Single sign on (SSO) with Keycloak + Active Directory + Angular | Microservice Security Practical

30,290 views

Krish Dinesh

In current enterprise architecture, every system we design or develop usually has hundreds of thousands of users, so recreating those users in our own system is an obviously outdated strategy.
Also, asking for their credentials again and again is a bad user experience. If we can instead use their local workstation credentials, domain account, or a Facebook, Google or Apple account, it will be a very rich user experience.
In this video, I am going to demonstrate how we can implement that single sign-on feature practically. For that, I am using Active Directory, which is the most used directory service; Keycloak, which is the most popular free open-source authorization server; and Angular, which is known as the most famous front-end framework.
Prerequisites:
Concept / challenges of Microservice security • How to Secure Enterpri...
What is OAuth and OpenID Connect: • [008] How to Secure Mi...

Comments: 44
@sushaindilishan1237 3 years ago
You're literally throwing money stacks at people to catch...!! :D :D Thank you.
@tharangawijeweera5791 3 years ago
The way you explained is great and easy to understand. The knowledge that was shared helped me to get a clear picture, which filled the gaps of the knowledge I had. Thank you so much.
@shishirroy1516 3 years ago
I must say, it's an excellent session. Can you create a series or session on [Keycloak + Service provider init & Identity provider] using SAML?
@kalhariliyanagama 2 years ago
Hi, I found your channel when searching for Keycloak/AD content. First I thought you're Indian (Krish :) ) and was pleasantly surprised that you are a fellow Lankan. I haven't seen many Sri Lankans doing tech content. Nice work and keep it up. A question though: if we want to integrate Keycloak with another org's AD, we cannot use the identity broker option, right? If ADFS is used then yes, we can integrate ADFS as the identity provider; otherwise we will have to use user federation, isn't it? Second Q: If we integrate AD with user federation or ADFS as an identity provider, does it provide SSO? I'm guessing no.
@krish 2 years ago
Thank you :) 1. Technically you can use the ID brokering option if you can establish a network connection and the remote server allows you to authenticate from them. Protocols such as OIDC and SAML can be used for that. 2. On the other hand, identity federation is a very generic term. It depends on how you use it. In one of my videos I showed this by syncing a remote auth database. That option is practically not possible with another org's IDP. I feel you mixed up the terms. If you use ADFS, then SSO depends on the config of AD. If it adds a SPNEGO token to the session, the browser can recognize the session.
@kalhariliyanagama 2 years ago
@krish Thank you for the prompt reply. I was referring to traditional on-premise AD here, so yes, if Azure AD or ADFS is used, ID brokering can be used. I thought with on-premise AD you can't integrate with applications outside the company firewall. I will do some more research on the SSO thing, thanks again.
@poosingh7648 2 years ago
Amazing sir..amazing explanation
@jdk0asdf 3 years ago
Very nice explanation. Can we do it the other way around? Keycloak as IDP and a Microsoft service like Power BI as service provider.
@binarytech8457 1 year ago
Interesting product. Can it be used for managing access to Windows servers?
@sunils5834 3 years ago
Awesome video. Learnt a lot! Please make a video on user federation as well.
@nikolabozic3918 3 years ago
Wow great explanation
@solardepotnigeria5927 2 years ago
Thank you for taking your time to do this video. Could you share insight on how to integrate Keycloak with an Apache Drupal site using Active Directory/LDAP as the authentication method? Thanks
@krish 2 years ago
Sorry.. I am not an expert on CMS
@matjazhafner2000 2 years ago
Great video. Is it possible to restrict access depending on groups/roles? Let's say we have 2 groups in Azure AD (users and admins). Only admins can create new users. Users from the user group can only list users.
@AlanDevOps 1 year ago
Did you find a way of doing this?
@nareshreddygondewar3885 1 year ago
Hi Krish, it's a great video from you and thanks for sharing valuable content with us. Could you please make a video for user federation; if you have already posted one, kindly share the URL please. Thanks a lot.
@c1i2s3c4o5 10 months ago
Great video sir, this is really a savior for my scenario, immediately subscribed to the channel. Please make a video on user federation; if already uploaded, then please share the link. Also, I want to take Keycloak training, please suggest how to contact you.
@thatoshebe5505 2 years ago
When are you making the video on policies?
@hyp3rvirus 1 year ago
How to make a trust between Keycloak and a Kerberos realm so as not to use redirection to the KDC site? I don't want to authenticate twice using my OpenID password and Kerberos password for non-GSSAPI and SPNEGO services. For example, using an Active Directory - FreeIPA two-way trust it is enough to be authenticated by only one realm to connect to a service of another realm.
@sandeeprao7599 1 year ago
Hi Sir, do you have this Angular code with Keycloak integration on GitHub?
@shivamgupta5476 3 years ago
Make a video on User federation
@AshinsanaMayuminda 2 months ago
Can you do another for LDAP and Kerberos?
@TataRaog-dj5ww 2 months ago
Please do a full course on PingFederate, sir
@savitrigalatge6491 2 years ago
Hi, actually we integrated Keycloak with Angular using OAuth2 but after that token api is not getting .??? Please help me out with this issue. 🙏🏻
@shobie23 2 years ago
Any help about CORS issue in Keycloak?
@MohammadAli-pt6jq 3 years ago
This was really helpful in terms of understanding Keycloak integration. I have a couple of doubts in this regard; hope you will guide me or at least give me a solution. I'm planning to implement SSO using Keycloak. We have two different products containing mobile and web. The two products have their own databases. Now Product1 users should be able to access Product2 and vice versa. What is the best approach? In this scenario does SSO solve our problem? If so, how do I approach it, since there are two isolated databases? Could you please guide me or help me understand the solution? And since users are already using the product, we should not ask them to register; they should be able to use it as is, even with SSO. Thanks in advance and thanks for the wonderful videos.
@krish 3 years ago
I am not clear about your problem. By saying "Two products have their own database", if you mean they have their own users in their own databases, then you can use Keycloak as SSO. What you should do is go to the user federation option of Keycloak and add your user stores to Keycloak, so it will have 2 federated user stores.
@MohammadAli-pt6jq 3 years ago
@krish Apologies for the delayed response. Yes, you are right, we have two different products in different databases, and we are planning to host Keycloak and make use of it. However, how do I make sure that the end user doesn't have to log out and log back in, and store the information in the Keycloak database? Basically, how do I support this for existing users?
@earther-v2w 2 years ago
How do we log out?
@sonujha766 1 year ago
Is there any way to skip the Keycloak login theme and put a domain input field there, where the user enters the company domain and, if it's valid, they are redirected to the Microsoft Azure login portal, where they enter their credentials and get logged in?
@neerajk.9249 8 months ago
Exactly what I need is this. Did you find any solution for this?
@hirendra9620 3 years ago
How to implement Keycloak in Angular SSR?
@shubhamswaraj1968 3 years ago
Some companies use their own identity providers, so do they create them from scratch or implement them using already existing IDPs?
@krish 3 years ago
In most cases architects use an existing IDP, as creating your own from scratch is a lot of work as well as a heavy risk. You need security professionals in your team to do so, to make sure there are no vulnerabilities in the IDP itself. Since we can find a bunch of ready-made IDPs, we can choose one.
@keycloakuser4716 3 years ago
Hello Krish, it seems like the login workflow always starts from the SP (localhost:4200). Does Keycloak not support IDP init login? For example, the user logs on to AD, and then clicks on a link that performs SSO and logs the user on to the SP? Can you share details?
@krish 3 years ago
It does support it. If the user already has a session, authGuard will bypass the login flow. I think I demonstrated that in the video.
@keycloakuser4716 3 years ago
@krish The user had to manually go to localhost:4200 and then, because the user had an active authGuard session, we skipped the login flow. But my question is, can the user just click on some link in authGuard which will automatically log the user in to localhost:4200?
@krish 3 years ago
I don't think I understand your use case. If you can write down what you need to do, it would help. Or inbox me on the page so we can have a chat about this.
@arjunanke7043 3 years ago
Hi, I created an account app registration; after that I created a new client secret. After that I'm not able to see the Endpoints tab, but I saw the Delete and Preview features tabs. Could you please help me out as soon as possible.
@vasuthevanpalani7033 2 years ago
It will not work on a personal account; you just select "Owned applications" and create a new registration from there.
@durgeshagrawal4923 3 years ago
Hello sir, I am looking to learn this tool. Could you help me, or do you take classes for this? I am ready to join, please let me know sir.
@RantDuJour 1 year ago
Active Directory =/= azure active directory. Although similar they are not the same.
@anilreddy9654 1 year ago
angular and spring boot rest apis azure ad project
@deepbajaj9589 2 years ago
How can we use kid rather than the realm key from keyclosk_url/auth/realms/openid-connect/certs