Keycloak Password Policy

Overview

Keycloak can be used to enforce your organization’s password policy for more secure authentication. You define a single, global password policy in Keycloak and can enable any of the policy types listed below.

The defined policy can be enforced in SecureTrack. Whenever a user sets a password that does not meet the policy requirement, SecureTrack will highlight the failed policy requirement.

The following policy types are available in Keycloak:

  • Expired password

  • Hashing iterations

  • Special Characters

  • Not Recently Used

  • Uppercase Characters

  • Lowercase Characters

  • Minimum Length

  • Regular Expression

  • Digits

  • Not the same as the Username

  • Hashing Algorithm

The password policy and the audit trail should be included in the backup file.

Use Cases

  • An admin/multi-domain admin/super admin sets a password for a new user (set in User Interface)

  • An admin/multi-domain admin/super admin changes a password for an existing user (set in User Interface)

  • An admin/multi-domain admin/super admin creates a new user using the st_add_user command.

  • A user/domain user/multi-domain user changes their own password using the Users page.

  • A user/domain user/multi-domain user changes their own password via the Login page.

Add a Keycloak Administrator User

To configure the password policy, you first need to create a Keycloak Administrator user. You can delete this user after the password policy has been created.

  1. On the server, run:

    [<ADMIN> ~]$ kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r add_keycloak_admin_user -u <username>
  2. Enter the new password for the Keycloak Administrator user.

    You can now log in to Keycloak with the credentials configured above at:

    https://<ip>/auth/admin/master/console/

Configure the Password Policy

Open the following URL and configure the password policy:

https://<ip>/auth/admin/master/console/#/realms/tufin-realm/authentication/password-policy

Following is the recommended password policy for secure authentication:

  • Minimum Length: 8 characters

  • At least two of the following properties:

    • Uppercase Characters: 1

    • Lowercase Characters: 1

    • Special Characters: 1

    • Digits: 1

  • Additional configuration:

    • Not Recently Used: 3

    • Not Username
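The following checker, added here as an illustration and not part of the Tufin or Keycloak code, models the recommended policy above and returns the list of requirements a candidate password fails, in the spirit of the per-requirement feedback SecureTrack shows. The thresholds, the case-insensitive username comparison and the plaintext history list are assumptions made for the example; Keycloak itself compares against stored credential hashes.

```python
import re

# Thresholds taken from the recommended policy on this page
MIN_LENGTH = 8
REQUIRED_CLASSES = 2        # "at least two of the following properties"
HISTORY_SIZE = 3            # Not Recently Used: 3

# Character classes, each counted once if at least one matching character is present
CHARACTER_CLASSES = {
    "Uppercase Characters": re.compile(r"[A-Z]"),
    "Lowercase Characters": re.compile(r"[a-z]"),
    "Special Characters": re.compile(r"[^A-Za-z0-9]"),
    "Digits": re.compile(r"[0-9]"),
}


def check_password(password, username, previous_passwords=()):
    """Return the names of the policy requirements the password fails.

    An empty list means the password satisfies the recommended policy.
    previous_passwords is ordered oldest to newest; only the last
    HISTORY_SIZE entries count as "recently used" (assumption for this example).
    """
    failures = []

    if len(password) < MIN_LENGTH:
        failures.append(f"Minimum Length: {MIN_LENGTH}")

    present = [name for name, pattern in CHARACTER_CLASSES.items()
               if pattern.search(password)]
    if len(present) < REQUIRED_CLASSES:
        failures.append(f"At least {REQUIRED_CLASSES} of: "
                        + ", ".join(CHARACTER_CLASSES))

    # Not Username: compared case-insensitively here (assumption, stricter than equality)
    if password.lower() == username.lower():
        failures.append("Not Username")

    # Not Recently Used: plaintext comparison for illustration only
    if password in list(previous_passwords)[-HISTORY_SIZE:]:
        failures.append(f"Not Recently Used: {HISTORY_SIZE}")

    return failures
```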

Configure Audit

Open the following URL and configure the audit:

https://<ip>/auth/admin/master/console/#/realms/tufin-realm/events-settings

Under Admin Events Settings, set the following to ON:

  • Save Events

  • Include Representation

Delete the Keycloak Administrator User

After you complete the process, delete the Administrator user that you created to manage Keycloak.

  1. In the Keycloak Interface, switch to the Master realm, and go to Users.

  2. In the kebab menu (⋮) for the user, click Delete.

Do not delete the user integration_user; it is required for the SecureTrack integration.