KeyCloak secure configuration considerations
This section lists a number of security considerations that can enhance your security level when using Planon Single Sign On (SSO).
Please be aware that these configuration settings are considerations that depend heavily on the customer's requirements, Identity Provider and organizational security policies. Only IT staff trained in these configurations should deploy them; otherwise, contact Planon for consultancy.
Authentication
External identity provider
When delegating authentication to an external identity provider (IdP) you should consider the following:
Subject
Description
Local account password
When a user logs in using an external identity provider, KeyCloak creates an account in its local store.
By default, users can set a password on this account and then log in with their user name and the KeyCloak local password.
Because this bypasses the external identity provider, it may be undesired.
This behavior can be disabled at two places:
Configure > Authentication > Required actions and disable Update password.
When this is disabled, users can no longer set the password on the local KeyCloak account.
Configure > Authentication > Flows > Browser and disable the forms.
When this is disabled, the password screen can no longer be used. Please be aware that this option also disables all local KeyCloak accounts, such as the supervisor account.
Forcing external IdP login
You can also make login via an external IdP mandatory in the browser flow by setting the Identity Provider Redirector to Required; this way, users cannot authenticate against any source other than your own IdP.
This can be configured by going to:
Configure > Authentication > Browser and configure the Identity Provider Redirector as Required.
Using Planon user federation
It is possible to authenticate using the Planon system as an authentication source. Credentials entered in the KeyCloak user name and password fields are validated against the Planon credential store.
Subject
Description
Local account password
When a user logs in using the Planon user federation, KeyCloak creates an account in its local store. By default, users can set a password on this account and then log in with their user name and the KeyCloak local password. Because this bypasses the Planon user federation check, it may be undesired.
This can be configured by going to:
Configure > Authentication > Required actions and disable Update password.
When this is disabled, users can no longer set the password on the local KeyCloak account.
KeyCloak local account password
Subject
Description
Password policy
When using the local KeyCloak passwords, it is advised to set a password policy. This can be done in:
Configure > Authentication > Policies > Password policy.
Here, you can add policies for the different aspects of the passwords. Planon recommends setting the password policy in accordance with your organization's security policies.
Brute force protection
Brute force detection is enabled by default. However, customers can tune its settings to their own requirements if desired.
The Brute force detection settings can be found under:
Configure > Realm settings > Security defences > Brute force detection
General settings
Subject
Description
Multi-factor admin
We strongly recommend setting up multi-factor authentication on the admin account. This can be done via:
User name (top right of your screen) > Manage account > Account security > Signing in > Two-factor authentication
Security headers
Customers can set up their own security headers if desired.
The security headers settings can be found under:
Configure > Realm settings > Security defences > Header
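The console paths above all map to fields of the Keycloak realm representation, so the same considerations can be checked automatically against a full realm export. The following audit script is an added example, not Planon's or Keycloak's own code; the realm fragment it reads is constructed here and only contains the keys the checks use, and the `external_idp` switch is an assumption of this example (the redirector and forms checks only apply when authentication is delegated to an external IdP).

```python
"""Audit a Keycloak full realm export against the hardening considerations above."""
import json
from typing import List

# Constructed realm export fragment (not from a real installation).
# Field names follow the Keycloak realm representation; the values
# mirror a realm before any of the considerations were applied.
SAMPLE_REALM = json.loads("""{
  "realm": "example",
  "bruteForceProtected": false,
  "passwordPolicy": "",
  "browserSecurityHeaders": {"xFrameOptions": "SAMEORIGIN"},
  "requiredActions": [
    {"alias": "UPDATE_PASSWORD", "enabled": true},
    {"alias": "CONFIGURE_TOTP", "enabled": true}
  ],
  "authenticationFlows": [
    {"alias": "browser", "authenticationExecutions": [
      {"authenticator": "identity-provider-redirector", "requirement": "ALTERNATIVE"},
      {"flowAlias": "forms", "authenticatorFlow": true, "requirement": "ALTERNATIVE"}
    ]}
  ]
}""")


def audit_realm(realm: dict, external_idp: bool = True) -> List[str]:
    """Return one finding per consideration that the realm does not satisfy."""
    findings = []
    if not realm.get("bruteForceProtected"):          # Security defences > Brute force detection
        findings.append("brute force detection disabled")
    if not realm.get("passwordPolicy"):               # Policies > Password policy
        findings.append("no password policy set")
    if not realm.get("browserSecurityHeaders"):       # Security defences > Header
        findings.append("no security headers configured")
    for action in realm.get("requiredActions", []):   # Required actions > Update password
        if action.get("alias") == "UPDATE_PASSWORD" and action.get("enabled"):
            findings.append("Update password required action still enabled")
    if external_idp:                                  # Flows > Browser
        for flow in realm.get("authenticationFlows", []):
            if flow.get("alias") != "browser":
                continue
            for ex in flow.get("authenticationExecutions", []):
                if (ex.get("authenticator") == "identity-provider-redirector"
                        and ex.get("requirement") != "REQUIRED"):
                    findings.append("Identity Provider Redirector not set to REQUIRED")
                if ex.get("flowAlias") == "forms" and ex.get("requirement") != "DISABLED":
                    findings.append("forms subflow (local password screen) still enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_realm(SAMPLE_REALM):
        print("FINDING:", finding)
```

A realm hardened as described above produces an empty findings list; run the audit after each change to confirm the console setting actually landed in the realm configuration.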