KeyCloak secure configuration considerations
This section lists a number of security considerations that can enhance your security level when using Planon Single Sign On (SSO).
 | Please be aware that these configuration settings are considerations that highly depend on the customers' requirements, their Identity Provider and the security policies within the customers' organization. Only IT staff that is trained in these configurations should deploy these considerations or contact Planon for consultancy. |
Authentication
External identity provider
When delegating authentication to an external identity provider (IdP) you should consider the following:
Subject | Description |
|---|---|
Local account password | When a user logs in using an external identity provider, KeyCloak will create an account in it’s local store. By default, it is possible for users to set a password on this account and use the user name and the KeyCloak local password to login. As this bypasses the external identity provider, this may be undesired. This behavior can be disabled at two places: • Configure > Authentication > Required actions and disable Update password. When this is disabled, users can no longer set the password on the local KeyCloak account. • Configure > Authentication > Flows > Browser and disable the forms. When this is disabled, the password screen can no longer be used. Please be aware that this option will also disable all local keycloak accounts just as supervisor. |
Forcing external IdP login | What also could be considered is to make the login via an external IdP mandatory in the browser flow by setting the Identity Provider Redirector to required; this way, you cannot authenticate against other sources than your own IdP. This can be configured by going to: Configure > Authentication > Browser and configure the Identity Provider Redirector as Required. |
Using Planon user federation
It is possible to authenticate using the Planon system as an authentication source. Credentials entered in the KeyCloak user name and password fields are validated against the Planon credential store.
Subject | Description |
|---|---|
Local account password | When a user logs in using the Planon user federation, KeyCloak will create an account in it’s local store. By default, it is possible for users to set a password on this account and use the user name and the KeyCloak local password to login. This bypasses the Planon user federation check so this may be undesired. This can be configured by going to: Configure > Authentication > Required actions and disable Update password. When this is disabled, users can no longer set the password on the local KeyCloak account. |
KeyCloak local account password
Subject | Description |
|---|---|
Password policy | When using the local KeyCloak passwords, it is advised to set a password policy. This can be done in: Configure > Authentication > Policies > Password policy. Here, you can add policies for the different aspects of the passwords. Planon recommends setting the password policy in accordance with your organization's security policies. |
Brute force protection | Brute force detection will be enabled by default. However, customers can set up their own metrics if desired. The Brute force detection settings can be found under: Configure > Realm settings > Security defences > Brute force detection |
General settings
Subject | Description |
|---|---|
Multi-factor admin | We strongly recommend to set up multi-factor authentication on the admin account. This can be done by: User name (top right of your screen) > Manage account > Account security > Signing in > Two-factor authentication |
Security headers | Customers can set up their own security headers if desired. The security headers settings can be found under: Configure > Realm settings > Security defences > Header |