Security

Keycloak with Onelogin OpenID Connect Provider

What will I cover in this post? We will learn how to integrate Keycloak with Onelogin OIDC Provider. Similar to SAML, Keycloak can be configured to use the external OpenID Connect Provider. The configuration steps are very similar to the configuration of SAML Provider described in my previous post, but the configuration simpler that the SAML configuration. Do not forget to follow me on Twitter Configuration Keycloak and Onelogin need to be configured in parallel.

Update Keycloak User Attributes from Onelogin SAML Provider

Update Keycloak User Attributes from Onelogin SAML Provider The post describes how to configure Keycloak and Onelogin to update Keycloak User Attributes from the Onelogin SAML Provider Do not forget to follow me on Twitter Why the User Attributes are empty? In my previous post I have described how to configure the Onelogin SAML Provider. You may be ask yourself: “Why the User Attributes are empty? I have values in Onelogin but the in Keycloak values are empty.

Keycloak with Onelogin SAML Provider

What will I cover in this post? We will learn how to integrate Keycloak with Onelogin SAML Provider. Do not forget to follow me on Twitter Configuration In my previous post I have described how to integrate Keycloak with Okta SAML Provider. The configuration with with Onelogin SAML Provider is very similar. Keycloak and Onelogin need to be configured in parallel. First, you need to add the SAML identity provider in Keycloak.

How can you deliver a secure product?

My presentation on the Application Security Meetup. You will learn what is Security Development Lifecycle (SDL) You will understand why SDL is important You will dive in details of SDL and you will see tips for each SDL phase You will realize how to roll out an SDL in your organization Finally, you will have all skills to deliver a secure product Do not forget to The video recording:

How to reset Two-Factor WebAuth

What will I cover in this post? In my previous post I have described Two-Factor Authentication with WebAuth. But what should you do when a user replaces WebAuthn device? In this post, we will learn how to reset WebAuthn for a specific user. In addition, we will see how to revert the WebAuthn configuration for all users. Reset WebAuthn for a specific user If a user replaces WebAuthn device he /she will not be able to login and will see the following error:

Two-Factor Authentication with Keycloak WebAuth

What will I cover in this post? We will learn how to configure Two-Factor Authentication with Keycloak WebAuth. In this post, I plan on: Explaining what is WebAuth Explaining how to configure WebAuth in Keycloak What is WebAuth? WebAuthn is the standard recommended by FIDO Alliance and W3C. WebAuthn defines a standard web API that gives users new methods to securely authenticate. It can be incorporated into browsers and related web platform infrastructure, in the browser, across multiple sites, and on numerous device types.

Preventing OWASP A4 XML External Entities (XXE) in a better way

XML External Entities (XXE) is a dangerous vulnerability, currently ranked fourth (A4) in the OWASP Top Ten. Resolving this vulnerability should be a high priority for all Java developers. In this presentation, presented by Anat Mazar (https://www.linkedin.com/in/anat-mazar/) and Michael Furman (https://www.linkedin.com/in/furmanmichael/) on the OWASP meetup we will Demonstrate why XXE is so dangerous Show you how this vulnerability is typically resolved – in each and every place in the code that you parse an XML file Show you the better resolution – set a couple of system Java system properties once, and never worry about XXE again.

Secure Communication with a WireGuard VPN

What will I cover in this post? We will learn how to configure a WireGuard Virtual Private Network (VPN) for secure communication between two servers. In this post, I plan on: Explaining what is WireGuard Explaining how to to configure WireGuard What is WireGuard? According to the WireGuard site: WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. WireGuard communicates via a WireGuard interface.

TLS Communication with Ghostunnel

What will I cover in this post? We will learn how to use ghostunnel for the TLS communication between non-TLS client and server. In this post, I plan on: Explaining what is ghostunnel Explaining how to to configure ghostunnel Explaining advanced security settings What is ghostunnel? The ghostunnel site explains it very well: Ghostunnel is a simple TLS proxy with mutual authentication support for securing non-TLS backend applications.

Simple way to generate a Subject Alternate Name (SAN) certificate

What will I cover in this post? We will learn how to generate the Subject Alternate Name (or SAN) certificate in a simple way. In this post, I plan on: Explaining what is the SAN certificate Explaining how to create the SAN certificate using the Java keytool Explaining how to export the certificate private and public keys using OpenSSL Explaining how to create the Certificate Signing Request (CSR) for the SAN certificate using the Java keytool Do not forget to follow me on Twitter

SameSite cookies - Everything You Need to Know

What will I cover in this post? Google Chrome recently released an update that began enforcing a new cookie policy. The new update affects the SameSite cookie attribute, making it Lax by default. This change will also be enforced by all other major browsers. In this post, I plan on: Describing the SameSite cookie attribute and its settings Explaining the new cookie policy and why it is important Providing some best practices Personally, from a security perspective, I think this is a great policy and that the new changes make the internet a much safer place.

Istio Mutual TLS Demo

What will I cover in the post? You will see how to configure secure service-to-service communication using Istio. Istio Mutual TLS Demo I will show the Istio Mutual TLS Demo that explained in the Istio Example. The demo will show configuration of secure service-to-service communication using Istio. As I have described in my previous post I will use Google Kubernetes Engine (GKE). The Istio installation is very simple: you just need to select “Enable Istio” during the creation of your GKE cluster.

Adding Secure HTTP Headers via Istio Envoy Filter

What will I cover in the post? You will see how to increase the security of your web application using Secure HTTP Headers. Secure HTTP Headers Secure HTTP Headers allow to increase the security of your web application in the very simple way. The recommended Secure HTTP Headers can be found at the OWASP site. Istio Bookinfo Demo application In my previous post I have described how to install the Istio Bookinfo Demo application.

Istio Grafana Demo

What will I cover in the post? You will see how to visualize Istio metrics via Grafana dashboards. Istio add-ons Istio add-ons allow to use advanced Istio features. Istio Grafana add-on Grafana is an open source metric analytics & visualization suite. Grafana add-on allows to you to visualize Istio metrics collected by Prometheus via Grafana dashboards. Istio Bookinfo Demo application and Prometheus add-on In my previous posts I have described how to install the Istio Bookinfo Demo application and Prometheus add-on.

Istio Prometheus Demo

What will I cover in the post? You will see how to query Istio metrics using the Prometheus add-on. Istio add-ons Istio add-ons allow to use advanced Istio features. Istio Prometheus add-on We will start from the Prometheus add-on. Prometheus is an open-source systems monitoring and alerting toolkit. Prometheus add-on allows to you to query Istio metrics. Istio Metrics Istio generates metrics for all service traffic. The partial metrics list is below:

Istio Simple Demo

Couple of personal words … Dear Readers! In the past I posted posts related to the application security and Keycloak. I have learned Istio recently and I will happy to share my knowledge. You will continue to see my Keycloak posts, but you will also enjoy form my DevSecOps posts. Stay tuned! What will I cover in the post? You will understand what is is Istio and then You will deploy a simple demo that show how to use Istio.

Access Keycloak APIs using Two-Factor Authentication

How To Access Keycloak APIs Using Two-Factor Authentication Two-Factor Authentication is the very strong and recommended security control. In my previous post I have described how to configure Two-factor authentication in Keycloak. The short (but important) post describes how to access Keycloak APIs using Two-Factor Authentication. Access Keycloak APIs Using User Name and Password Let’s first access Keycloak APIs Using User Name and Password. According to the Keycloak documentation, you first need to obtain an access token.

Keycloak with Okta OpenID Connect Provider

What will I cover in this post? We will learn how to integrate Keycloak with Okta OIDC Provider. Similar to SAML, Keycloak can be configured to use the external OpenID Connect Provider. The configuration steps are very similar to the configuration of SAML Provider described in my previous post, but the configuration simpler that the SAML configuration. Do not forget to follow me on Twitter Configuration Keycloak and Okta need to be configured in parallel.

Update Keycloak User Attributes from Okta SAML Provider

Update Keycloak User Attributes from Okta SAML Provider The post describes how to configure Keycloak and Okta to update Keycloak User Attributes from the Okta SAML Provider Do not forget to follow me on Twitter Why the User Attributes are empty? In my previous post I have described how to configure the Okta SAML Provider. You may be wondering and want to ask me the question: “Michael, why the User Attributes are empty?

Disabling Two-Factor Authentication

Disabling Two-Factor Authentication The post describes how to disable Two-Factor Authentication in Keycloak. Disabling Two-Factor Authentication for a specific user In my previous post I have described how to configure Two-Factor Authentication. But what should you do when your user lost a mobile device? What should you do when your user uninstalled the Google Authenticator by mistake? You need to disable Two-Factor Authentication for the user. Configuration Open Keycloak admin page, open Users, open the user and go to the Credentials tab.

Keycloak with Okta SAML Provider

What will I cover in this post? We will learn how to integrate Keycloak with Okta SAML Provider. Do not forget to follow me on Twitter Configuration Keycloak and Okta need to be configured in parallel. First, you need to add the SAML identity provider in Keycloak. Then you to add a SAML application in Okta using the Keycloak Redirect URI value. Finally, you need to import the Okta SAML application metadata into the Keycloak Identity Provider.

Simple Keycloak First Login Flow

Simple Identity Brokering First Login Flow The post describes creation of Simple Identity Brokering First Login Flow. What is First Login Flow? The First Login Flow is a workflow that will be used after a user logins the first time to Keycloak from an external Identity Provider . Keycloak provides the First Login Flow out of the box and it described here The provided flow performs a lot of actions.

Keycloak Two-Factor Authentication

What will I cover in this post? We will learn how to configure Two-factor authentication in Keycloak In this post, I plan on: Explaining what is Two-Factor Authentication Explaining what is Keycloak Two-Factor Authentication Explaining how to configure Two-factor authentication in Keycloak Do not forget to follow me on Twitter What is Two-Factor Authentication? According to wikipedia: Two-factor authentication (also known as 2FA) is a method of confirming a user’s claimed identity by utilizing a combination of two different factors:

Keycloak Password Policy

Keycloak Password Policy The post describes how to configure Password Policy in Keycloak What is a password policy? A Password Policy is the set of restrictions and/or requirements that a user must follow to ensure that their password is strong. Keycloak configuration Open Keycloak admin page, open Authentication, go to the Password Policy tab. Click on the Add policy … to see the list of available password policies. Keycloak documentation related to Password Policies is here

Keycloak Brute Force Protection

Keycloak Brute Force Protection The post describes how to configure Brute Force Protection in Keycloak What is a brute force attack? According to OWASP: “A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works” Keycloak configuration Open Keycloak admin page, open Realm Settings, go to the Security Defenses tab and open the Brute Force Protection tab.