
Identity and access management system, based on Keycloak. Extensive additional features for controlling user access to data. Has its own UI, runs as a separate service. Client libraries in Go and Java. Open Source (Apache Licence 2.0).

Technical Details
REST API Integration
IDshield runs as a separate service with its own PostgreSQL database. Because all access to it is through a REST API, business applications written in any programming language can delegate their IAM duties to IDshield. We have integrated Go and Java applications with IDshield, and are exploring integration with PHP.
Enhanced Authorization
IDshield builds a sophisticated authorization layer on top of basic Keycloak to extend its access management capabilities. IDshield validates the access request and, where access is granted subject to conditions, returns the applicable rules and constraints (visibility and limit constraints) alongside the grant, so the business application knows that access is permitted but constrained. The business application code then enforces those constraints, for example when fetching rows from a database table.
Secure
IDshield performs one of the most critical operations a business application depends on: login authentication. Because the Keycloak code that performs this operation is left unmodified in IDshield, all the scrutiny to which Keycloak has been subjected carries over, and the login operation stays secure. IDshield keeps credentials in its own database, so an intruder who gains access to the application database has one more layer of access to cross before reaching the credentials database. IDshield also conforms to a very thorough set of industry standards for security best practices.
Horizontally Scalable
IDshield, like Keycloak, accesses its database mostly for read-only queries. This makes the system very scalable: the database can be replicated for horizontal scale-out, and the IDshield service itself can run on a cluster of containers to spread the compute load of token validation and new token issuance.
Client Libraries
Client libraries are available for IDshield in various programming languages, making integration into business applications error-free and quick. These client libraries internally perform REST calls to the IDshield service as needed, hiding the complexity of these network calls. The developer's job therefore becomes very straightforward, allowing new developer teams to come up to speed rapidly.
Clientside Caching
For typical business applications, the commonest call to IDshield is token validation. When an incoming web service request reaches the application, the OAuth 2.0 JWT authentication token it carries must have its digital signature verified, and that verification requires a call to IDshield for every token. To improve performance, the IDshield client library keeps a hash of each token together with its verification status in a local cache for several minutes, short-circuiting the REST call to the IDshield service. Typically, hundreds or thousands of web service requests hit the business application during each user session, all carrying the same token, so cache hit rates are very high. This too makes IDshield very scalable.
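The caching scheme described above, written out as an added Go example (this is not the IDshield client library's own code). The backend call is represented by a VerifyFunc whose signature is an assumption of this example; the cache keys entries by the SHA-256 of the token, caches both positive and negative verdicts for a bounded TTL, and never caches transport errors.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

// VerifyFunc stands in for the REST call to the IDshield service that checks a
// token's signature and status. Its signature is this example's assumption.
type VerifyFunc func(token string) (bool, error)

type cacheEntry struct {
	valid   bool
	expires time.Time
}

// TokenCache memoizes verification verdicts for a bounded time. Entries are
// keyed by the SHA-256 of the token, so a dump of the cache holds no usable
// bearer credential.
type TokenCache struct {
	mu      sync.Mutex
	entries map[string]cacheEntry
	ttl     time.Duration
	verify  VerifyFunc
	now     func() time.Time // injectable clock so expiry is testable
	Misses  int              // verifications that reached the backend
}

func NewTokenCache(ttl time.Duration, verify VerifyFunc) *TokenCache {
	return &TokenCache{
		entries: make(map[string]cacheEntry),
		ttl:     ttl,
		verify:  verify,
		now:     time.Now,
	}
}

func tokenKey(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Validate returns the cached verdict while it is fresh; otherwise it calls
// the backend and caches the answer, valid or invalid, for ttl.
func (c *TokenCache) Validate(token string) (bool, error) {
	key := tokenKey(token)
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.entries[key]; ok && c.now().Before(e.expires) {
		return e.valid, nil
	}
	c.Misses++
	// The lock is held across the call so concurrent requests carrying the
	// same token do not all stampede the backend on a miss.
	valid, err := c.verify(token)
	if err != nil {
		// Transport errors are never cached: a brief outage must not become a
		// minutes-long wrong answer in either direction.
		return false, err
	}
	c.entries[key] = cacheEntry{valid: valid, expires: c.now().Add(c.ttl)}
	return valid, nil
}

// Purge removes expired entries and returns how many it dropped; run it
// periodically so a flood of distinct (for instance forged) tokens cannot
// grow the map without bound.
func (c *TokenCache) Purge() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	removed := 0
	for k, e := range c.entries {
		if !c.now().Before(e.expires) {
			delete(c.entries, k)
			removed++
		}
	}
	return removed
}

func main() {
	// Constructed stand-in for the IDshield call: exactly one token is valid.
	backend := func(tok string) (bool, error) { return tok == "good-token", nil }
	c := NewTokenCache(5*time.Minute, backend)
	for i := 0; i < 1000; i++ {
		c.Validate("good-token")
	}
	fmt.Printf("1000 requests, %d backend call(s)\n", c.Misses)
}
```

The TTL is the trade-off the page alludes to: a token revoked at IDshield keeps working on the caching client until its entry expires, so the cache lifetime should be a few minutes at most and shorter than the token's own lifetime.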
OIDC Standard
IDshield supports the OpenID Connect (OIDC) standard for authentication and authorization. IDshield is an OpenID Connect provider: it authenticates users and redirects them back to the application with an authorization code.
Standards compliance is a critical necessity for fundamental security-critical building blocks of modern applications, and IDshield has high credibility in this area.
Admin Portal
IDshield offers an administration portal which allows authorized administrators to manage users and their credentials.
This removes a large chunk of boilerplate functionality which every mature business application development team otherwise needs to implement, typically by re-inventing, re-designing and re-developing the IAM wheel. IDshield takes away that chore and brings in proven, tested code to make your application more robust.
Every business application requires (a) management of user accounts, (b) a secure, tested login and authentication interface with rich features, and (c) access rights management. This is the basic slot filled by identity and access management (IAM) products. Remiges IDshield is a strong player in this space.
IDshield is built on top of Keycloak, an industry-standard open source IAM system developed by Red Hat. All Keycloak features are available in IDshield, enhanced to meet the needs of the large enterprise applications our team has built. IDshield does not fork the Keycloak source base to modify it.
Keycloak uses industry-standard protocols such as OpenID Connect, OAuth 2.0, and SAML to facilitate secure authentication and authorization. It supports various types of login methods including social login and multi-factor authentication. Keycloak runs as a separate service, and may be run in its own container, making it more secure, reliable, and independent of the business applications which use its services.
IDshield adds control features to Keycloak through Keycloak's SPIs (Service Provider Interfaces), extending the controls a business application may apply. These include geo-IP based control over authentication, allowing an application to decide whether login attempts from specific countries will be allowed, and IP whitelists for logins. We have found these to be almost universal asks from enterprise applications in the financial services industry.
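To make the IP whitelist control concrete, here is an added Go example of a login allowlist check; it is not IDshield's SPI code, and the type and function names are this example's own. Entries may be single addresses or CIDR ranges, IPv4 and IPv6, and any unparseable source address fails closed.

```go
package main

import (
	"fmt"
	"net"
)

// Allowlist holds the networks from which logins are permitted. Entries may
// be single addresses ("203.0.113.7") or CIDR ranges ("10.0.0.0/8").
type Allowlist struct {
	nets []*net.IPNet
}

// NewAllowlist parses the configured entries; a malformed entry is rejected
// outright rather than silently ignored, so a typo cannot open the door.
func NewAllowlist(entries []string) (*Allowlist, error) {
	al := &Allowlist{}
	for _, e := range entries {
		if _, n, err := net.ParseCIDR(e); err == nil {
			al.nets = append(al.nets, n)
			continue
		}
		ip := net.ParseIP(e)
		if ip == nil {
			return nil, fmt.Errorf("allowlist entry %q is neither an IP nor a CIDR", e)
		}
		// A bare address becomes a host route (/32 or /128).
		bits := 128
		if v4 := ip.To4(); v4 != nil {
			ip = v4
			bits = 32
		}
		al.nets = append(al.nets, &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)})
	}
	return al, nil
}

// Permitted reports whether a login from the given source address may
// proceed. Unparseable input fails closed. The caller must pass the address
// of the actual TCP peer, or a forwarded address only when it was set by a
// proxy the deployment trusts, because a client-supplied X-Forwarded-For
// header is under the client's control.
func (a *Allowlist) Permitted(remote string) bool {
	ip := net.ParseIP(remote)
	if ip == nil {
		return false
	}
	for _, n := range a.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed configuration for the demonstration.
	al, err := NewAllowlist([]string{"10.0.0.0/8", "203.0.113.7", "2001:db8::/32"})
	if err != nil {
		panic(err)
	}
	for _, src := range []string{"10.20.30.40", "203.0.113.8", "2001:db8::1", "garbage"} {
		fmt.Printf("%-14s permitted=%v\n", src, al.Permitted(src))
	}
}
```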
On the authorisation side, IDshield adds scope, visibility and limit constraints to capabilities; Keycloak has no equivalent. Keycloak compares an incoming request with a set of capabilities and responds with a go/no-go answer indicating whether the request may be permitted. IDshield can additionally return a qualified response, e.g. “Yes, this MIS report may be accessed, but only for the North Zone”, or “Yes, this voucher may be created, but only if the value is less than US$ 5,000.” These visibility, scope and limit constraints extend Keycloak's basic capabilities and provide support for qualified capabilities.
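Both the Enhanced Authorization section and the paragraph above describe the same division of labour: IDshield returns a qualified grant, and the business application enforces it. The following added Go example shows what that enforcement looks like on the application side. It is not IDshield's client library, and the JSON shape of the decision (fields allowed, visibility and limits) and the function names are assumptions of this example. The visibility constraint becomes a parameterised WHERE clause whose column names are checked against an allowlist, and the limit constraint is checked against the request's values, failing closed when a limited attribute is absent.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Decision is an assumed shape for IDshield's qualified response: access is
// granted or denied, and when granted it may carry visibility constraints
// (which rows the user may see) and limit constraints (numeric ceilings).
// The JSON field names are this example's own, not IDshield's API.
type Decision struct {
	Allowed    bool               `json:"allowed"`
	Visibility map[string]string  `json:"visibility"`
	Limits     map[string]float64 `json:"limits"`
}

// sampleDecision is a constructed response for the examples in the text:
// the user may see only the North Zone's HQ branch, and may create vouchers
// only below 5,000.
const sampleDecision = `{"allowed":true,"visibility":{"zone":"North","branch":"HQ"},"limits":{"amount":5000}}`

func ParseDecision(raw []byte) (Decision, error) {
	var d Decision
	if err := json.Unmarshal(raw, &d); err != nil {
		return Decision{}, err
	}
	return d, nil
}

// FilterClause turns visibility constraints into a parameterised SQL WHERE
// fragment. Constraint keys become column names, so each must be on the
// caller's allowlist of real columns; values are always bound, never
// interpolated into the SQL text.
func FilterClause(d Decision, allowedColumns map[string]bool) (string, []interface{}, error) {
	keys := make([]string, 0, len(d.Visibility))
	for k := range d.Visibility {
		if !allowedColumns[k] {
			return "", nil, fmt.Errorf("unknown visibility column %q", k)
		}
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic clause regardless of map order
	parts := make([]string, 0, len(keys))
	args := make([]interface{}, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+" = ?")
		args = append(args, d.Visibility[k])
	}
	return strings.Join(parts, " AND "), args, nil
}

// CheckLimits enforces limit constraints against the values in the request.
// A value must be strictly below its ceiling, matching "less than US$ 5,000",
// and a limited attribute the request does not supply fails closed.
func CheckLimits(d Decision, values map[string]float64) error {
	if !d.Allowed {
		return errors.New("access denied")
	}
	for attr, ceiling := range d.Limits {
		v, ok := values[attr]
		if !ok {
			return fmt.Errorf("limit on %q but request carries no such value", attr)
		}
		if v >= ceiling {
			return fmt.Errorf("%s %.2f is not below limit %.2f", attr, v, ceiling)
		}
	}
	return nil
}

func main() {
	d, err := ParseDecision([]byte(sampleDecision))
	if err != nil {
		panic(err)
	}
	where, args, err := FilterClause(d, map[string]bool{"zone": true, "branch": true})
	if err != nil {
		panic(err)
	}
	fmt.Printf("SELECT * FROM vouchers WHERE %s  -- bound args %v\n", where, args)
	fmt.Println("create 4,999:", CheckLimits(d, map[string]float64{"amount": 4999}))
	fmt.Println("create 5,000:", CheckLimits(d, map[string]float64{"amount": 5000}))
}
```

The column allowlist matters because the constraint keys arrive from the network: even when the authorization service is trusted, refusing to splice an unexpected identifier into SQL keeps the application's query surface fixed.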

IDshield on GitHub
The starting point to read more is on the wiki page of the main repository.
The main repository has the source code for IDshield in Java. (Keycloak is written in Java, hence our work too is in Java.) This includes client libraries, utility functions, etc. IDshield is usable by business applications written in any programming language, since the system runs as a separate service with a REST API.
The UI repository contains the UI code for administering the credentials and user records in the IDshield data store. It uses web services that are part of the IDshield service, whose source code is in the main repository.