Identity and authorisation management


Every business application requires (a) management of user accounts, (b) a secure, tested interface for logins and authentication with a rich feature set, and (c) access rights management. This is the basic slot filled by identity and authorisation management (IAM) products. Remiges IDshield is a strong player in this space.

IDshield is built on top of Keycloak, an industry-standard open source IAM system developed by Red Hat. All Keycloak features are available in IDshield, enhanced to meet the needs of the large enterprise applications our team has built. IDshield does not fork or modify the Keycloak source base.

Keycloak uses industry-standard protocols such as OpenID Connect, OAuth 2.0, and SAML to facilitate secure authentication and authorization. It supports various types of login methods including social login and multi-factor authentication. Keycloak runs as a separate service, and may be run in its own container, making it more secure, reliable, and independent of the business applications which use its services.

IDshield adds control features to Keycloak through its SPIs (Service Provider Interfaces), extending the controls a business application may apply. These enhanced controls include geo-IP based control over authentication, allowing an application to decide whether login attempts from specific countries will be allowed. IP whitelists for logins are also supported in IDshield. We have found these to be almost universal requirements for enterprise applications in the financial services industry.

On the authorisation side, IDshield adds scope, visibility and limit constraints to capabilities, which are not available in Keycloak. Keycloak compares an incoming request with a set of capabilities and responds with a go/no-go answer indicating whether the request may be permitted. IDshield can instead return a qualified response, e.g. “Yes, this MIS report may be accessed, but only for the North Zone”, or “Yes, this voucher may be created, but only if the value is less than US$ 5,000.” These visibility, scope and limit constraints extend the basic features of Keycloak and provide support for qualified capabilities.
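The qualified-response idea above, as an added example in Go (the language of one of the client libraries) and not IDshield's own code: a deny-by-default evaluator whose types, function names and sample grant are hypothetical.

```go
package main

import "fmt"

// Hypothetical types for this example, not the IDshield client library's
// own API. A Capability is a permission held by a user, optionally
// qualified by the scope it is visible for and by a numeric limit.
type Capability struct {
	Name  string
	Scope map[string]bool // nil means no scope restriction
	Limit float64         // 0 means no limit
}

// Request is what the business application asks about.
type Request struct {
	Capability string
	Scope      string  // e.g. a zone; empty when not applicable
	Amount     float64 // e.g. a voucher value; 0 when not applicable
}

// Decision is a qualified response: permitted or not, and why.
type Decision struct{ Allowed bool; Reason string }

// Authorize denies by default, then qualifies a matching capability by scope
// (visibility) and limit; an amount equal to the limit is not "less than" it.
func Authorize(caps []Capability, req Request) Decision {
	for _, c := range caps {
		if c.Name != req.Capability {
			continue
		}
		if c.Scope != nil && !c.Scope[req.Scope] {
			return Decision{false, fmt.Sprintf("scope %q not permitted", req.Scope)}
		}
		if c.Limit > 0 && req.Amount >= c.Limit {
			return Decision{false, fmt.Sprintf("amount %.2f not below limit %.2f", req.Amount, c.Limit)}
		}
		return Decision{true, "permitted"}
	}
	return Decision{false, "capability not held"}
}

// SampleCapabilities is a constructed grant: MIS reports for the North
// Zone only, and vouchers only below US$ 5,000.
func SampleCapabilities() []Capability {
	return []Capability{
		{Name: "view_mis_report", Scope: map[string]bool{"North Zone": true}},
		{Name: "create_voucher", Limit: 5000},
	}
}
```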

Technical Details

IDshield runs as a service and integrates with business applications through a REST API, so applications written in any programming language can use it.

The enhanced authorisation features (qualified capability support) require client libraries. Currently, such libraries are provided in Go and Java.

IDshield uses its own relational database for all credential and configuration storage, which isolates the data store from the business application and enhances security.

IDshield may be scaled up by running multiple instances of the service, allowing horizontal scale-out for very large user loads.

Authentication involves JWT verification for each web service call, which may generate some load on the IDshield service. Client-side caching libraries are provided to minimise such calls to the service, dramatically improving scalability. This library is linked into the application server or the application code and caches locally in process memory.