Keycloak, Janssen, Gluu: integration roadmap

by Michael Schwartz, CEO of Gluu

The recent announcement that Keycloak is joining the CNCF as an incubating project was welcome news! It resolved two important questions: how would Red Hat transfer governance of the project, and who owns the Keycloak trademark? Consequently, Gluu is working to integrate Keycloak into both the Janssen Project and the commercial Gluu Flex distribution.

You may be wondering: if Jans Auth Server and Keycloak are both identity providers, how do they connect? And why are we doing this?

The answer is that there is room in the Janssen Project for lots of identity tools. While Jans Auth Server currently provides a lot of core functionality, other components are also important, like the FIDO and SCIM servers. The modular Jans Config API and tools provide a single API management plane for all the components. And finally, the Janssen Project includes a setup script that bootstraps new deployments, as well as cloud native assets like Helm charts and a Terraform provider.

At Gluu, we realize that no one open source IDP will rule them all. There are lots of different IDPs that were written to solve specific problems. People are still writing new open source identity providers, like Zitadel. It would be cool if there was a Rust IDP (maybe one day at the Janssen Project?). Janssen Auth Server was designed for FIPS, high concurrency, multi-datacenter, database agnostic, auto-scaling deployments… customizable with reusable low code technology. There is no way we could have done that and also solved the myriad other design objectives that various open source IDPs pursue. Keycloak is a “complete, ready-to-run IAM service in a single lightweight container image.” It supports SAML and “Realms”–features primarily required for enterprise workforce applications and access control that some in the Janssen community want.

Plus, Keycloak users are our kind of people–they believe that enterprise IAM infrastructure should leverage code developed through an open source community. In other words… the enlightened. We want to create a bridge for collaboration.

There are seven integrations we’re undertaking to leverage the new capabilities from Keycloak:

  1. Add Keycloak to Jans Setup, as an optional component
  2. Write a Keycloak authentication provider to achieve SSO between Jans Auth Server and Keycloak client
  3. Update Cache Refresh to sync Keycloak database
  4. Add a Jans Config API endpoint to manage SAML Trust Relations and attribute release policies in Keycloak
  5. Add SAML trust relationship management in the Jans Text UI and command line interface
  6. Add SAML trust relationship management in the Gluu Flex Admin UI
  7. Add Agama Engine support directly into Keycloak
 
Hopefully, we’ll see an early release by the end of June that covers at least the first four of these items.