Learn how to connect IBM Cloud App ID to your Red Hat SSO or Keycloak instance.

Setting up application security can be complicated. For most developers, it can be one of the hardest parts of creating an app. How can you be sure that you are securely storing your users’ information? How can you be sure your system cannot be infiltrated? How do you manage access controls? How do you ensure that you address any and all vulnerabilities? What if your application runs on different cloud providers with completely different security systems? 

In most cases, developers prefer to focus on delivering the business value while leaving any security aspects to experts and specialized products. There are quite a few well-known and trusted Identity and Access Management products on the market that you might already be familiar with, but today I’m going to focus on two of them: IBM Cloud App ID and Red Hat SSO (which is based on the open source Keycloak project).

What’s the difference between App ID and Red Hat SSO?

Now, before I dive into technical details, let’s try to understand what those two products are. Enterprises have traditionally deployed IAM software products to manage identity and access. Red Hat SSO is a software package that enterprises can manage and deploy on their own. Increasingly, developers and enterprises want to consume identity and access as-a-service. App ID is offered as-a-service and specifically targets developers who don’t need (or want) to know anything about security protocols. The service allows for them to consume all of the security capabilities while the operational aspects are handled by the IBM Cloud Platform

Another major benefit of App ID is the level of integration with other IBM Cloud Services that creates a seamless experience for easy protection of cloud-native applications, including IBM Cloud Kubernetes Service, Cloud Functions, Cloud Foundry, API Connect, Activity Tracker, and more. 

Configuring App ID to use an existing Red Hat SSO or Keycloak instance

So, the question that brought you to this blog: What if I already have an existing Red Hat SSO or Keycloak instance that handles user authentication but I still want all of the benefits that come from the integrated IBM Cloud experience? 

The short answer—no problem! You can connect IBM Cloud App ID to your Red Hat SSO or Keycloak instance.

Check out the following video tutorial and instructions to learn how to maximize the benefits of both options with zero code changes or redeploys.

Protecting your cloud applications with App ID and existing Keycloak user repository


Protecting your cloud applications with App ID and existing Keycloak user repository

Recap of the tutorial steps

  1. Be sure that you have Red Hat SSO or Keycloak running and accessible via HTTPS. We want our connection to be secure.
  2. Start the configuration on the App ID side:
    1. Create an instance of IBM Cloud App ID or use an existing one. Pick SAML 2.0 Federation under the Identity Providers menu.
    2. Give your provider a name, for example “Enterprise Login” or “Red Hat SSO.”
    3. Click Download SAML Metadata file.
  3. Moving to the Red Hat SSO/Keycloak Admin UI:
    1. Create a new realm, or use an existing one.
    2. Open the Clients menu.
    3. Create a new Client. Import the XML file that you downloaded from App ID in step 2.3. 
    4. In the settings screen for your new SAML connection, set the Client signature required setting to OFF
    5. Save the Client settings.
    6. Open the Realm Settings menu.
    7. Click SAML 2.0 Identity Provider Metadata.
    8. Note the entityID property of the EntityDescriptior element.
    9. Note the value of the <dsig:X509Certificate> under <KeyDescriptor>.
    10. Note the Location property of the SingleSignOnService element with Binding=”urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST”.

  4. Back in the App ID Dashboard:
    1. Copy the value for entityID that you got in step 3.8 into the entityID box.
    2. Copy the value for Location that you got in step 3.10 into the Sign-in URL box.
    3. Copy the value for X509Certificate you got in step 3.9 into the Primary Certificate box.
    4. Save your settings.
    5. Click TEST. You should be able to log in through Red Hat SSO/Keycloak and see access and identity tokens generated for you by App ID. 

That’s it, you’re done! App ID is now integrated with your Red Hat SSO/Keycloak, so you can start enjoying the superb experience of easily adding user authentication to your app, protecting applications running on Kubernetes or OpenShift clusters, getting administrative and authentication events in Activity Tracker, and more!

Feedback and resources

We’d love to hear from you with feedback and questions!

  • Reach out directly to the development team on Slack.
  • If you have technical questions about App ID, post your question on Stack Overflow and tag your question with ibm-appid.
  • For questions about the service and getting started instructions, use the IBM Developer Answers forum. Include the appid tag.
  • Open a support ticket in the IBM Cloud menu.

To learn more about the service and getting started, check out the following links:

More from Cloud

Using advanced scan settings in the IBM Cloud Security and Compliance Center

5 min read - Customers and users want the ability to schedule scans at the timing of their choice and receive alerts when issues arise, and we’re happy to make a few announcements in this area today: Scan frequency: Until recently, the IBM Cloud® Security and Compliance Center would scan resources every 24 hours, by default, on all of the attachments in an account. With this release, users can continue to run daily scans—which is the recommended option—but they also have the option for…

5 min read

Modernizing child support enforcement with IBM and AWS

7 min read - With 68% of child support enforcement (CSE) systems aging, most state agencies are currently modernizing them or preparing to modernize. More than 20% of families and children are supported by these systems, and with the current constituents of these systems becoming more consumer technology-centric, the use of antiquated technology systems is archaic and unsustainable. At this point, families expect state agencies to have a modern, efficient child support system. The following are some factors driving these states to pursue modernization:…

7 min read

IBM Cloud Databases for Elasticsearch End of Life and pricing changes

2 min read - As part of our partnership with Elastic, IBM is announcing the release of a new version of IBM Cloud Databases for Elasticsearch. We are excited to bring you an enhanced offering of our enterprise-ready, fully managed Elasticsearch. Our partnership with Elastic means that we will be able to offer more, richer functionality and world-class levels of support. The release of version 7.17 of our managed database service will include support for additional functionality, including things like Role Based Access Control…

2 min read

Connected products at the edge

6 min read - There are many overlapping business usage scenarios involving both the disciplines of the Internet of Things (IoT) and edge computing. But there is one very practical and promising use case that has been commonly deployed without many people thinking about it: connected products. This use case involves devices and equipment embedded with sensors, software and connectivity that exchange data with other products, operators or environments in real-time. In this blog post, we will look at the frequently overlooked phenomenon of…

6 min read