Introduction

In the realm of cybersecurity, Single Sign-On (SSO) is not just a convenience but a foundational element of robust security strategies. As digital threats evolve, the urgency to update and secure SSO implementations becomes critical. This post delves into the essential role of SSO, my experience upgrading an existing Keycloak deployment, and the significance of Multi-Factor Authentication (MFA) in enhancing security frameworks.

What is Keycloak?

For those that may not know, Keycloak is an open-source Identity and Access Management (IAM) solution designed by Red Hat to simplify the complex aspects of securing applications and services. It stands out as a premier choice for implementing Single Sign-On (SSO) due to its comprehensive feature set that supports a wide range of authentication mechanisms, user federation, and identity providers. Keycloak allows developers and organizations to offload their authentication and authorization responsibilities securely, enabling them to focus on their core business functionalities. With its ability to integrate seamlessly into various environments and support for standards such as OpenID Connect, OAuth 2.0, and SAML 2.0, Keycloak offers a versatile and scalable solution for managing user identities across multiple applications. Its robustness, coupled with a user-friendly interface for administrators and end-users, makes Keycloak a great option for those looking to implement SSO, enhancing user experience while maintaining high security and compliance standards.

There are other solutions as well, such as Authelia, Gluu, Authentik, and Zitadel. I just haven’t messed around with them, and deployed Keycloak in late 2022.

The Challenge of Upgrading

The journey to bolster security began with my existing deployment of Keycloak, which needed an upgrade from version 21.1.1 to 23.0.6. This upgrade was critical not only for accessing new features but also for addressing security vulnerabilities that could be exploited. Since I use my SSO for authentication to my network resources that are exposed to the greater internet, it serves at the gateway into self-hosted services. Now, there are multiple layers of defense, so things are not just announcing themselves to the world, but in the even that this critical piece of infrastructure is compromised, the other defenses are prone to compromise as well. Typically, with this deployment being a docker image, upgrading is a breeze. However, because of the version jumps that I was undertaking, other core technologies changed, namely, the underlying database application. As such, the upgrade process was compounded by the necessity of first upgrading PostgreSQL from version 15 to 16, a task made manageable by leveraging and following a detailed guide by Thomas Bandt on Upgrading PostgreSQL.

Upgrade Process: A Step-by-Step Account

The upgrade was meticulous and required a precise sequence of steps to ensure data integrity and system functionality were maintained:

1. Snapshot the VM: Since this host is on my VMware Cluster, I took a snapshot of the Docker Host, so that in the even that I was unsuccessful, I could rollback to a known good configuration.
2. Backup Database: Next, utilizing Portainer, I launched a console into the docker container and executed the command pg_dumpall -U postgres > $location/upgrade_backup.sql to create a comprehensive backup of the PostgreSQL database.
3. Server Shutdown: The PostgreSQL docker container was then stopped to prepare for the upgrade process.
4. Server Upgrade: The next step was to change to the latest version of PostgreSQL in the Docker-Compose file, mount a new, blank database volume, and start the server.
5. Transfer Backup File: I then copied the backup SQL file to the newly created Docker volume with cp $location/upgrade_backup.sql /var/lib/docker/volume/path_to_new_postgresql_data/ to ensure it was accessible. This was done on the Docker Host, since that is where the ephemeral data is held.
6. Restore Database: Launching a console into the PostgreSQL server via Portainer, I imported the SQL data using cat $location/upgrade_backup.sql | psql -U postgres.
7. Restart PostgreSQL Server: With the backup securely in place and imported, the PostgreSQL docker container was restarted for good measure and validation (not necessarily required).
8. System Reboots: Following the data import, both the PostgreSQL server and the Keycloak web server were rebooted to finalize the upgrade.
9. Validation: Logging in with existing credentials was the moment of truth, confirming the successful import and system upgrade.
10. Cleanup: Post-validation, the PostgreSQL dump file was securely removed with rm -rf $location/upgrade_backup.sql to prevent any potential security risks.

Of note, I also had to make some configuration changes to my Keycloak instance. With the new version, there were some required variables since I use a proxy to secure traffic to and from my Keycloak server. This was simple to update, just a few additional environment variables within my Docker-Compose file in Portainer. The Bitnami Keycloak Docker Image has excellent breakdowns of the flags and values you should use. I also want to give a shoutout to how amazing the world has become with the use of AI. No longer am I required to search for article and post after post; I simply explained what was happening, and Microsoft Copilot (Bing Chat) gave me a complete list of troubleshooting for what I was experiencing.

Expanding SSO in a Homelab Environment

Implementing SSO in a homelab setup goes beyond testing; it’s about creating a microcosm of an enterprise security environment. This setup allows for rigorous testing of security policies and practices in a controlled, scalable manner. It demonstrates the practicality and scalability of SSO solutions like Keycloak for securing enterprise applications, even within community editions, providing a hands-on approach to understanding and implementing security measures effectively, not to mention taking your security to the next level.

Elevating MFA Security

The drive to upgrade was also motivated by a desire to enhance MFA security measures. In the digital age, Multi-Factor Authentication (MFA) has become a cornerstone of cybersecurity. MFA requires users to provide two or more verification factors to gain access to resources, such as digital platforms, applications, or networks. Transitioning to more secure MFA methods, such as Hardware Keys and PassKeys, represents a significant leap forward in securing user identities and access controls. This method significantly enhances security by adding layers of defense, making unauthorized access much harder for attackers; it is also critical in an era where traditional MFA methods are becoming increasingly vulnerable to compromise.

Understanding MFA and Its Importance

MFA is crucial for several reasons. Firstly, it mitigates the risk of compromised passwords, which remain a common attack vector. By requiring additional verification, MFA ensures that stolen credentials alone are not enough to breach accounts. It protects against phishing, social engineering, and brute force attacks, safeguarding sensitive data and user identities.

The Evolution to Hardware Keys and Passkeys

Hardware Keys are physical devices used for authentication. They can connect to a computer or mobile device via USB, NFC, or Bluetooth, providing a physical form of security that is resistant to remote hacking attempts. Hardware keys support protocols like FIDO2, making them highly secure options for MFA. Such hardware keys can be purchased from many companies, but I prefer Yubico’s Yubikeys for my hardware key of choice. They are sturdy and very simple to setup, and they come in all shapes and sizes!

Passkeys, on the other hand, are a newer form of user authentication. They replace traditional passwords with cryptographic key pairs—public and private. The private key is stored securely on the user’s device, while the public key is stored on the server. Authentication occurs seamlessly, often with just a biometric scan or device PIN, eliminating the need for users to remember complex passwords. The implementation of this technology into our mobile devices and password managers is making easier than ever to adopt this new technology; the key…pun intended…is to make sure you activate this feature on supported websites and applications.

Why Hardware Keys and Passkeys Represent the Next Security Evolution

Hardware keys and Passkeys are considered the next evolution in securing accounts for several reasons. They offer a level of security that is significantly higher than traditional methods, such as SMS-based or app-generated codes. Hardware keys, being physical devices, are not susceptible to remote phishing or man-in-the-middle attacks. Similarly, Passkeys, leveraging biometric and device-based verification, offer a user-friendly yet highly secure authentication method that reduces the reliance on easily compromised or forgotten passwords.

These technologies also align with the broader industry move towards passwordless authentication, which aims to enhance security while improving user experience. As cybersecurity threats evolve, adopting these advanced MFA methods becomes crucial for organizations and individuals alike to protect against unauthorized access and maintain the integrity of digital identities.

Conclusion

Moral of the story: KEEP CRITICAL APPLICATIONS UPDATED! Or suffer extended downtime and potential data loss due to incompatibilities. But in reality, upgrading Keycloak and PostgreSQL in this instance was a nuanced journey that highlighted the intricate balance between maintaining operational continuity and enhancing security measures. This experience underscores the importance of proactive security upgrades and the adoption of advanced security practices. Through detailed planning, execution, and validation, we can significantly enhance the security and functionality of SSO systems, making them more resilient against evolving digital threats.

By sharing this journey, I aim to encourage others to assess and upgrade their security systems, emphasizing the critical role of advanced MFA technologies in creating a more secure digital world.