by twexler 1543 days ago
I'm not sure Keycloak is a viable alternative for most businesses. Security software as a whole tends to be _extremely_ difficult to run securely and at scale.

Honestly, most of these companies would be better off using Google, Azure or AWS' SSO-as-a-Service product (if that's what you're hoping to get out of Keycloak).

That's not to say that I don't appreciate that there's an open-source alternative out there, however.


I have a feeling Cloudflare is going to be a new entrant into this space in the next 6-12 months.

I've got a similar feeling and I'm witnessing it through their Zero Trust product. All the rails for SSO/SAML are coming together.

Interestingly enough, it looks like it will be provider agnostic.

You could use the "raw" SAML endpoint provided by the service, a Google Identity endpoint, an Okta-provided SAML endpoint, Shibboleth on-prem protected by Tunnels, JumpCloud, etc.

There's even a SAML/SSO preview of what data will be sent to the application upon authZ by the Identity Provider. There are configuration rules already in place (AuthN) that can be applied to Organizational Units based upon the user's metadata.

It's a pretty clear bet at this point that Cloudflare will be making an entrance. Considering they used Okta internally, performing a rapid investigation of the breach (1) is the right thing to do as a service provider/rails to the internet, (2) is strong product marketing for their future product, and (3) can be used to gain internal support for replacing Okta with their own product.

One can only hope.

For those too lazy to click through, this comment is the CTO of Cloudflare asking what features people would like, in response to a comment: "Matthew Prince has a lot of tweets today about how he might have to begrudgingly enter the IAM space given how disappointed he is, how serious are you guys about this?"
> Honestly, most of these companies would be better off using Google, Azure or AWS' SSO-as-a-Service product (if that's what you're hoping to get out of Keycloak).

The thing is, your Keycloak instance is not going to matter to any hacker, particularly if it's inside a VPN and not reachable from the Internet - and while we're at it, fuck zero-trust because it is essentially the same level of stupidity as using Okta, you're once again putting all your eggs into the basket of whatever provider you choose.

Your SSO-as-a-service provider, however? They're the juiciest target out there. Everyone from secret services and enemy nation states to your average cyber-criminal is looking to get access there. And as we've seen, all it takes is a couple of teenagers and a couple thousand dollars.

Good network design costs a lot of money to set up, particularly to limit the scope of an attack (e.g. because the VPN software had a vulnerability), but it's orders of magnitude better in the long run than to outsource core IT to some incompetent fools with subcontractors.

> The thing is, your Keycloak instance is not going to matter to any hacker, particularly if it's inside a VPN and not reachable from the Internet.

This doesn't make it particularly usable as SSO...

> Good network design costs a lot of money to set up, particularly to limit the scope of an attack (e.g. because the VPN software had a vulnerability), but it's orders of magnitude better in the long run than to outsource core IT to some incompetent fools with subcontractors.

This is exactly my point. Most businesses do not have the resources to maintain this level of infrastructure.

Additionally, I'm personally of the opinion that walled gardens with VPN entry points are a particularly good choice for modern businesses these days. Even the White House OMB is pushing the BeyondCorp model in their recent recommendations for ZT.

> This doesn't make it particularly usable as SSO...

Why? Your core IT should not be visible from outside a VPN anyway, and if you're in a VPN you can use your Keycloak or whatever SAML system as you wish.

> Most businesses do not have the resources to maintain this level of infrastructure.

And right here is the problem: too many businesses see IT simply as a cost center instead of as what it is: a vital part of the business. You can't even run a grocery store without computers any more, and even a grocery store is a juicy target for criminals given that credit card data is processed there (not to mention employment records that can be used for identity impersonation).

People simply go and attach whatever bullshit devices, from HVAC controllers to crappy $10 IoT surveillance cameras fresh off of Alibaba, to their core network, and in some cases even "convenience wifi for customers", and then they wonder why either hackers or the feds come knocking. Jesus.

There is Amazon Keycloak, which might meet someone's needs: https://www.amazonaws.cn/en/solutions/keycloak-on-aws/