Keycloak Guidelines for Configuration

Although each realm can have variations in what information we collect., or what authentication process is setup, there is a minimum set of recommendations that should be follow in each realm setup.

User registration fields

Information not collected:

• Country: not necessary, as the user will be on a real that

Guidelines

In general, we will setup Keycloak mirroring PSI’s authentication guidelines which can be summarised as detailed below.

PSI’s Password guidelines IMPLEMENTED JUNE 2023

• 8 characters or more

• Never expires

• must include

  • one lower case,

  • one upper case,

    one number and

  • one special character

• Not user name

• Not email

PSI' 2FA IMPLEMENTED JUNE 2023

• Enrolment via FreeOTP, Google or Microsoft authenticator

• valid for 60 days per application/device

  • Example: if a user authenticates Firefox on a given laptop, and then uses Google Chrome on the same device, the user will need to authenticate again.

2FA optional NOT IMPLEMENTED

• Geo-limit: if IP is > 500 miles from previous login, request 2FA

Email verification IMPLEMENTED JUNE 2023

If a user list is imported, emails can be marked as verified.

If users self-register, they are expected to verify their email by following the link send at the time of account creation.

Phone Verification NOT IMPLEMENTED

If a user list is imported, phones can be marked as verified.

If users self-register, they are expected to verify their phone by entering the SMS sent to them at the time of account creation.