Keycloak Realm Configuration Guidelines

Although each realm can vary in what information is collected and how authentication is set up, there is a minimum set of recommendations that should be followed in every realm setup.

Definitions

Realm (in Keycloak)

A Keycloak realm is an isolated management space that maintains a set of users, credentials, roles, and groups. By default, Keycloak has the master realm, whose sole purpose is to create and manage other realms in the system. Additional realms need to be created for application-based use.

User Registration Fields

The list below is to be set up per Keycloak realm. We recommend a minimum set of fields to be mandatory. As needed by each project, realms can add extra fields, following the recommendations below.

No. | Field                                                      | Mandatory                | Type / notes
1   | First name                                                 | Mandatory                | Native to Keycloak
2   | Surname                                                    | Mandatory                | Native to Keycloak
3   | Username                                                   | Mandatory                | Native to Keycloak
4   | Email address                                              | Mandatory                | Native to Keycloak; Keycloak enforces uniqueness of email
5   | Phone number                                               | Recommended as mandatory | +CCC NNNNNNN. PENDING: can it be set as unique?
6   | WhatsApp ID                                                | Optional                 | +CCC NNNNNNN
7   | Preferred language                                         | Mandatory                | Additional field
8   | User profiling (gender, age or age range, date of birth)   | Optional                 | Additional field
9   | Type of worker                                             | Optional                 | Additional field; drop-down values per realm. SHOULD IDEALLY BE BASED ON A STANDARD CLASSIFICATION
10  | Employee ID                                                | Optional                 | Additional field
11  | Health unit                                                | Optional                 | Additional field; drop-down values per realm
12  | City/Town                                                  | Optional                 | Additional field; drop-down values per realm
13  | SubNational L2 (rename for each realm)                     | Optional                 | Additional field; drop-down values per realm
14  | SubNational L1 (rename for each realm)                     | Optional                 | Additional field; drop-down values per realm

Information not collected:

  • Country: not necessary, as the user will be on a realm that represents that country

Gender

If collecting gender, consider a third option for 'do not wish to disclose'.

Code | Value text
F    | Female
M    | Male
X    | Do not want to disclose

Username

Uniqueness is enforced by Keycloak within each realm.

A combination of first name and last name can be used, but the chosen pattern must be applied consistently across all accounts in the realm. Possible patterns include:

  • First name + "." + last name (rodolfo.melia)

  • Initial of first name + "." + last name (r.melia)

  • Initial of first name + last name (rmelia)
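The following is an added example (not code from the original page or from Keycloak) showing how a realm can derive usernames from the patterns listed above and resolve collisions with a numeric suffix, which the self-registration notes below propose (rodolfo.melia1). The pattern keys, the sample names and the set of already-taken usernames are constructed for illustration.

```python
# Added example, not part of the original page: derive a username from one of
# the realm's naming patterns and resolve collisions with a numeric suffix
# (rodolfo.melia -> rodolfo.melia1). The pattern keys, sample names and the
# "taken" set are constructed.
import re
import unicodedata

# One realm picks one pattern and applies it to every account.
PATTERNS = {
    "first.last": lambda first, last: f"{first}.{last}",     # rodolfo.melia
    "f.last":     lambda first, last: f"{first[0]}.{last}",  # r.melia
    "flast":      lambda first, last: f"{first[0]}{last}",   # rmelia
}


def normalize_name_part(part: str) -> str:
    """Lowercase, strip accents and keep only [a-z0-9], so the fragment is a
    safe, consistent username piece (Keycloak stores usernames lowercased)."""
    ascii_text = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_text.lower())


def propose_username(first: str, last: str, pattern: str, taken) -> str:
    """Build the username for (first, last) under `pattern`; if it already
    exists in `taken` (usernames present in the realm), append 1, 2, ... until
    a free one is found."""
    fn, ln = normalize_name_part(first), normalize_name_part(last)
    if not fn or not ln:
        raise ValueError("first and last name must each contain a letter or digit")
    base = PATTERNS[pattern](fn, ln)
    taken_lower = {t.lower() for t in taken}
    candidate, n = base, 1
    while candidate in taken_lower:
        candidate = f"{base}{n}"
        n += 1
    return candidate


if __name__ == "__main__":
    existing = {"rodolfo.melia"}  # constructed: usernames already in the realm
    print(propose_username("Rodolfo", "Melia", "first.last", existing))  # rodolfo.melia1
    print(propose_username("José", "Núñez", "f.last", existing))         # j.nunez
```

The pre-check only reduces the chance of a "username taken" error at registration time; the realm's own uniqueness constraint remains the authority, so the registration flow still has to handle a rejected username.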

Username verification

  • The message shown when a username is not available can be customised per realm, as part of the realm theme.

Email

  • Expected for all users. Keycloak will enforce uniqueness within the realm.

  • For self-created accounts, users will receive an email and must open it and visit the suggested URL to validate the address.

  • For manually created or imported accounts, the email can be set to 'verified'.

Email verification
implemented June 2023

If a user self-registers, they are expected to verify their email by following the link sent to their inbox.

Phone Verification
NOT IMPLEMENTED

If a user list is imported, phone numbers can be marked as verified.

If users self-register, they are expected to verify their phone by entering the code sent to them by SMS at the time of account creation.

Self Registration prototyped Aug 2023

  • Username: pre-populated based on the selected combination (see the Username section)

  • Validation: an error is displayed if the username is taken (or, if possible, a number is appended: rodolfo.melia1)

  • The email address will need to be validated (see the Email section)

Authentication Guidelines

In general, we will set up Keycloak to mirror PSI's authentication policies, which are covered by the guidelines below.

Password

Password complexity implemented in June 2023

  • 8 characters or more

  • Never expires

  • Must include

    • one lower case,

    • one upper case,

    • one number and

    • one special character

  • Not the username

  • Not the email

  • Cannot reuse the last 5 passwords

Password expiration

For realms with 2FA: we do not recommend setting an expiry date for passwords; there is no need to ask users to change their password if 2FA is enforced.

For realms without 2FA: every 60 days
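As an added example (not code from the original page or from Keycloak), the complexity and expiration rules above can be written as a Keycloak realm password policy string, and the same rules can be applied locally as a pre-check in an import script or registration front end. The policy names are Keycloak's built-in password policy providers; the usernames, emails and passwords below are constructed.

```python
# Added example, not part of the original page: the realm's password rules as
# a Keycloak `passwordPolicy` string, plus a local pre-check applying the same
# rules. Sample users and passwords are constructed.

def build_password_policy(realm_enforces_2fa: bool) -> str:
    """Policy string for the realm's `passwordPolicy` setting. Realms without
    2FA additionally force a change every 60 days, per the expiration rule."""
    rules = [
        "length(8)",            # 8 characters or more
        "lowerCase(1)",         # at least one lower case
        "upperCase(1)",         # at least one upper case
        "digits(1)",            # at least one number
        "specialChars(1)",      # at least one special character
        "notUsername",          # not the username
        "notEmail",             # not the email
        "passwordHistory(5)",   # cannot reuse the last 5 passwords
    ]
    if not realm_enforces_2fa:
        rules.append("forceExpiredPasswordChange(60)")
    return " and ".join(rules)


def check_password(password: str, username: str, email: str, previous) -> list:
    """Return the names of the rules `password` violates (empty list = OK).
    This mirrors the realm policy locally; the realm policy stays the
    authority, and Keycloak checks history against stored hashes, not text."""
    violations = []
    if len(password) < 8:
        violations.append("length")
    if not any(c.islower() for c in password):
        violations.append("lowerCase")
    if not any(c.isupper() for c in password):
        violations.append("upperCase")
    if not any(c.isdigit() for c in password):
        violations.append("digits")
    if not any(not c.isalnum() for c in password):   # anything not a letter/digit
        violations.append("specialChars")
    if password.lower() == username.lower():
        violations.append("notUsername")
    if email and password.lower() == email.lower():
        violations.append("notEmail")
    if password in list(previous)[-5:]:              # last 5 passwords, most recent last
        violations.append("passwordHistory")
    return violations


if __name__ == "__main__":
    print(build_password_policy(realm_enforces_2fa=True))
    print(check_password("rodolfo.melia", "rodolfo.melia", "rodolfo.melia@example.org", []))
```

The string returned by `build_password_policy` is what goes into the realm's "Password Policy" setting (or the `passwordPolicy` field of a realm export). Note that the page lists both "Never expires" and a 60-day expiry for realms without 2FA; the function follows the expiration rule for non-2FA realms.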

Password recovery

Always enabled (email recovery)

2FA
implemented June 2023

  • Enrolment via FreeOTP, Google or Microsoft authenticator

  • valid for 30 days per application/device

    • Example: if a user authenticates Firefox on a given laptop, and then uses Google Chrome on the same device, the user will need to authenticate again.

2FA geo-triggering NOT IMPLEMENTED

  • Geo-limit: if IP is > 500 miles from previous login, request 2FA

Token validity NOT IMPLEMENTED

Session values

  • Online: 48 hrs

  • Offline: 7 days

Account lockout IMPLEMENTED early aug 2023

  • After 3 failed attempts

  • Wait increments of 1 minute, up to 15 minutes

  • Auto-reset: 12 hrs
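As an added example (not code from the original page or from Keycloak), the lockout rule above maps onto Keycloak's realm brute-force detection settings, and the wait schedule it produces can be modelled to check that the configured values behave as intended. The model follows the policy as stated on this page (one increment per block of 3 failures, capped at 15 minutes, counter forgotten after 12 hours); it is not Keycloak's own implementation. Timestamps are constructed, in seconds.

```python
# Added example, not part of the original page: the account lockout rule as
# Keycloak realm brute-force settings, plus a model of the resulting wait
# schedule. The model follows the stated policy, not Keycloak's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    failure_factor: int = 3                  # failed attempts before a wait applies
    wait_increment_seconds: int = 60         # 1 minute per block of failures
    max_failure_wait_seconds: int = 900      # capped at 15 minutes
    max_delta_time_seconds: int = 12 * 3600  # failures older than 12 h are forgotten

    def realm_settings(self) -> dict:
        """Fields as they appear in a Keycloak realm representation (JSON)."""
        return {
            "bruteForceProtected": True,
            "permanentLockout": False,   # temporary lockout, as the guideline states
            "failureFactor": self.failure_factor,
            "waitIncrementSeconds": self.wait_increment_seconds,
            "maxFailureWaitSeconds": self.max_failure_wait_seconds,
            "maxDeltaTimeSeconds": self.max_delta_time_seconds,
        }


def wait_seconds(num_failures: int, policy: LockoutPolicy = LockoutPolicy()) -> int:
    """Wait imposed after `num_failures` consecutive failures: one increment per
    full block of `failure_factor` failures, capped at the maximum wait."""
    if num_failures < policy.failure_factor:
        return 0
    blocks = num_failures // policy.failure_factor
    return min(policy.wait_increment_seconds * blocks, policy.max_failure_wait_seconds)


def lockout_state(failure_times, now, policy: LockoutPolicy = LockoutPolicy()):
    """Return (counted_failures, locked_until) for a login attempt at `now`;
    locked_until is None when the attempt may proceed. A gap longer than
    max_delta_time_seconds resets the counter (the 12 h auto-reset)."""
    count, last = 0, None
    for t in sorted(failure_times):
        if last is not None and t - last > policy.max_delta_time_seconds:
            count = 0
        count += 1
        last = t
    if last is None or now - last > policy.max_delta_time_seconds:
        return 0, None
    wait = wait_seconds(count, policy)
    if wait == 0 or now >= last + wait:
        return count, None
    return count, last + wait


def is_locked(failure_times, now, policy: LockoutPolicy = LockoutPolicy()) -> bool:
    return lockout_state(failure_times, now, policy)[1] is not None


if __name__ == "__main__":
    print(LockoutPolicy().realm_settings())
    print(lockout_state([0, 10, 20], now=30))   # (3, 80): 60 s wait after the third failure
```

Because the lockout is temporary and capped, a sustained guessing attempt is slowed rather than stopped; the login-failure events Keycloak emits remain the signal to monitor for that case.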

Account Expiration Date NOT available in Keycloak

If required, an account can be scheduled to expire on a given date. This is used for consultants on short-term contracts.

Possible workaround:

  • Custom field with the desired expiration date

  • A custom script could disable accounts past the expiration date
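As an added example (not code from the original page or from Keycloak) of the workaround just described: read an expiry date from a custom user attribute, decide which still-enabled accounts are past it, and prepare the Admin REST call that disables them. The attribute name (accountExpiresOn), the realm name, the base URL and the user records are constructed assumptions; the endpoint `PUT /admin/realms/{realm}/users/{id}` is Keycloak's Admin REST API.

```python
# Added example, not part of the original page: the "custom field + script"
# account-expiration workaround. Attribute name, users and dates are
# constructed; the Admin REST endpoint is Keycloak's real one.
from datetime import date

EXPIRY_ATTRIBUTE = "accountExpiresOn"   # assumed custom attribute, ISO date YYYY-MM-DD

# Constructed sample in the shape Keycloak's Admin API returns for users
# (attribute values are lists of strings).
SAMPLE_USERS = [
    {"id": "u-1", "username": "a.consultant", "enabled": True,
     "attributes": {EXPIRY_ATTRIBUTE: ["2023-12-31"]}},
    {"id": "u-2", "username": "b.consultant", "enabled": True,
     "attributes": {EXPIRY_ATTRIBUTE: ["2023-08-31"]}},
    {"id": "u-3", "username": "c.consultant", "enabled": False,
     "attributes": {EXPIRY_ATTRIBUTE: ["2023-08-31"]}},   # already disabled
    {"id": "u-4", "username": "d.staff", "enabled": True},  # no expiry: permanent staff
    {"id": "u-5", "username": "e.consultant", "enabled": True,
     "attributes": {EXPIRY_ATTRIBUTE: ["31/08/2023"]}},    # malformed date
]


def expiry_date(user: dict):
    """Parse the expiry attribute; None if absent. Raises ValueError if malformed."""
    values = user.get("attributes", {}).get(EXPIRY_ATTRIBUTE) or []
    return date.fromisoformat(values[0]) if values else None


def plan_expirations(users, today: date) -> dict:
    """Split users into ids to disable (enabled and past expiry) and ids whose
    expiry attribute could not be parsed (left untouched, to be reported)."""
    plan = {"disable": [], "malformed": []}
    for user in users:
        try:
            expires = expiry_date(user)
        except ValueError:
            plan["malformed"].append(user["id"])
            continue
        if expires is not None and user.get("enabled", True) and today > expires:
            plan["disable"].append(user["id"])
    return plan


def disable_request(base_url: str, realm: str, user_id: str) -> tuple:
    """(method, url, JSON body) for the Admin REST call that disables a user.
    The caller sends it with a bearer token that holds the realm's
    manage-users role, which is all this job needs."""
    return ("PUT", f"{base_url}/admin/realms/{realm}/users/{user_id}", {"enabled": False})


if __name__ == "__main__":
    plan = plan_expirations(SAMPLE_USERS, date(2023, 9, 1))
    for uid in plan["disable"]:
        print(disable_request("https://sso.example.org", "country-a", uid))
    print("malformed expiry, not touched:", plan["malformed"])
```

Running the planning step separately from the update step gives a dry-run list to review before any account is disabled, and malformed dates are reported rather than silently treated as "never expires".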
