
Sheogorath's Blog

Home is where SSO works


Some people might have already noticed, but during the last year I set up keycloak for SSO to all services on my private setup. And to tell things as they are: It’s awesome. You open your browser; as always, it has deleted all cookies. I open my Mastodon instance, click on login, enter my password and click on my YubiKey. Logged in.

I go to my GitLab instance next, click on login, 5 seconds and two redirects later… I’m logged in. Same for Nextcloud. All services, one login, all self-hosted. I literally love it. But let me explain a bit what I’m talking about.

What is SSO

SSO stands for Single-Sign-On and is a technique to unify your logins without the need to re-enter your credentials over and over again. Instead you have a login provider, or to use the proper term, an identity provider (IdP for short), that you log in with. This provider knows your password and verifies that you are you. But it also knows additional data like your email address, first and last name, preferred display name and so on.

When an application is set up to integrate with an IdP, the application is able to request information from the IdP as well as ask the IdP to identify you. When you click on the login button, the SI-GitLab instance redirects you to SI-Auth, my keycloak instance and IdP, which then checks whether you have an active session. If you have an active session, it answers GitLab with your details and confirms that you are logged in. If not, it’ll ask you to authenticate yourself.

And since this happens with every application that is integrated with the IdP, you only have to log in once. It also means the application doesn’t know your password and therefore can’t leak it to an attacker if there is a successful compromise.
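The redirect flow described above, as an added example that is not part of the original post or of keycloak: a toy in-process simulation in the style of the OIDC authorization code flow, with one IdP and any number of applications. Hostnames, client ids and the `IdP`/`App` classes are constructed for illustration; client authentication at the token step and ID-token signatures are left out.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
AUTH = "https://idp.example/auth"  # placeholder authorization endpoint (assumption)

class IdP:  # toy identity provider: the only party that ever handles the password
    def __init__(self, users, clients):
        self.users, self.clients = users, clients  # user -> (pw, claims); client_id -> redirect URI
        self.sessions, self.codes = {}, {}         # cookie -> user; (code, client_id) -> user

    def login(self, user, password):
        stored = self.users.get(user)
        if not stored or not secrets.compare_digest(stored[0].encode(), password.encode()):
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        return cookie

    def authorize(self, url, cookie=None):
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if self.clients.get(q["client_id"]) != q["redirect_uri"]:
            raise PermissionError("redirect_uri not registered for this client")
        user = self.sessions.get(cookie)
        if user is None:
            return None  # no active session: the browser gets the login form instead
        code = secrets.token_urlsafe(16)
        self.codes[(code, q["client_id"])] = user
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code, client_id):
        user = self.codes.pop((code, client_id))  # single use, bound to one client; else KeyError
        return dict(self.users[user][1])          # claims only, never the password

class App:  # toy relying party, e.g. GitLab or Nextcloud
    def __init__(self, idp, client_id, redirect_uri):
        self.idp, self.client_id, self.redirect_uri = idp, client_id, redirect_uri
        self.pending = set()  # state values this app handed out

    def start_login(self):
        state = secrets.token_urlsafe(16)  # ties the later callback to this login attempt
        self.pending.add(state)
        return AUTH + "?" + urlencode({"response_type": "code", "scope": "openid",
            "client_id": self.client_id, "redirect_uri": self.redirect_uri, "state": state})

    def callback(self, url):
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q["state"] not in self.pending:
            raise PermissionError("state mismatch: callback was not started here")
        self.pending.discard(q["state"])
        return self.idp.token(q["code"], self.client_id)
```

The first application's `authorize` call returns `None` until `IdP.login` has produced a session cookie; every later application gets its redirect straight away with the same cookie, and only ever receives the claims.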

“Why self-host it for yourself?”

Well, you may know this feature from “login with Google” or “Login with Facebook”-Buttons. They have one major problem: As soon as you delete your Google or Facebook account, which I recommend to anyone, you might lose access to accounts from services you logged into using those buttons. Also I self-host my stuff for privacy reasons (and as a hobby), so why put the most sensitive responsibility into someone else’s hands?

And of course, because I don’t run those services just for myself. I run them for my friends and family that can enjoy the convenience as well. Even you can, when you decide to sign up on the keycloak instance. Of course, I limit the services that you can use with a fresh sign-up quite a lot. But I hope you can understand that I’m not a gratis hoster for everyone’s data. When you sign up you get an account that enables you to participate in my GitLab and on my private CodiMD instance. And when you need more, you can for sure reach out to me, but the defaults are quite strict.

How to set it up yourself

Running keycloak is not rocket science, but you need an understanding of how OIDC and SAML work. There are nice tutorials out there on how to integrate services with it:

For the setup of keycloak itself, check my infrastructure repository and the official keycloak container image page. But be warned, it’s quite a heavy server and will take up some RAM for “just an authentication service”.

It also requires some more knowledge when you want to set up WebAuthn and similar advanced techniques on it. But thanks to the newest version, it’s possible and the docs are great.

Conclusion

Running keycloak will require some work. It’ll not reduce the number of accounts that you, as an admin, have. You still need to be able to log in to services when SAML or OIDC break. But when you have friends and family on your setup, it saves them n-1 accounts, where n is the number of your services that are integrated with keycloak.

And for yourself as admin, it at least saves you a lot of clicking around in your password manager. One click and you are done. And I noticed that nowadays I’m already getting frustrated when seeing username and password fields even while using a password manager. Why can’t everything just be integrated with my wonderful keycloak at home? So yes, to me home is where SSO works.

Photo by Christopher Harris on Unsplash