Identity and Authorization
These guides walk platform engineers through common identity and authorization tasks in UDS Core. Each guide covers a single goal with step-by-step instructions.
For background on how Keycloak, Authservice, and SSO work together, see Identity & Authorization concepts.
Guides
Protect non-OIDC apps with SSO: Add SSO protection to applications that have no native OIDC support.
Enforce group-based access controls: Restrict application access to users in specific Keycloak groups using the `Package` CR.
Configure Keycloak authentication methods: Enable or disable username/password, X.509/CAC, WebAuthn, OTP, and social login via bundle overrides.
Connect Azure AD as an identity provider: Configure Azure Entra ID as a SAML IdP so users authenticate via Azure instead of local Keycloak accounts.
Configure Google SAML as an identity provider: Connect Google SAML using realmInitEnv bundle overrides, with no admin UI required.
Configure Keycloak login policies: Set session timeouts, concurrent session limits, and logout behavior via bundle overrides.
Configure Keycloak HTTP retries: Enable and tune retry behavior for Keycloak outbound HTTP requests to external services.
Configure the CA truststore: Replace the default DoD CA bundle with a custom certificate authority for X.509/CAC authentication.
Configure service account clients: Set up machine-to-machine authentication using the OAuth 2.0 Client Credentials Grant.
Configure OAuth 2.0 device flow: Enable device authorization for CLI tools and headless apps that cannot use a browser redirect.
Configure Keycloak account lockout: Set temporary and permanent lockout thresholds for brute-force protection.
Customize Keycloak login page branding: Replace the default logos, background, and Terms & Conditions content via bundle overrides and ConfigMaps.
Build a custom Keycloak configuration image: Build, publish, and deploy a custom configuration image to UDS Core for theme or truststore changes.
Configure user accounts and security policies: Set password complexity, enable email verification, and extend security hardening allow lists via bundle overrides.
Manage Keycloak with OpenTofu: Enable the built-in OpenTofu client and use it to programmatically manage Keycloak resources.
Upgrade to FIPS 140-2 mode: Migrate an existing non-FIPS deployment to FIPS 140-2 Strict Mode before upgrading UDS Core.
Configure CRL-based certificate revocation in an airgap: Load CRL files into Keycloak via an OCI data image so X.509/CAC revocation checks work without OCSP access.
Register and customize SSO clients: Register native OIDC or SAML clients, customize secrets, add protocol mappers, and configure client attributes.
Configure Keycloak notifications and alerts: Enable Prometheus alerting rules so Keycloak realm, user, and admin changes trigger Alertmanager notifications.