
Keycloak – SSO security best practices

Çağlar Arlı


I am using Keycloak as an OIDC provider for several web applications. I have approximately 50 users and 5 applications. Some applications contain sensitive data and are used only by the company managers. Other applications are not so critical and are used by everyone, including day-to-day workers with little computer skills.

I would like to achieve a login experience similar to e.g. Google, which makes the login process very smooth if you are using your "authenticated web browser", and at the same time requires extra steps when it is accessed from an unknown browser/device.

Here are the questions I am currently dealing with:

  1. I would like to enforce 2FA for applications containing sensitive data, but not for all applications. Would you recommend me to:

    • Enforce 2FA on a per-user basis (i.e. the user either has 2FA enabled for all applications, or not).
    • Enforce 2FA on a per-application basis (i.e. some applications require 2FA, no matter who is using them).
  2. Since we are in an Active Directory environment, would you recommend me to enable Kerberos authentication as an alternative to the password login?

  3. Would you recommend me to enable the "Remember me" option in the login form? Currently, I have this option disabled, which has made the users use the password managers in their web browsers. Isn't the "Remember me" option safer than a password stored in the browser?

  4. Would you recommend me to use Keycloak to also protect the webmail application? It would be nice to have one password fewer, but when a user loses his/her credentials, he/she will not be able to recover them via email (protected by the same credentials).
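As an added example (not part of the original post), one way to implement the per-application option from question 1 is OIDC step-up authentication: the sensitive application requests a higher `acr` as an essential claim, and then verifies the `acr` the provider actually asserted in the ID token before granting access. It assumes Keycloak's acr-to-Level-of-Authentication mapping with numeric levels; the client names and required levels are constructed.

```python
import json
from urllib.parse import urlencode

# Constructed mapping of each client (application) to the authentication
# level it requires. Assumes the realm maps acr values to numeric Levels
# of Authentication (LoA) in its step-up authentication flow.
REQUIRED_ACR = {
    "finance-dashboard": "2",   # sensitive: password + OTP
    "intranet-news": "1",       # everyday app: password only
}


def authorization_url(issuer, client_id, redirect_uri, state):
    """Build the OIDC authorization request, asking for the client's
    required acr as an *essential* claim, so the provider must satisfy
    it (or fail the request) instead of silently ignoring it."""
    claims = {"id_token": {"acr": {"essential": True,
                                   "values": [REQUIRED_ACR[client_id]]}}}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    return f"{issuer}/protocol/openid-connect/auth?{urlencode(params)}"


def acr_satisfies(id_token_claims, client_id):
    """Server-side check the application must still perform: trust only
    the acr asserted in the (signature-verified) ID token, never the
    request it sent. Levels compare numerically; a missing or
    non-numeric acr counts as not satisfying the requirement."""
    required = int(REQUIRED_ACR[client_id])
    asserted = id_token_claims.get("acr")
    try:
        return int(asserted) >= required
    except (TypeError, ValueError):
        return False
```

With this layout the everyday application never prompts for OTP, while the sensitive one triggers the second factor only when the current session has not yet reached the required level.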