WinCC OA User Interface Authentication by Using Keycloak
Keycloak is an open-source identity and access management platform that helps organizations secure their applications and services. It acts as a central authentication server, allowing users to log in once and access multiple applications without needing to re-authenticate. Keycloak is widely used to implement single sign-on (SSO), manage user identities, and enforce security policies across web, mobile, and cloud-based environments.
Designed for flexibility, Keycloak supports industry-standard authentication protocols such as OpenID Connect (OIDC) and SAML. This makes it suitable for integrating with a wide range of applications and services, whether they are custom-built or third-party. Keycloak enables administrators to centrally manage users, roles, groups, and authentication flows, while developers benefit from streamlined integration and robust security features. Common use cases include securing enterprise applications, enabling social login, and supporting multi-tenancy through the use of realms.
Keycloak also provides advanced features such as customizable login pages, user self-service, and support for strong authentication methods like Multi-Factor Authentication (MFA). With MFA, organizations can require users to provide an additional verification step, such as a one-time password (OTP), to enhance security beyond the standard username and password.
This introduction offers a high-level overview of Keycloak's role in authentication and user management. The following sections outline the basic steps for configuring Keycloak and enabling MFA, but do not cover every possible feature or scenario. For detailed, step-by-step instructions, see the dedicated task topics linked below.
Keycloak Base Configuration
To use Keycloak as an authentication provider, you must first set up a Keycloak server, create a realm, configure clients, and add users. This base configuration enables your application to authenticate users via OIDC or SAML.
For a step-by-step guide to setting up Keycloak for OIDC authentication, see Set Up Keycloak for OIDC Authentication (Base Configuration).
Configuring OIDC Authentication for Your Project
Once Keycloak is set up, you need to configure your project to use Keycloak as the OIDC Identity Provider. This involves editing your project configuration file to specify the authentication type, realm, client ID, and OIDC endpoints. These settings ensure that your application can communicate securely with Keycloak for user authentication.
For detailed instructions on configuring OIDC authentication for your project, see Configuring OIDC Authentication for WinCC OA Project.
Multi-Factor Authentication (MFA) in Keycloak
Keycloak supports Multi-Factor Authentication (MFA) to provide an additional layer of security beyond username and password. MFA can be configured by administrators to require users to register and use a second authentication factor, such as a one-time password (OTP) generated by an authenticator app.
Administrators are responsible for enabling and configuring MFA policies in the Keycloak administration console. End users must then register and activate MFA for their own accounts as required.
For detailed instructions on configuring MFA as an administrator, see Configuring Multi-Factor Authentication (MFA) as an Administrator in Keycloak.
Setting Up MFA as an End User
After administrators have enabled MFA, end users must complete the setup process for their own accounts. This typically involves logging in, registering an authenticator app, and verifying the second factor.
For a step-by-step guide for end users, see Setting up Multi-Factor Authentication (MFA) as a User.
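As an added illustration (not part of the WinCC OA or Keycloak documentation), the following Python code shows what "registering an authenticator app and verifying the second factor" means in practice: the shared Base32 secret is enrolled in the app, and the server recomputes the time-based code and accepts it only within a small drift window. It assumes Keycloak's default OTP policy (TOTP, HMAC-SHA1, 6 digits, 30-second period, look-around window of 1) and uses the RFC 6238 reference secret as constructed test input.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Assumed Keycloak default OTP policy values: TOTP, SHA-1, 6 digits,
# 30-second period, look-around window of 1 step.
DIGITS = 6
PERIOD = 30
LOOK_AROUND = 1


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of periods since the Unix epoch."""
    return hotp(secret, at_time // period)


def verify_totp(secret: bytes, code: str, at_time: Optional[int] = None,
                look_around: int = LOOK_AROUND) -> bool:
    """Server-side check of a user-supplied code.

    Accepts the code for the current step and +/- look_around steps to tolerate
    clock drift between the authenticator app and the server. The comparison is
    constant-time so timing does not leak how many digits matched.
    """
    now = int(time.time()) if at_time is None else at_time
    step = now // PERIOD
    for delta in range(-look_around, look_around + 1):
        if hmac.compare_digest(hotp(secret, step + delta), code):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Decode the Base32 secret that the authenticator app receives at enrollment (QR code / otpauth URI)."""
    padded = encoded.upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


# Constructed test input: the ASCII secret used by the RFC 4226/6238 reference vectors.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                                   # 287082
    print(verify_totp(RFC_SECRET, "287082", at_time=59))          # True
    print(verify_totp(RFC_SECRET, "287082", at_time=59 + 30))     # True: one step of drift
    print(verify_totp(RFC_SECRET, "287082", at_time=59 + 60))     # False: outside the window
```

A real deployment also records the last accepted counter per user so that a code observed once cannot be replayed within the window; Keycloak handles that bookkeeping for you.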
