Seamlessly into the future: introduction of the open source solution Keycloak as an identity provider for the customer portal
More independence and broader technological possibilities: With this objective in mind, ewb commissioned us to replace the proprietary identity provider (IdP) previously used for the customer portal with the open source solution “Keycloak”. The IdP contains several thousand customer logins and should also support social logins from Google and SwissID in the future.
THE CHALLENGES
The requirements for the new identity provider were both functional and design-related: 2-factor authentication via SMS was to be introduced, Google and SwissID were to be offered as social logins and the user interface was to be adapted to the ewb design.
In addition to setting up the new Keycloak instance, all existing user accounts of the ewb customer portal had to be migrated. Authentication and authorization had to be integrated into the ewb customer portal “p360” using Keycloak.
OUR APPROACH
In order to ensure rapid and practical progress, we opted for a sustainable solution: As part of an MVP approach, we first created a stable foundation with the most important functions for the end customer and then successively expanded these further. This was reflected in an agile procurement model: the starting point was a framework agreement with individual procurement on a sprint basis.
Our approach was consistently based on the aforementioned core tasks:
- CI/CD: In order to integrate Keycloak into the CI/CD environment based on GitLab and Kubernetes, we relied on a fully automated deployment. A particular focus was on the implementation of all Keycloak configurations. To do this, we used a configuration-as-code solution based on shell scripts, which deploys the complete configuration via the Keycloak Admin CLI. This eliminates the need for manual intervention via the Keycloak Admin interface, as all configurations are mapped in the code.
- User Migration: To ensure the seamless transfer of existing user accounts, we developed a Python script that imports the several thousand existing user accounts into Keycloak. A particular challenge was to harmonize the different password hashing algorithms. To this end, we designed and implemented a Keycloak extension in Java, which makes it possible to verify the password with the old hash algorithm when a migrated user logs in for the first time. The password is then hashed and saved using the standard Keycloak procedure.
- 2-Factor Authentication: To improve account security, 2-factor authentication (2-FA) via SMS code was to be mandatory. As this is not part of standard Keycloak, we developed a customer-specific Java extension that provides the functionality for 2-FA.
- EWB Theme: In order to adapt the user interface of the login and registration mask as well as the account console to the ewb design, we implemented a theme individually designed for ewb based on Angular and Web Components.
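The verify-then-rehash flow behind the user migration, as an added Python illustration (it is neither the project's migration script nor its Java extension): the page does not name the legacy algorithm, so a salted SHA-1 stands in for it, and PBKDF2-SHA256 with 27,500 iterations stands in for Keycloak's standard password hashing; both are assumptions, as are all names below.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed parameters (assumptions): the legacy scheme is a salted SHA-1,
# the target scheme is PBKDF2-SHA256; neither is taken from the page.
LEGACY_ALG = "legacy-sha1"
TARGET_ALG = "pbkdf2-sha256"
TARGET_ITERATIONS = 27_500


@dataclass
class Credential:
    algorithm: str   # tells the verifier which scheme produced `value`
    salt: bytes
    iterations: int
    value: bytes


def legacy_hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha1(salt + password.encode()).digest()


def target_hash(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(password: str, cred: Credential) -> bool:
    """Dispatch on the stored algorithm id, the way a custom hash provider does."""
    if cred.algorithm == LEGACY_ALG:
        candidate = legacy_hash(password, cred.salt)
    elif cred.algorithm == TARGET_ALG:
        candidate = target_hash(password, cred.salt, cred.iterations)
    else:
        return False  # unknown algorithm id: fail closed
    return hmac.compare_digest(candidate, cred.value)  # constant-time compare


def import_legacy_user(store: dict, username: str, salt: bytes, digest: bytes) -> None:
    """Migration step: carry the old hash over unchanged, tagged with its algorithm."""
    store[username] = Credential(LEGACY_ALG, salt, 1, digest)


def login(store: dict, username: str, password: str) -> bool:
    """Verify with whatever scheme the record carries; on success a legacy
    credential is replaced by a fresh target-scheme hash with a new salt."""
    cred = store.get(username)
    if cred is None or not verify(password, cred):
        return False  # wrong password or unknown user: record stays untouched
    if cred.algorithm != TARGET_ALG:
        salt = os.urandom(16)
        store[username] = Credential(TARGET_ALG, salt, TARGET_ITERATIONS,
                                     target_hash(password, salt, TARGET_ITERATIONS))
    return True
```

The legacy digest is only ever compared, never converted, since the plaintext is needed to produce the new hash; that is why the upgrade can happen only at the user's first successful login.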
THE RESULT
Visually coherent and functionally flawless: the project was successfully completed with the migration of the productive users; the new Keycloak IdP went into productive operation.
ABOUT EWB
Energie Wasser Bern is an independent, public-law company of the City of Bern and one of the five largest municipal energy supply companies in Switzerland with around 680 employees.
Its customers include around 70,000 households, 8,000 small and medium-sized enterprises and 100 major customers. The company ensures the supply of electricity, district heating, natural gas, biogas and water to the city of Bern and the surrounding municipalities, recycles waste into energy and offers services in the field of electromobility and self-consumption solutions.
“By introducing Keycloak, we are increasing the security of our customer data and at the same time offering a modern and optimized customer experience as well as reducing the burden on customer service.”
Stefan Zumbach, Head of IT Integration ewb