Community Blog Set up an Identity and Access Management (IAM) System on Alibaba Cloud

Set up an Identity and Access Management (IAM) System on Alibaba Cloud

This article explains how to set up an IAM system for your application to integrate with on Alibaba Cloud.

By Jonah Wang, Alibaba Cloud Solutions Architect


Identity and access management (IAM) is a framework of policies and technologies to ensure the correct people have the appropriate access to the IT resources and job roles in the organization, including hardware and applications. IAM typically contains authorization and authentication features and capabilities, such as:

  • Single Sign-On (SSO) gives users the ability to sign on once using a single set of credentials to gain access to multiple services and resources.
  • Multi-Factor Authentication (MFA) gains a greater level of assurance of a user’s identity by requiring the user to provide two or more factors as proof of identity.

When an organization has multiple web and mobile apps deployed on the cloud, it becomes necessary to leave the authentication, authorization, and user management processes to a centralized IAM system for better consistency, maintainability, and security.

This article explains how to set up an IAM system for your application to integrate with on Alibaba Cloud. We will use Keycloak as the IAM solution to walk you through the steps to deploy a simple IAM system on Alibaba Cloud.

What Is Keycloak?

Keycloak is an open-source Identity and Access Management solution for modern Applications and Services. Keycloak provides a customizable user interface and supports use cases, such as Single Sign-On (SSO), user registration, and user federation. It supports multiple protocols, such as SAML 2.0, OAuth 2.0, and OpenID Connect. It can also store user credentials locally or via an LDAP or AD. You can also set up Keycloak to delegate authentication to third-party identity providers. The features of Keycloak include:

  • Single-Sign On and Single-Sign Out for browser applications
  • OpenID Connect support
  • OAuth 2.0 support
  • SAML support
  • Identity Brokering: Authenticate with external OpenID Connect or SAML Identity Providers
  • Social Login: Enable login with Google, GitHub, Facebook, Twitter, and other social networks
  • User Federation: Sync users from LDAP and Active Directory servers

Setting up Keycloak on Alibaba Cloud


You need an Alibaba Cloud ECS general-purpose instance with at least 8 GB memory and 2 vCPUs. The Keycloak server can run on any operating system that runs Java. We will use Ubuntu 20.04 in this example.

We will use a simpler network structure in this example to simplify the explanation and troubleshooting. We will assign public IP to the ECS instance and ensure port 22 and 8080 are open in the security group.

Ensure Java 8 or 11 are installed on the ECS instance

Install the Keycloak Server on Ubuntu 20.04

  • Go to the Keycloak Server downloads page to download the latest Keycloak server distribution, e.g. keycloak-16.1.1.tar.gz
  • Upload the Keycloak Server distribution file to the ECS instance and extract the file using the command below:
tar -xzvf keycloak-16.1.1.tar.gz
  • Go to the /bin directory of the extracted folder, and you will see a list of script files:


  • Create an admin user “admin” with password “password” using the command below:
./add-user-keycloak.sh -r master -u admin -p password
  • Start the Keycloak server using standalone mode:
./standalone.sh -b= &
  • Use a web browser to access http://<Public_IP>:8080/, where the “Public_IP” is the public IP address of the ECS instance. You should be able to see the Keycloak console page:


The Keycloak server console requires local access or SSL for security concerns by default. We will disable the SSL Mode here for demonstration purposes.

  • On the Keycloak Server, run the commands below to disable the SSL. The realm is “master,” the user is the “admin” user created in the previous steps, and the password is the “password” of the admin user:
./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
Logging into http://localhost:8080/auth as user admin of realm master
Enter password: *************

./kcadm.sh update realms/master -s sslRequired=NONE

Set Up

After setting up the Keycloak server on the ECS instance, we can proceed with the IAM setup:

  • On the Keycloak console page from the previous steps, click the “Administration Console” hyperlink:


  • Log in using the admin user and password you created in the previous steps. You will be redirected to the Keycloak admin console page:


Keycloak provides a list of comprehensive IAM processes. This article focuses on the basic processes: realm setup, client setup, and user setup.

Realm Set Up

A realm is a space where you manage objects, including users, applications, roles, and groups. When you boot Keycloak for the first time, Keycloak creates a pre-defined realm for you. This initial realm is the master realm. It is the highest level in the hierarchy of realms. We do not recommend using the master realm to manage the users and applications. The master realm is normally reserved for super admin purposes. If you want to create a new realm:

  • Mouse over the top left corner drop-down menu entitled Master. The last entry of this drop-down menu is always Add Realm. Click this to add a realm:


  • On the Add realm page, specify the realm name you want to define, and click Create:


  • Once the realm is created, you will be redirected to the realm settings page. Click the Login tab. We will turn off SSL mode for this realm for demonstration purposes.


Client Set Up

Clients are entities that can request Keycloak to authenticate a user. Most often, clients are applications and services that want to use Keycloak to secure themselves and provide a single sign-on solution. If you want to create a new client:

  • Make sure you are in the correct realm and click Clients on the left menu bar. A list of predefined clients is listed on the Clients table. Click Create on the right corner:


  • On the Add Client page, specify the client ID you want to define, choose openid-connect as Client Protocol (which will be tested in the client example later), and click Save:


  • Once the client is created, you will be redirected to the client settings page. In the Settings tab, turn off the Standard Flow Enabled property to simplify the demonstration flow:


User Set Up

Normally, enterprise applications can use RESTful API to add users and manage user authentication. We will use the Keycloak console to create the test user in this demonstration. If you want to create a new user:

  • Make sure you are in the correct realm and click Users on the left menu bar. Click Add user on the right corner:


  • On the Add user page, specify the username of the user to be created, make sure the User Enabled button is on, and click Save:


  • Once the client is created, you will be redirected to the user settings page. On the Credentials tab, type the user password, and turn off Temporary property, so the user does not need to change passwords on the next login. Then, click Set Password to save the password:



The testing data is set up, and we can test the IAM process on the console:

  • Click Users on the left menu bar. On the Users panel, click View all users. The users created will be listed on the Users table:


  • Click Impersonate on the user entry created, and you will be redirected to the Account Management page of the user account to be tested. You can click Sign Out and Sign In to authenticate the username and password created in the previous steps:


Client Example

We will test integrating with Keycloak IAM interfaces from the application client. The sample code below is written in Python using python-keycloak library. It can be installed from this link.

The same code is provided below. The shall be replaced with the public IP address of the ECS instance, and the value of client_id, realm_name, username, and password are based on the value setup from the previous steps. After running the code, you can authenticate the user through the Keycloak IAM interface using OpenID protocol and use the token returned for access control.

from keycloak import KeycloakOpenID

# Configure client
keycloak_openid = KeycloakOpenID(server_url="http://<Public_IP>:8080/auth/",
# Get Token
token = keycloak_openid.token("testuser", "password")

user = keycloak_openid.userinfo(token['access_token'])

What’s Next?

This use case in this demonstration skipped the comprehensive authentication flows supported by Keycloak. Please click this link for more details about using Keycloak to manage and configure authentication

Instead of the standalone mode executed in this demonstration, we recommend running the Keycloak server in a cluster with higher system availability and fault tolerance. You can find more details at this link.

Keycloak comes with its own embedded Java-based relational database called H2 in the default setup. We recommend connecting Keycloak to a more reliable and scalable cloud-native database during production implementation, such as Alibaba Cloud ApsaraDB RDS for MySQL. Please refer to this link to connect to the external relational database.

0 1 0
Share on

Alibaba Cloud Community

815 posts | 182 followers

You may also like