FIPS compliance with keycloak?

[notwithoutcid]

Keycloak is not FIPS compliant.
Enforcing FIPS compliance is a CAT I STIG.

I'm very curious as to how .mil organizations are getting around this?

[csmig]

Just to clarify, Keycloak is not a pre-requisite for STIG Manager, just a convenient open source choice. STIG Manager integrates with any standards-compliant OIDC Provider that issues JWT. Some non-open-source examples are Azure AD, Okta, Auth0, and Red Hat SSO (which provides Keycloak with FIPS).

For Keycloak, perhaps this page might be helpful?
https://www.keycloak.org/server/fips

[notwithoutcid]

Thank you for your response,
I wasn't able to successfully get keycloak to run in fips mode on my first several goes, despite that documentation.
I'll give it one more fresh attempt and/or look into those other options.

FYI, my first choice was to use RH-SSO, but unfortunately it doesn't support FIPS, which makes sense as it's a fairly new feature to the upstream.
"At this time RH-SSO is not FIPS 140-2 and FIPS 140-3 compliant."
(May 23 2023, [https://access.redhat.com/solutions/6950671])

[csmig]

Sorry, I didn't realize RH-SSO wasn't able to provide FIPS 140 support, so thanks for alerting us. FIPS 140-2/3 is certainly an important topic for anyone deploying in the Federal sector.

The STIGMAN project devs probably can't provide as much guidance on Keycloak as the Ops teams that deploy that tool. The Air Force Platform One products (https://software.af.mil/dsop/services/) use Keycloak for Identity Management, so perhaps the team over there might have useful insights. Please keep us informed of what you learn, thanks.

[cd-rite]

Hi @notwithoutcid Please let us know if you make any progress! A sticking point for me testing is that fips is not supported on Windows WSL2 yet.

All solutions I've found require that the host system has FIPS enabled, and then (I believe) keycloak will "inherit" that mode (but will still need the required bouncyCastle libraries, etc). Were you testing on a system with fips?

A few resources you might find helpful-
Sample build of a fips-enabled keycloak image:
https://github.com/mposolda/keycloak-fips-image/blob/main/README.md

Repo1 image built with the bouncyCastle jar files. Could be used to build a fips keycloak image:
https://repo1.dso.mil/dsop/redhat/openjdk/openjdk11-fips-bc

The repo 1 keycloak image implements the keycloak-documented change for SAML with fips, but I'm not sure if it is actually works with fips as-is. Perhaps the change to their Dockerfile is just to make it easier if the image is used to build another image with the required bouncyCastle files:
https://repo1.dso.mil/dsop/opensource/keycloak/keycloak