Ensuring Secure and Controlled Access
The user experience that Keycloak provides is seamless and hassle-free. The login process is quick and intuitive, often requiring only a few clicks, whether using a password, biometric authentication, or an existing account. With features like single sign-on (SSO), users can access cBioPortal and other applications with just one set of credentials—eliminating the frustration of managing multiple logins and enabling users to concentrate on their tasks without unnecessary complexity. The experience is smooth—no confusing steps, no frustrating resets—just a fast, secure way to reach their destination.
Context
cBioPortal is a platform for visualizing and analyzing cancer genomic data, which is widely used in clinical and pharmaceutical research. Because the data generated in this research often contains personal health information, data protection is critical to meeting regulatory standards. Effective user management ensures that users can access sensitive data only when their role requires it, which limits the exposure of sensitive information and reduces the risk of accidental misuse or data leaks.
Keycloak provides centralized authentication, Single Sign-On (SSO), and fine-grained authorization control. This enables institutions to manage user access securely and efficiently, guaranteeing that only authorized personnel can interact with sensitive data, enhancing both compliance and data protection.
In the context of cBioPortal, Keycloak plays a critical role in managing user authentication and access control at a granular level. By integrating Keycloak with cBioPortal, administrators can enforce study-level access restrictions, ensuring that users can only access datasets or cancer studies they are authorized to view.

Streamline user management for cBioPortal
Keycloak provides two main user management approaches to suit different needs: i) admin users manually add users to a local database, and ii) integration with an existing identity management system.
Whereas the first option is suitable for smaller organizations without a centralized identity management system, the second option allows larger organizations to leverage their existing user directories, avoiding the overhead of maintaining two separate user management systems.
User management with a local Keycloak database
Administrators can create, edit, and assign roles to users directly within the Keycloak admin console, providing full control over the user lifecycle. This approach allows for quick setup and is often used in standalone deployments or during initial testing phases.
User management by integrating an external identity provider
Keycloak provides a wide range of Identity Provider integrations based on the SAML 2.0, OAuth 2.0, or OpenID Connect protocols. Furthermore, organizations with enterprise user directories can integrate their LDAP or Microsoft Active Directory.
SAML 2.0 Identity Providers
Keycloak can integrate with any SAML 2.0-compliant identity provider. This allows organizations that already have SAML 2.0-based Single Sign-On to reuse their existing authentication workflow in Keycloak. Popular SSO providers include:
OpenID Connect v1.0 Identity Providers
OpenID Connect is a protocol that provides authentication and authorization services similar to SAML. One of the major differences between SAML and OpenID Connect is that OpenID Connect issues JSON Web Tokens (JWTs) for authentication and authorization.
Enterprise Identity Providers (LDAP/Active Directory)
Keycloak enables organizations to integrate their existing LDAP or Active Directory infrastructure for user authentication and management. When a user attempts to authenticate, Keycloak first searches its local user database. If the user is not found locally, Keycloak then queries the configured LDAP/AD store. This significantly enhances an organization’s ability to centrally manage user authentication and access control.
Advanced features for administrators in Keycloak
Keycloak provides an admin UI and an admin API to manage realms, user access, and security configurations. The admin UI is an easy-to-navigate interface that requires no programming experience. The admin API is a set of REST endpoints suited to automating tasks, bulk operations, or integration with CI/CD pipelines.
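As an added example (not code from the article or from the Keycloak or cBioPortal projects), the script below bulk-creates users through the Keycloak Admin REST API in a way that is safe to re-run from a CI/CD job: a 409 Conflict for an existing user is counted as skipped rather than a failure. The base URL, realm name, client id and secret are placeholders, and the HTTP session is injected so the logic can be exercised offline.

```python
"""Bulk-create cBioPortal users via the Keycloak Admin REST API (illustrative)."""


def admin_token(session, base_url, client_id, client_secret):
    """Obtain an access token for a service-account client in the master realm."""
    resp = session.post(
        f"{base_url}/realms/master/protocol/openid-connect/token",
        data={"grant_type": "client_credentials",
              "client_id": client_id, "client_secret": client_secret},
    )
    resp.raise_for_status()
    return resp.json()["access_token"]


def user_payload(username, email, first, last):
    """User representation accepted by POST /admin/realms/{realm}/users.
    No local password is set: users sign in through the institution's
    identity provider, so no credential exists in Keycloak to leak."""
    return {"username": username, "email": email, "firstName": first,
            "lastName": last, "enabled": True, "emailVerified": False}


def create_users(session, base_url, realm, token, users):
    """Create each (username, email, first, last) tuple; idempotent on re-run."""
    headers = {"Authorization": f"Bearer {token}"}
    results = {"created": [], "skipped": [], "failed": []}
    for u in users:
        resp = session.post(f"{base_url}/admin/realms/{realm}/users",
                            json=user_payload(*u), headers=headers)
        if resp.status_code == 201:
            results["created"].append(u[0])
        elif resp.status_code == 409:          # user already exists
            results["skipped"].append(u[0])
        else:
            results["failed"].append((u[0], resp.status_code))
    return results


if __name__ == "__main__":
    import requests                             # real HTTP client, only when run directly
    BASE = "https://keycloak.example.org"       # placeholder
    with requests.Session() as s:
        tok = admin_token(s, BASE, "cbio-admin-cli", "<client-secret>")
        print(create_users(s, BASE, "cbioportal", tok,
                           [("jdoe", "jdoe@example.org", "Jane", "Doe")]))
```

The client used for the token request needs the realm-management `manage-users` role; granting it `realm-admin` is more than a provisioning job requires.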
Keycloak not only provides user authentication and authorization, but also supports extensive logging for tracking user logins and admin events. User event logs include successful logins, failed login attempts, and password changes. Admin event logs track activities such as granting roles, creating groups, or modifying permissions. Both user and admin event logs can be viewed in the Keycloak UI or written to external files. This gives administrators a complete overview of all related events, which can be used to audit platform activity.
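The audit use case above, as an added example that is not part of the article: a small parser for Keycloak user-event log lines that flags source addresses with repeated failed logins and lists password changes for review. The sample lines are constructed in the comma-separated key=value layout written by Keycloak's jboss-logging event listener; the realm, client, user ids and IP addresses are made up.

```python
"""Summarise Keycloak user-event log lines for an audit review (illustrative)."""
import re
from collections import Counter

# Constructed sample in the jboss-logging event listener layout.
SAMPLE_LOG = """\
type=LOGIN, realmId=cbioportal, clientId=cbioportal, userId=u-1, ipAddress=10.0.0.5, username=jdoe
type=LOGIN_ERROR, realmId=cbioportal, clientId=cbioportal, userId=null, ipAddress=198.51.100.7, error=user_not_found, username=admin
type=LOGIN_ERROR, realmId=cbioportal, clientId=cbioportal, userId=null, ipAddress=198.51.100.7, error=user_not_found, username=root
type=LOGIN_ERROR, realmId=cbioportal, clientId=cbioportal, userId=u-1, ipAddress=198.51.100.7, error=invalid_user_credentials, username=jdoe
type=LOGIN_ERROR, realmId=cbioportal, clientId=cbioportal, userId=u-1, ipAddress=10.0.0.5, error=invalid_user_credentials, username=jdoe
type=UPDATE_PASSWORD, realmId=cbioportal, clientId=account, userId=u-1, ipAddress=10.0.0.5
"""

# key=value pairs; a value is either a double-quoted string (may contain commas)
# or a run of characters up to the next comma.
PAIR = re.compile(r'(\w+)=("[^"]*"|[^,]*)')


def parse_event(line):
    """Turn one event line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in PAIR.findall(line)}


def login_failures_by_ip(log_text, threshold=3):
    """Return {ip: count} for addresses whose LOGIN_ERROR count reaches threshold.
    A burst of failures from one address, especially against several
    usernames, is the pattern an auditor wants surfaced first."""
    fails = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("type") == "LOGIN_ERROR":
            fails[ev.get("ipAddress", "?")] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}


def password_changes(log_text):
    """List (userId, ipAddress) for UPDATE_PASSWORD events so each change can
    be confirmed with the account owner."""
    return [(ev["userId"], ev["ipAddress"])
            for ev in map(parse_event, log_text.splitlines())
            if ev.get("type") == "UPDATE_PASSWORD"]


if __name__ == "__main__":
    print("suspicious sources:", login_failures_by_ip(SAMPLE_LOG))
    print("password changes:", password_changes(SAMPLE_LOG))
```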
User login experience and User Terms and Agreement
Keycloak gives you the flexibility to tailor your login screens, allowing for a branded and professional appearance that aligns with your organization’s visual identity. Instead of using the default login theme, you can customize it to display not only the cBioPortal logo but also your company logo, as well as helpful information like whether the server is for development or production.
In some cases, it’s essential to have users agree to your terms before they can access your application. A User Terms and Agreement form ensures legal compliance while also clarifying user responsibilities, minimizing the risk of misunderstandings. This can limit the legal obligations of the website owner, prevent misuse of the software, outline licensing terms, and specify the conditions under which the agreement may be terminated. Keycloak supports fully customizable login flows, including the addition of a terms and agreement step. This guarantees that only users who have accepted your terms can access the platform—providing both security and peace of mind.