Blog · March 7, 2026

Federated Credentials with Didit and Keycloak: A Powerful Duo

Learn how to integrate Didit's robust identity verification capabilities with Keycloak to create a secure, scalable, and compliant federated identity system.

By Didit

Seamless Integration: Keycloak offers a robust, open-source identity and access management solution that can be significantly enhanced by integrating external identity verification services like Didit.

Enhanced Security and Compliance: Combining Keycloak's IAM with Didit's advanced verification products, such as ID Verification and Passive & Active Liveness, strengthens security and helps meet regulatory compliance requirements like KYC and AML.

Streamlined User Experience: Federated credentials reduce friction for users by allowing them to reuse existing digital identities, while Didit ensures the underlying identity is legitimate and verified, creating a trusted environment.

Didit's Modular Advantage: Didit's AI-native, modular architecture and Free Core KYC offer unparalleled flexibility and cost-effectiveness for integrating diverse identity verification checks into any Keycloak-based federated system.

The Power of Federated Credentials

In today's digital landscape, users expect seamless access to services without the burden of creating new accounts for every platform. Federated credentials address this by allowing users to authenticate once with a trusted Identity Provider (IdP) and gain access to multiple Service Providers (SPs). This not only improves user experience but also centralizes identity management, reducing the attack surface and simplifying compliance. Keycloak, as a leading open-source Identity and Access Management (IAM) solution, excels at facilitating this federation, supporting protocols like OpenID Connect and SAML.

However, the strength of federated credentials hinges on the trustworthiness of the underlying identity. How do you ensure that the identity asserted by an IdP is genuinely tied to a real, legitimate person? This is where a robust identity verification platform becomes indispensable. Integrating a solution like Didit with Keycloak allows organizations to verify the authenticity of identities at critical junctures, such as initial registration or high-risk transactions, ensuring that even federated users are thoroughly vetted.

Why Integrate Didit with Keycloak?

Keycloak provides a solid foundation for IAM, but it doesn't inherently perform deep identity verification or fraud prevention. Didit fills this gap by offering a comprehensive suite of AI-native identity verification products that can be seamlessly integrated into Keycloak workflows. This integration creates a formidable defense against identity fraud and enhances compliance posture.

Consider a scenario where a user registers via a social login (federated identity) through Keycloak. While Keycloak handles the authentication with the social IdP, Didit can step in to perform ID Verification, checking the user's government-issued document, and even running Passive & Active Liveness checks to confirm the user is a real, present person and not a deepfake or spoofing attempt. This multi-layered approach ensures that the federated identity is not just authenticated but also verified.

Furthermore, for industries requiring stringent regulatory adherence, Didit's AML Screening & Monitoring can be triggered post-federation to ensure the user isn't on any watchlists. This combined power allows businesses to leverage the convenience of federated identities while maintaining the highest standards of security and compliance.

Practical Integration Scenarios

Integrating Didit with Keycloak can be achieved in several ways, depending on your specific use case and workflow. A common approach involves using Keycloak's event listeners or custom user flows to trigger Didit's verification services.

1. Post-Registration Verification

After a user successfully authenticates via a federated IdP through Keycloak, you can configure Keycloak to redirect the user to a Didit-powered verification flow. This could involve:

  • Document Verification: The user uploads their ID document, which Didit's ID Verification (OCR, MRZ, barcodes) processes to extract data and check for authenticity.
  • Liveness Detection: Didit's Passive & Active Liveness ensures the user is live and present, preventing presentation attacks.
  • Face Matching: A 1:1 Face Match can compare the user's selfie with the photo on their ID document.

Once Didit completes the verification, the results can be sent back to Keycloak via webhooks or API calls, updating the user's profile with a 'verified' status or triggering further actions.
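A webhook that flips a user to 'verified' is a trust boundary, so the receiver should authenticate the delivery before it touches Keycloak. The following is an added example, not code from Didit or Keycloak: the HMAC-SHA256 signing scheme, the payload fields (`user_id`, `session_id`, `status`, `timestamp`) and the attribute names `idv_status` and `idv_session` are assumptions for illustration; the user path is the Keycloak Admin REST API users endpoint.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW = 300            # seconds; older deliveries are treated as replays
_seen_deliveries = set()  # in-memory for the example; use a shared store in production

def verify_webhook(secret, raw_body, signature_hex, now=None):
    """Return the parsed payload only if the HMAC, age and replay checks pass."""
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), signature_hex.encode()):
        raise ValueError("bad signature")
    payload = json.loads(raw_body)  # parse only after the body is authenticated
    now = time.time() if now is None else now
    if abs(now - payload["timestamp"]) > MAX_SKEW:
        raise ValueError("stale delivery")
    key = (payload["session_id"], payload["timestamp"])
    if key in _seen_deliveries:
        raise ValueError("replayed delivery")
    _seen_deliveries.add(key)
    return payload

def keycloak_user_update(realm, user, payload):
    """Build (path, body) for a PUT to the Keycloak Admin REST API."""
    if payload["user_id"] != user["id"]:
        raise ValueError("result is for a different user")
    attrs = dict(user.get("attributes", {}))  # merge: the PUT replaces the whole map
    status = "verified" if payload["status"] == "approved" else "unverified"
    attrs["idv_status"] = [status]            # hypothetical attribute names
    attrs["idv_session"] = [payload["session_id"]]
    return f"/admin/realms/{realm}/users/{user['id']}", {**user, "attributes": attrs}

# Constructed sample delivery and secret, for illustration only.
SECRET = b"constructed-shared-secret"
BODY = json.dumps({"user_id": "u-123", "session_id": "s-1",
                   "status": "approved", "timestamp": 1700000000}).encode()
SIGNATURE = hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()
```

The attribute that records the result should be writable only by administrators in the realm's user profile, so a user cannot set it through account self-service.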

2. Progressive Profiling and Step-Up Authentication

For applications requiring different levels of assurance, you can implement progressive profiling. Initial federated authentication provides basic access, and higher-risk actions (e.g., large financial transactions, accessing sensitive data) trigger a step-up verification process using Didit. Keycloak's authentication flows can be configured to prompt for additional verification, such as a new NFC Verification of an ePassport for the highest level of assurance, before granting access to sensitive resources.
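On the application side, step-up comes down to comparing the token's assurance level and age with what the action requires, and sending the user back to Keycloak when it falls short. The following is an added example, not code from Didit or Keycloak: the ACR names, the per-action policy and the `idv_status` claim (assumed to be mapped from a user attribute) are hypothetical, the token is assumed to be already signature-validated, and `acr_values` and `max_age` are standard OpenID Connect request parameters.

```python
import time
from urllib.parse import urlencode

# Hypothetical realm settings: ACR-to-level mapping and per-action policy.
ACR_LEVELS = {"basic": 1, "idv": 2}
POLICY = {
    "view_balance": {"acr": "basic", "max_age": 3600, "needs_idv": False},
    "wire_transfer": {"acr": "idv", "max_age": 300, "needs_idv": True},
}

def authorize(action, claims, now=None):
    """Return ("allow", None) or ("step_up", params) for validated token claims."""
    rule = POLICY[action]
    now = time.time() if now is None else now
    level = ACR_LEVELS.get(claims.get("acr"), 0)  # missing or unknown acr fails closed
    fresh = now - claims.get("auth_time", 0) <= rule["max_age"]
    verified = not rule["needs_idv"] or claims.get("idv_status") == "verified"
    if level >= ACR_LEVELS[rule["acr"]] and fresh and verified:
        return "allow", None
    # Ask Keycloak for the required level and a recent authentication.
    return "step_up", {"acr_values": rule["acr"], "max_age": rule["max_age"]}

def step_up_url(base, realm, client_id, redirect_uri, params):
    """Build the authorization request that triggers the higher-assurance flow."""
    query = {"client_id": client_id, "response_type": "code", "scope": "openid",
             "redirect_uri": redirect_uri, **params}
    return f"{base}/realms/{realm}/protocol/openid-connect/auth?{urlencode(query)}"
```

The freshness check matters as much as the level: without it, a session that passed verification hours ago would still satisfy a high-risk action.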

3. Continuous Monitoring and Compliance

Didit's AML Screening & Monitoring can be integrated to continuously check user identities against sanctions lists and PEP databases. This is crucial for ongoing compliance, especially for financial services. Keycloak can periodically trigger these checks or react to webhook notifications from Didit if a user's status changes.

Data Retention and Privacy in a Federated System

When dealing with sensitive identity data, especially in a federated context, data retention and privacy are paramount. Didit acts as a data processor, with you remaining the data controller. Didit is designed to support GDPR and other local data-protection regimes, offering configurable data retention policies. You can set retention windows from 1 month to 10 years, or even manually delete individual sessions from the Business Console. This granular control ensures that your federated identity solution remains compliant with evolving privacy regulations, irrespective of where your users authenticate from.

How Didit Helps

Didit is the AI-native, developer-first identity platform that perfectly complements Keycloak's robust IAM capabilities. With an open, modular architecture, Didit allows you to plug-and-play identity checks precisely where you need them in your Keycloak-orchestrated workflows. Didit’s Free Core KYC means you can get started without upfront costs, verifying identities efficiently and effectively.

Our comprehensive suite includes ID Verification (OCR, MRZ, barcodes), Passive & Active Liveness for fraud prevention, 1:1 Face Match & Face Search for biometric authentication, and AML Screening & Monitoring for compliance. For age-restricted services, our privacy-preserving Age Estimation is invaluable. Every product is designed to integrate seamlessly via clean APIs, making it easy for developers to build sophisticated identity verification into Keycloak's flows.

Didit's AI-native approach ensures high accuracy and continuous improvement in fraud detection. By leveraging Didit, you can automate trust, orchestrate risk, and gain structured identity data, transforming your Keycloak-powered federated identity system into an unassailable fortress of security and convenience.

Ready to Get Started?

Ready to see Didit in action? Get a free demo today.

Start verifying identities for free with Didit's free tier.
