Sciensano is a federal research institute and the national public health institute of Belgium. Its more than 700 employees work every day toward its motto: “Healthy all life long”.
Sciensano builds on more than 100 years of scientific expertise inherited from the former Veterinary and Agrochemical Research Centre (CODA-CERVA) and the former Scientific Institute of Public Health (WIV-ISP).
The challenge
Sciensano needed a modern, customizable, open-source Access Management (AM) solution. It runs several applications that must be accessible to the same group of people, and wanted one efficient solution that makes that access both more secure and more user-friendly.
The AM solution had to integrate with the Sciensano Active Directory (for internal users) and with the external identity provider eHealth, through which external users such as doctors and other medical staff authenticate to Sciensano’s applications in a secure way.
Sciensano’s access manager needed to act as both Policy Decision Point (PDP), deciding whether a user may use an application, and Policy Enforcement Point (PEP), refusing the login when that decision is negative, so that access to applications can be restricted on a group basis. Enforcement at the access manager covers the login itself; each application still validates the tokens or assertions it receives (issuer, audience, signature) rather than trusting any request that reaches it.
Last but not least, a high-availability deployment was required: with sensitive data involved, downtime is not acceptable.
The approach
The Technology
After an in-depth analysis of the requirements for Sciensano’s access manager, Keycloak was chosen for this project. This open-source solution is complete, powerful and actively maintained, with up-to-date security and performance features.
Another big advantage of Keycloak is its scalability: it can manage a very large number of accounts and be adapted to different needs.
High availability and data consistency
To keep the platform available, the access manager runs on several independent servers in a cluster. If one server fails, the others take over automatically, so the applications stay reachable at all times.
To guarantee data consistency, state is replicated synchronously between the servers, which keeps data loss to a minimum when a server fails or crashes.
As a result, the end user’s exposure to downtime or data loss is kept to a minimum, while the responsible parties are notified of any outage or server problem.
Active Directory & Federation with Ehealth Identity Provider
The Sciensano Active Directory was configured as a user storage provider in Keycloak. Next to the Active Directory, a federation with the eHealth identity provider was set up as well, using a concept called ‘Identity Brokering’. An identity broker is an intermediary service that connects several service providers to different identity providers. The broker establishes a trust relationship with the external identity provider so that identities authenticated there can be used to access the internal services exposed by the service providers. Because Keycloak then acts on whatever eHealth asserts, that trust rests on validating the signatures of the eHealth responses and on carefully mapping eHealth attributes onto Keycloak groups and roles.
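The two integrations above expressed in code, as an added example that is not part of the original case study or of the delivered solution: it uses the Keycloak Admin REST client (keycloak-admin-client) to register the Active Directory as a read-only LDAP user storage provider and eHealth as a brokered identity provider. The realm name, hostnames, DNs, environment variables and the choice of SAML 2.0 for eHealth are assumptions; the page does not say which protocol eHealth was federated over. The settings worth attention are flagged in the comments: LDAPS with certificate verification, a read-only AD, signature validation on the broker, and not trusting the broker’s e-mail claim for account linking.

```java
// SciensanoFederationSetup.java (added example; not the case study's own code)
import java.util.HashMap;
import java.util.Map;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.representations.idm.ComponentRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;

import jakarta.ws.rs.core.Response; // javax.ws.rs on Keycloak versions before 22

public class SciensanoFederationSetup {
    static final String REALM = "sciensano"; // assumed realm name

    public static void main(String[] args) {
        Keycloak kc = KeycloakBuilder.builder()
                .serverUrl("https://sso.sciensano.example") // assumed hostname
                .realm("master")
                .clientId("admin-cli")
                .username(System.getenv("KC_ADMIN_USER"))
                .password(System.getenv("KC_ADMIN_PASSWORD"))
                .build();
        RealmResource realm = kc.realm(REALM);
        String realmId = realm.toRepresentation().getId();

        try (Response r = realm.components().add(activeDirectoryStorage(realmId))) { expectCreated(r, "AD federation"); }
        try (Response r = realm.identityProviders().create(ehealthBroker())) { expectCreated(r, "eHealth broker"); }
    }

    /** Active Directory as a read-only LDAP user storage provider. */
    static ComponentRepresentation activeDirectoryStorage(String realmId) {
        ComponentRepresentation c = new ComponentRepresentation();
        c.setName("sciensano-ad");
        c.setProviderId("ldap");
        c.setProviderType("org.keycloak.storage.UserStorageProvider");
        c.setParentId(realmId);
        MultivaluedHashMap<String, String> cfg = new MultivaluedHashMap<>();
        cfg.putSingle("enabled", "true");
        cfg.putSingle("vendor", "ad");
        cfg.putSingle("connectionUrl", "ldaps://ad.sciensano.example:636"); // LDAPS only: the bind password travels on this link
        cfg.putSingle("useTruststoreSpi", "always");                        // verify the AD server certificate
        cfg.putSingle("authType", "simple");
        cfg.putSingle("bindDn", "CN=svc-keycloak,OU=Service Accounts,DC=sciensano,DC=example"); // assumed DN
        cfg.putSingle("bindCredential", System.getenv("AD_BIND_PASSWORD"));
        cfg.putSingle("usersDn", "OU=Users,DC=sciensano,DC=example");       // assumed DN
        cfg.putSingle("editMode", "READ_ONLY");                             // AD stays authoritative; Keycloak never writes back
        cfg.putSingle("usernameLDAPAttribute", "sAMAccountName");
        cfg.putSingle("rdnLDAPAttribute", "cn");
        cfg.putSingle("uuidLDAPAttribute", "objectGUID");
        cfg.putSingle("userObjectClasses", "person, organizationalPerson, user");
        cfg.putSingle("importEnabled", "true");
        c.setConfig(cfg);
        return c;
    }

    /** eHealth as a brokered SAML 2.0 identity provider (protocol choice is an assumption). */
    static IdentityProviderRepresentation ehealthBroker() {
        IdentityProviderRepresentation idp = new IdentityProviderRepresentation();
        idp.setAlias("ehealth");
        idp.setDisplayName("eHealth");
        idp.setProviderId("saml");
        idp.setEnabled(true);
        idp.setTrustEmail(false); // never auto-link accounts on an e-mail claim the broker did not verify
        idp.setStoreToken(false);
        Map<String, String> cfg = new HashMap<>();
        cfg.put("entityId", "https://sso.sciensano.example/realms/" + REALM);
        cfg.put("singleSignOnServiceUrl", "https://idp.ehealth.example/saml/sso"); // assumed endpoint
        cfg.put("nameIDPolicyFormat", "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
        cfg.put("principalType", "SUBJECT");
        cfg.put("validateSignature", "true");      // reject unsigned or tampered responses
        cfg.put("signingCertificate", System.getenv("EHEALTH_SIGNING_CERT_PEM"));
        cfg.put("wantAssertionsSigned", "true");
        cfg.put("wantAuthnRequestsSigned", "true");
        cfg.put("postBindingResponse", "true");
        cfg.put("syncMode", "FORCE");              // re-apply eHealth attributes (groups) on every login
        idp.setConfig(cfg);
        return idp;
    }

    static void expectCreated(Response r, String what) {
        if (r.getStatus() != 201) {
            throw new IllegalStateException(what + " not created: HTTP " + r.getStatus());
        }
    }
}
```

An identity-provider mapper (for example Keycloak’s SAML attribute-to-role mapper) then turns the eHealth attributes into the Keycloak roles or groups that the group-based access policy described under the custom extension relies on; with syncMode FORCE those mappings are refreshed on every login, so a revoked eHealth group membership takes effect at the next authentication.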
Custom Keycloak extension (PDP and PEP)
A custom Keycloak extension was written and deployed to grant or deny access to applications from within Keycloak, based on the groups of the authenticated user. These groups are defined in the Sciensano Active Directory or in the external identity provider eHealth.
Each group grants specific roles to a user, and whether or not a user holds a given role decides whether he or she may access the requested application.
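A worked example of such an extension, added here and not Sciensano’s or the vendor’s actual code: a Keycloak Authenticator SPI implementation that plays the PDP and PEP roles inside the login flow. Each application is a Keycloak client with a client role (say `access`) that the AD and eHealth groups are mapped onto, and the client names that role in a client attribute. The attribute name `required-role`, the provider id and the Keycloak version (Quarkus-based, `jakarta` imports) are assumptions.

```java
// ClientAccessRoleAuthenticatorFactory.java (added example; not the delivered extension)
import java.util.Collections;
import java.util.List;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.services.messages.Messages;

import jakarta.ws.rs.core.Response; // javax.ws.rs on Keycloak versions before 22

/** Decision point (PDP): may this user enter this client? */
class ClientAccessRoleAuthenticator implements Authenticator {
    static final String REQUIRED_ROLE_ATTR = "required-role"; // assumed client attribute, holds e.g. "access"

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        ClientModel client = context.getAuthenticationSession().getClient();
        if (user == null) { // misplaced in the flow: no user has been identified yet
            context.failure(AuthenticationFlowError.UNKNOWN_USER);
            return;
        }
        String roleName = client.getAttribute(REQUIRED_ROLE_ATTR);
        RoleModel required = roleName == null ? null : client.getRole(roleName);
        // Fail closed: a client that declares no (or an unknown) required role admits nobody.
        // hasRole() resolves group role mappings and composite roles, so AD or eHealth
        // group membership mapped onto the client role is sufficient.
        if (required == null || !user.hasRole(required)) {
            deny(context, user, client, roleName);
            return;
        }
        context.success();
    }

    /** Enforcement point (PEP): stop the flow with a 403 page and an audit event. */
    private void deny(AuthenticationFlowContext context, UserModel user, ClientModel client, String roleName) {
        context.getEvent().user(user).client(client)
                .detail("required_role", String.valueOf(roleName))
                .error(Errors.NOT_ALLOWED);
        Response page = context.form()
                .setError(Messages.ACCESS_DENIED)
                .createErrorPage(Response.Status.FORBIDDEN);
        context.failure(AuthenticationFlowError.ACCESS_DENIED, page);
    }

    @Override public void action(AuthenticationFlowContext context) { /* no user interaction */ }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}

/** Registered through META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
public class ClientAccessRoleAuthenticatorFactory implements AuthenticatorFactory {
    public static final String PROVIDER_ID = "client-access-role"; // assumed provider id
    private static final Authenticator INSTANCE = new ClientAccessRoleAuthenticator();
    private static final AuthenticationExecutionModel.Requirement[] REQUIREMENTS =
            { AuthenticationExecutionModel.Requirement.REQUIRED };

    @Override public Authenticator create(KeycloakSession session) { return INSTANCE; }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Client required role"; }
    @Override public String getReferenceCategory() { return "authorization"; }
    @Override public String getHelpText() {
        return "Denies login unless the user holds the client role named in the client attribute '"
                + ClientAccessRoleAuthenticator.REQUIRED_ROLE_ATTR + "'.";
    }
    @Override public boolean isConfigurable() { return false; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return REQUIREMENTS; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}
```

Register the factory in META-INF/services/org.keycloak.authentication.AuthenticatorFactory, deploy the jar, and place the authenticator as a REQUIRED execution after the step that identifies the user. In the browser flow a common way to do that is to wrap the cookie, forms and identity-provider alternatives in a REQUIRED sub-flow and add this step after it; set the same step in the eHealth identity provider’s post-login flow so that brokered users are checked too. The decision is taken once per login to a client, not per request, so the application still validates the token it receives. Recent Keycloak releases also ship a built-in “Deny Access” authenticator with a “Condition - user role” that can express the same rule without custom code.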
Sciensano look and feel
On top of all that, we created a custom theme with the Sciensano look and feel for the Keycloak login pages. Sciensano’s logo, colour scheme and branding add familiarity and consistency, and give users a visible cue that they are on the genuine login page.
The result
Sciensano now runs a fully functioning, open-source access management solution based on Keycloak. Any new application can be added easily, as long as it supports SAML 2.0 or OpenID Connect 1.0.
The Keycloak solution was designed with future requirements and standards in mind, so new functionality can be added without hassle.