IS4U was selected by Sciensano to work out the analysis, architecture and implementation of a complete access management solution.

Sciensano is a federal research institute and the national public health institute of Belgium. Sciensano employs more than 700 people who commit themselves, every day, to achieve their motto: “Healthy all life long”.

Sciensano can count on the more than 100 years of scientific expertise of the former Veterinary and Agrochemical Research Centre (CODA-CERVA) and the ex-Scientific Institute of Public Health (WIV-ISP).

The challenge

Sciensano required a modern and customizable open-source solution for their Access Management challenge. They have multiple applications running which should be accessible for the same group of people. To provide a more secure and user-friendly experience they needed an efficient and effective Access Management (AM) solution.

This AM solution should integrate with the Sciensano Active Directory (for internal users) and with the external identity provider ‘eHealth’. The ‘eHealth’ authentication solution gives external users (like doctors and other medical staff) the opportunity to access Sciensano’s applications in a safe and secure way.

Sciensano’s access manager needed to function as both the Policy Decision Point (PDP) and the Policy Enforcement Point (PEP); in this way they will be able to restrict the access to applications on a group basis.

Last but not least, a high-availability deployment was required, as downtime is not acceptable for a platform that handles sensitive data.

The approach

The Technology

After completing an in-depth analysis of the requirements for Sciensano’s Access Manager, Keycloak was chosen for this project. This open-source solution is complete, powerful and continuously maintained, with state-of-the-art functionality concerning security and performance.

Another big advantage of the Keycloak solution is its scalability: it can manage a nearly limitless number of accounts and adapt to different needs.

High availability and data consistency

To ensure optimal availability of the platform, the design keeps the services up and running at all times. The Access Manager runs on multiple independent servers, allowing automatic failover when one of them fails, so that applications remain accessible.

To guarantee data consistency, data is continuously replicated between the servers in a synchronous manner, minimizing data loss when a server fails or crashes.

As a result of this deployment, the end-user’s risk of downtime or loss of data is kept to a minimum while allowing necessary parties to be informed about any downtime or server problems.

Active Directory & Federation with eHealth Identity Provider

The Sciensano Active Directory was configured as a user storage provider in Keycloak. Next to the Active Directory, a federation with the eHealth identity provider was set up as well. This uses a concept called ‘Identity Brokering’. An Identity Broker is an intermediary service that connects multiple service providers with different identity providers. As an intermediary service, the identity broker is responsible for creating a trust relationship with an external identity provider in order to use its identities to access internal services exposed by service providers.

Custom Keycloak extension (PDP and PEP)

A custom Keycloak extension was written and deployed to grant or restrict access to applications from within Keycloak, based on the groups of the authenticated user. These groups are defined in the Sciensano Active Directory or in the external identity provider ‘eHealth’.

Each group grants specific roles to a user; whether or not a user holds a given role determines whether they have access to the requested application.
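As an added illustration of the PDP/PEP extension described above (example code written for this article, not the extension IS4U built for Sciensano), the following Keycloak Authenticator denies a login when the authenticated user lacks the realm role that the requested client demands. It assumes Keycloak 22 or later (jakarta.ws.rs namespace), a hypothetical client attribute named required-role, and a hypothetical package name and provider id. Because Keycloak resolves roles granted through group membership, the same check covers users synced from Active Directory and users created by the eHealth identity broker.

```java
package be.example.keycloak.auth; // hypothetical package name

import java.util.List;

import jakarta.ws.rs.core.Response;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Added example (not IS4U's or Sciensano's code): a PDP/PEP step for the browser
 * login flow. It reads the client attribute "required-role" (hypothetical name)
 * and fails the login when the user does not hold that realm role.
 */
public class RequiredRoleAuthenticator implements Authenticator {

    /** Client attribute naming the realm role a user must hold (hypothetical). */
    static final String REQUIRED_ROLE_ATTRIBUTE = "required-role";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        ClientModel client = context.getAuthenticationSession().getClient();
        String requiredRole = client.getAttribute(REQUIRED_ROLE_ATTRIBUTE);

        if (requiredRole == null || requiredRole.isBlank()) {
            context.success(); // client carries no restriction: nothing to enforce here
            return;
        }

        UserModel user = context.getUser();
        if (user == null) {
            // This step must run after the password or identity-provider step identified the user.
            context.failure(AuthenticationFlowError.UNKNOWN_USER);
            return;
        }

        RoleModel role = context.getRealm().getRole(requiredRole);
        // hasRole() resolves composite roles and roles granted via group membership.
        if (role == null || !user.hasRole(role)) {
            Response denied = context.form()
                    .setError("You are not a member of a group authorised for this application.")
                    .createErrorPage(Response.Status.FORBIDDEN);
            context.failure(AuthenticationFlowError.ACCESS_DENIED, denied);
            return;
        }
        context.success();
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // No form is posted back to this step; nothing to do.
    }

    @Override
    public boolean requiresUser() {
        return true; // place the execution after the steps that identify the user
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }

    @Override
    public void close() { }

    /** Registered in META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory implements AuthenticatorFactory {
        public static final String ID = "required-role-authenticator"; // hypothetical provider id

        @Override public Authenticator create(KeycloakSession session) { return new RequiredRoleAuthenticator(); }
        @Override public String getId() { return ID; }
        @Override public String getDisplayType() { return "Required client role"; }
        @Override public String getReferenceCategory() { return "authorization"; }
        @Override public boolean isConfigurable() { return false; }
        @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
            return new AuthenticationExecutionModel.Requirement[] {
                AuthenticationExecutionModel.Requirement.REQUIRED,
                AuthenticationExecutionModel.Requirement.DISABLED };
        }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public String getHelpText() {
            return "Denies login unless the user holds the role named by the client's required-role attribute.";
        }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return List.of(); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

The factory is registered by listing `be.example.keycloak.auth.RequiredRoleAuthenticator$Factory` in the services file, after which the administrator adds the step as a REQUIRED execution at the end of a copy of the browser flow and binds that flow to the realm. Mapping an Active Directory group or a brokered eHealth attribute to the realm role, and setting the client attribute, is then all the per-application configuration needed; the decision (PDP) and its enforcement (PEP) both happen inside Keycloak before any token is issued.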

Sciensano look and feel

On top of all that we created a custom theme with the Sciensano look-and-feel for the Keycloak application. Sciensano’s logo, color schemes and branding add an extra level of familiarity, consistency and sense of security to the application.

The result

Sciensano is currently enjoying a fully functioning, open-source access management solution based on Keycloak. Furthermore, any new application can easily be added, as long as it supports SAML 2.0 or OpenID Connect 1.0.

The Keycloak solution was designed with future requirements and standards in mind, so that new functionality can be added without any hassle.
