Keycloak & zero trust

Zero trust

Zero Trust is a security model that requires strict identity verification for every user and device attempting to access a network or system, regardless of whether they are inside or outside the network perimeter. This approach assumes that there is no implicit trust granted to any user, device, or application, even if they are already inside the network. Zero Trust operates under the principle of “never trust, always verify,” meaning that every user and device must continuously prove their identity and meet strict security standards before they are granted access to any resources. This model helps to prevent unauthorized access, reduce the risk of data breaches, and increase overall security posture.

Zero Trust architecture provides several advantages over traditional network security models. Some of the benefits of Zero Trust include:

  • Better protection against data breaches: Zero Trust helps to prevent data breaches by limiting access to sensitive resources only to authorized users and devices that have undergone rigorous authentication and verification processes.

  • Enhanced visibility: Zero Trust architecture provides greater visibility into network activity, which can help to identify and mitigate potential threats and attacks more quickly.

  • Increased flexibility: Zero Trust allows for more flexible access controls, enabling users to access resources from anywhere, at any time, without compromising security.

  • Improved compliance: Zero Trust helps organizations to meet compliance requirements by enforcing strict access controls and security policies.

However, there are also some challenges and potential disadvantages associated with Zero Trust:

  • Complex implementation: Implementing a Zero Trust architecture can be complex and time-consuming, requiring significant changes to existing network infrastructure and security policies.

  • Higher costs: Zero Trust can be more expensive than traditional security models, particularly in terms of implementing the necessary technology and infrastructure.

  • User experience: The strict access controls and authentication processes can make it more difficult for users to access resources, potentially impacting productivity and user experience.

All components of our platform, including Heappe, utilize zero trust to ensure that only authorized users and devices can access sensitive data and systems.


Keycloak is an open-source identity and access management (IAM) solution that provides authentication and authorization services for web and mobile applications. It is developed by Red Hat and provides a range of features for managing user accounts, roles, permissions, and authentication mechanisms.

Keycloak supports a variety of authentication protocols, including OpenID Connect, OAuth 2.0, and SAML 2.0, and can be used as a standalone server or integrated with existing identity providers. It provides a flexible and extensible platform for managing user identities and access, with features such as multi-factor authentication, social login, and user federation.

With Keycloak, we can easily add user authentication and authorization to our applications, without having to implement these features from scratch. Keycloak provides a range of client libraries and SDKs for popular programming languages, making it easy to integrate with web and mobile applications.

Some of the key features of Keycloak include:

  • User authentication and authorization

  • Multi-factor authentication

  • Social login and identity brokering

  • User federation and synchronization

  • Role-based access control

  • Single sign-on (SSO)

  • Token-based authentication and authorization

  • Customizable login and registration pages

  • Password policies and credential management

  • OAuth 2.0 and OpenID Connect support


We support two types authentication. The first is a Lexis account, and the second is using an identity provider.

Lexis account

Lexis accounts require users to create and manage their own login credentials, such as usernames and passwords. Email address verification is required. In case of a forgotten password, we provide a self-reset password service.

Identity provider

An identity provider is a trusted third-party service that authenticates and verifies the identity of users. It enables users to use a single set of login credentials to access multiple applications and systems, eliminating the need for users to remember and manage multiple usernames and passwords. When a user tries to access a service, the identity provider verifies their identity and passes the necessary information to the service. This allows for a seamless and secure user experience and reduces the risk of weak passwords and forgotten login credentials.

The Lexis Platform is ready to integrate with additional identity providers. For further information, please contact us at

The Lexis Platform is currently connected to follow IdPs:


B2ACCESS is a service provided by the European Data Infrastructure (EUDAT) project, which is a collaborative data infrastructure initiative aimed at supporting European research communities. B2ACCESS is an identity and access management service that provides secure access to a wide range of research resources and services.

B2ACCESS offers a single sign-on solution for accessing various research services, which eliminates the need for users to maintain multiple accounts and passwords. The service provides user authentication and authorization based on the user’s identity attributes, such as name, email address, and organization.