
Client Policy integration within Keycloak

Integration of Client Policy within Keycloak for a Secure login

Customers nowadays place a premium on the ability to administer their insurance policies through digital platforms, mainly smartphone apps and websites. According to a report, 90% of life insurance policyholders choose to administer their plans across digital platforms.

Although many insurance providers recognize the value of providing a positive online consumer experience, not all have succeeded. Only about 15% of consumers are happy with the digital experience that insurance providers offer. Customers can stop using your services if you fail to meet their quality standards and expectations. Providing a mobile application would allow more of our users to take advantage of time-sensitive opportunities. As our client offers different apps to their users depending on the level of assurance required at login, it was not convenient to inform users which of the offered services they were eligible to use. The client was looking for a solution that would restrict users at login by combining multiple sets of conditions.

The Solution Overview

[Figure: client policy flow]

The Solution

As our client offers various apps depending on the level of assurance required at login, we designed a solution to restrict users based on multiple sets of conditions. Using the Keycloak platform, we built a feature called Client Policies, which allows the admin to define pre-conditions a user must meet before accessing the system. Because client policies are set at the client level, any user logging in through that client must satisfy all of its mandatory policies. A client-policy condition can be based on any user property, for example checking the user's age from their date of birth, or checking whether their phone number is verified.


Example 1: Optional policy parameter

An optional policy lets the user proceed without satisfying it: even if the condition below is not met, the user is moved ahead in the login process, but the policy's scope is not added to the access token. The scope is added to the access token only when the condition passes.

Restricting the user based on the Phone number verification:

A user attribute must be added in the agreed format (example: Phone Number Verified). When the user logs in through the client and authenticates successfully, the result is reported through the scope claim in the access token. Based on this, the relying application can decide whether to allow the user or restrict them.

[Figure: client policy configuration]

Example 2: Mandatory policy parameter

All conditions set for a mandatory policy must pass; otherwise the user is not allowed to log in. An access token is issued only if every mandatory policy passes, and the result is indicated via the scope parameter in the access token for further operations.

Condition:

  • Restricting the user based on phone number verification: a user attribute must be added in the agreed format (example: Phone Number Verified). When the user logs in through the client and authenticates successfully, the result is reported through the scope claim in the access token. Based on this, the relying application can decide whether to allow the user or restrict them.
  • Checking the user's age through their birthdate: when users must be restricted by age, the user attribute is saved as a date (example: 1992-02-20) and the expected value field is set to greater than 18. Users who do not satisfy this age criterion are restricted from that feature.

[Figure: mandatory client policy configuration]

We made sure that the conditions set in Keycloak are not static but can change with circumstances and over time. It was easy to connect to the environment, add a condition, and have the system adapt dynamically by accepting it, and multiple conditions can be set for a single policy. The policy type (optional or mandatory) was designed to support better decision making when defining a condition, to enhance the customer experience.

  • The policies are dynamic and can be easily created and controlled by the admin. These policies have no restriction in terms of conditions, and we did not experience any setbacks during the process.
  • A policy can have any number of conditions, and a client can have any number of policies.
  • The process is straightforward: with a single click, the client policies are changed dynamically and the changes take effect instantly. As a result, adding or deleting conditions causes no downtime.
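To make the two policy types concrete, here is an added, stand-alone Python model of the evaluation described in Examples 1 and 2 and in the bullets above (a mandatory policy that fails denies login; an optional policy that fails only withholds its scope; a policy may carry several conditions). It is not Keycloak code or the case study's implementation; the policy and condition shapes, the attribute names and the fixed evaluation date are assumptions.

```python
"""Illustrative client-policy evaluator (added example, not Keycloak code)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Condition:
    attribute: str   # user attribute name (assumed), e.g. "phoneNumberVerified"
    op: str          # "equals" or "age_at_least" (assumed operator names)
    expected: str    # expected value from the admin UI, e.g. "true" or "18"


@dataclass
class ClientPolicy:
    name: str
    scope: str       # scope claim added to the access token when all conditions pass
    mandatory: bool  # mandatory: failure denies login; optional: failure only drops the scope
    conditions: list = field(default_factory=list)


def age_on(birthdate: str, today: date) -> int:
    """Whole years between an ISO birthdate (e.g. 1992-02-20) and `today`."""
    b = date.fromisoformat(birthdate)
    return today.year - b.year - ((today.month, today.day) < (b.month, b.day))


def condition_passes(c: Condition, attrs: dict, today: date) -> bool:
    value = attrs.get(c.attribute)
    if value is None:            # a missing attribute never satisfies a condition
        return False
    if c.op == "equals":
        return str(value).lower() == c.expected.lower()
    if c.op == "age_at_least":
        return age_on(value, today) >= int(c.expected)
    raise ValueError(f"unknown operator {c.op!r}")


def evaluate(policies: list, attrs: dict, today: date):
    """Return (login_allowed, scopes_to_add). Evaluates every policy of the client."""
    scopes = []
    for p in policies:
        if all(condition_passes(c, attrs, today) for c in p.conditions):
            scopes.append(p.scope)
        elif p.mandatory:
            return False, []         # one failed mandatory policy blocks the token
    return True, scopes


# Constructed sample: the optional policy of Example 1 and the mandatory one of Example 2.
POLICIES = [
    ClientPolicy("phone-verified", "phone_verified", mandatory=False,
                 conditions=[Condition("phoneNumberVerified", "equals", "true")]),
    ClientPolicy("adult-only", "adult", mandatory=True,
                 conditions=[Condition("birthdate", "age_at_least", "18")]),
]
TODAY = date(2024, 6, 1)   # fixed evaluation date so results are reproducible
```

Calling `evaluate(POLICIES, {"phoneNumberVerified": "false", "birthdate": "1992-02-20"}, TODAY)` allows the login but returns only the `adult` scope, which is how the relying application learns the phone check did not pass.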

The Impact

The client was able to derive a multitude of benefits from our approach, all of which had a huge effect on their market performance. Our continuous service excellence has always aided us in our growth and retention levels, and as a result, we've found a reliable and resourceful partner in them.

Enhanced Customer Experience

Our client has placed a high value on outstanding customer service from the outset. Since user constraints play such an important role in consumer engagement, our approach made a significant contribution to achieving it. Our personalized and intuitive approach was well received by our clients, and the process went even more smoothly because the user constraints were implemented within the client ecosystem.