
Cryptomathic Signer and KeyCloak Integration: A Powerhouse for eIDAS-Compliant Remote Signing


To deliver trust services, managing users' identities and access is paramount. eID schemes and trust service providers all require IdP solutions for identity and access management, and it has traditionally been cumbersome to integrate an IdP with a QSCD in a way that allows the highest assurance level to be met. In a landmark move, Cryptomathic's eIDAS-certified Qualified Signature Creation Device (QSCD) solution, Signer 6, now seamlessly integrates with Keycloak, the leading open-source identity provider, offering advanced user federation, strong authentication, user management, fine-grained authorization, and more.

For the first time, this integration enables Cryptomathic or Keycloak customers to use the Cloud Signature Consortium API specification (CSC API) in conjunction with the OAuth2 framework and associated extensions to operate in full conformance with eIDAS requirements for sole control assurance level 2 (SCAL2) using Signature Activation Data (SAD).
Modernizing IAM for signing and sealing 

The integration of Signer with Keycloak represents a significant advancement, broadening the capabilities of identity and access management solutions with remote signing and sealing in compliance with eIDAS 2. The integration offers great flexibility and granularity, with unique benefits for end-customers: a better user experience through identity federation, one login for more purposes, and strong authentication reused for signature activation. Similarly, trust service providers and issuers of eIDAS-compliant EUDI wallets can opt for different onboarding flows, including identify-and-sign, or identify, store and sign for returning users.

Key Features of the Integration 
  • Cloud Signature Consortium API (CSC API): By adhering to the CSC API standards, Signer 6 ensures compatibility with a broad range of document management solutions. This standardization facilitates interoperability and simplifies the integration process for organizations.
  • OAuth2 Compliance: At the very heart of the integration are two modern OAuth2 extensions that ensure strict adherence to the eIDAS ETSI and CEN standards for end-to-end sole control. RFC 9396 (OAuth Rich Authorization Requests) provides a secure, standards-based mechanism by which the signer can express intent to sign based on the credentialID and the Data To Be Signed Representation (DTBSR), and when used in conjunction with RFC 9068, the resulting issued OAuth token in JSON Web Token (JWT) format fulfils the requirements of Signature Activation Data (SAD). Together, these two extensions to OAuth provide demonstrable compliance with the requirements of SCAL2.
  • Straightforward integration and operation: Integration between Keycloak and Signer is straightforward, and Cryptomathic provides full guidance and documentation to make it easy for existing Keycloak providers to extend their solutions with minimal effort. In addition, both solutions support containerization, which facilitates deployment and continuous integration/continuous deployment (CI/CD). This ensures that the integration can be seamlessly incorporated into modern development workflows.
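To make the SCAL2 mechanism above concrete, here is an added, self-contained illustration (not Cryptomathic's, Keycloak's or the CSC's code) of the two halves: the RFC 9396 `authorization_details` a signing application sends to the IdP, carrying the credentialID and the DTBSR, and the check a signing service performs on the RFC 9068 JWT it receives as SAD before activating the key. It assumes the CSC API v2 `credential` authorization-details layout (`credentialID`, `documentDigests`, `hashAlgorithmOID`) and uses a constructed HS256 shared key purely for the demo; a real IdP signs access tokens with an asymmetric key and the verifier would check `iss` and `aud` as well.

```python
import base64, hashlib, hmac, json, time

DEMO_KEY = b"demo-shared-secret"  # constructed demo key, not a real IdP key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def dtbsr(document: bytes) -> str:
    """Data To Be Signed Representation: SHA-256 digest of the document, base64url."""
    return b64url(hashlib.sha256(document).digest())

def rar_authorization_details(credential_id: str, digests: list) -> list:
    """RFC 9396 authorization_details for a CSC-style 'credential' request (assumed v2 field names)."""
    return [{
        "type": "credential",
        "credentialID": credential_id,
        "documentDigests": [{"hash": h} for h in digests],
        "hashAlgorithmOID": "2.16.840.1.101.3.4.2.1",  # id-sha256
    }]

def issue_sad(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an RFC 9068-style JWT access token (typ 'at+jwt'; HS256 only for the demo) carrying the RAR."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def sad_authorizes(token: str, credential_id: str, document: bytes,
                   key: bytes = DEMO_KEY, now: float = None) -> bool:
    """Signing-service check: the SAD must be authentic, unexpired, and bound to this credential and digest."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return False  # signature mismatch: token forged or tampered with
        hdr = json.loads(b64url_decode(h))
        if hdr.get("alg") != "HS256" or hdr.get("typ") != "at+jwt":
            return False  # reject unexpected algorithms and non-access-token JWTs
        claims = json.loads(b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return False
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False  # expired or missing exp: SAD is no longer valid
    want = dtbsr(document)
    for ad in claims.get("authorization_details", []):
        if ad.get("type") == "credential" and ad.get("credentialID") == credential_id:
            if any(d.get("hash") == want for d in ad.get("documentDigests", [])):
                return True  # intent to sign covers exactly this credential and this DTBSR
    return False
```

The key property is that a SAD issued for one document digest cannot be replayed to sign a different document or with a different credential, which is what binds the user's authenticated intent to the signature operation.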


Benefits for Keycloak Providers and EUDI Wallet Providers 
  • For Keycloak Providers: Existing Keycloak providers can now extend the scope of their solutions with remote signing and sealing functionality, fully compliant with the eIDAS 2 regulation requirements for SCAL2 using SAD. This enhancement allows providers to offer a more comprehensive and secure identity management solution to their clients.
  • For EUDI Wallet Providers: EUDI wallet providers seeking a flexible solution for enabling remote signature flows associated with the various use cases will find this integration particularly beneficial, since Signer complements the reference online and offline EUDI wallet identity mechanisms with a robust, standards-based intent-to-sign (signature authorization) mechanism.

Conclusion

Cryptomathic’s integration of Signer 6 with Keycloak marks a significant milestone in the evolution of digital identity management. By leveraging industry-leading standards and technologies, we are committed to providing our clients with secure, compliant, and user-friendly solutions. This implementation not only enhances the capabilities of existing Keycloak providers but also offers EUDI wallet providers a powerful solution for leveraging existing identity infrastructures to enable remote qualified electronic signatures.

Stay tuned and get in touch for more updates as we continue to innovate and enhance our offerings.