
Digital identities for your sovereign cloud with Keycloak

Digital identities are essential for digital sovereignty, as they allow access to applications and data. Whoever manages these identities controls application access and data flow. A self-managed identity and access management (IAM) tool like Keycloak provides full control over employee and customer digital identities. It can be integrated with your applications using OpenID Connect and SAML, and authenticate your users securely with second factors or passkeys. Keycloak can be hosted on premise or in the cloud, and can move as your business needs change. Choose the features you want, customize them where needed, build on existing infrastructures like Lightweight Directory Access Protocol (LDAP) and Kerberos, and integrate it with other identity providers via federation across organizations. I’ll show how to implement and self-host digital identities, with case studies for e-government, banking, and startups. We’ll also review the latest features and roadmap of the project.


Alexander Schwartz

May 02, 2026


Transcript

  1. Digital identities for sovereign cloud with Keycloak
     Alexander Schwartz | Principal Software Engineer | IBM
     Red Hat Summit | Atlanta (US) | 2026-05-11
  2. Self-Hosting Identity and Access Management
     Full control over:
     • Confidentiality
     • Integrity
     • Availability
     • APIs and functionality
     • Rules
     • Audit logs
     Full responsibility for:
     • Confidentiality
     • Integrity
     • Availability
     • APIs and functionality
     • Rules
     • Audit logs
  3. Keycloak is an Open Source Identity and Access Management System
     🎂 First commit 2013-07-02
     🏆 Cloud Native Computing Foundation incubating project since April 2023
     📜 Apache License, Version 2.0
     ⭐ 34k GitHub stars
  4. Day 1: Single-Sign-On is cool!
     • Users need to remember only one password
     • Authenticate only once per day
     • Add second factor for authentication for security
     • Theme the frontend to match your needs
     Makes sense already for a single application!
  5. Day 2: Become flexible in your setup
     • Integrate LDAP and Kerberos
     • Brokerage to existing SAML services
     • Brokerage to existing OIDC services
     • Integrate existing custom stores
     • SCIM integration (experimental)
     Reuse the existing user infrastructure!
  6. Connecting LDAP
     • Read-only?
     • Import users?
     • Caching?
     • Use for authentication?
     • Synchronize?
     • Kerberos?
  7. Connecting to other Identity Providers (SAML, OpenID Connect, OAuth 2.0)
     • Which claims and attributes?
     • Allow local credentials?
  8. Day 3: Eliminate daily churn
     • User required actions
     • User password recovery (even when using LDAP)
     • Self-registration for users
     • User data self-management
     Resolve the need for calls and tickets!
  9. Case Studies
     • Hitachi Ltd. used Keycloak to make financial grade security easier
     • OpenTalk achieves versatile and compliant user authentication with Keycloak
     • BRZ migrated the Austrian Business Service Portal with 2M+ users to Keycloak
     https://www.keycloak.org/case-studies
  10. New: Better security for humans and machines
     🦎 Standard Token Exchange: exact and secure tokens with the right audience/scopes.
     🚪 JWT Authorization Grant: authenticate locally, then use trust relationships.
     🔑 2FA recovery codes, Passkeys, FAPI 2.0, DPoP, MCP: tightened security in all login flows.
     ⚙ Workflows: automate all stages of the user lifecycle management.
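The token-exchange slide above names the property that matters for a downstream service: the exchanged token must carry exactly the audience and scopes that were requested. The following added example (not code from the deck or from the Keycloak project) builds the RFC 8693 exchange request for Keycloak's OIDC token endpoint and shows the audience/scope check a resource server should apply to the token it receives; the host, realm, client id and the sample token payload are constructed for the offline demo.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed values for the offline demo; the endpoint path itself is Keycloak's.
KEYCLOAK_BASE = "https://sso.example.com"
REALM = "demo"


def token_endpoint(base: str = KEYCLOAK_BASE, realm: str = REALM) -> str:
    """Keycloak's OIDC token endpoint, which also serves token exchange."""
    return f"{base}/realms/{realm}/protocol/openid-connect/token"


def exchange_request(subject_token: str, audience: str, scopes: list[str],
                     client_id: str, client_secret: str) -> str:
    """Form body of an RFC 8693 token-exchange request. Ask only for the
    audience and scopes the downstream call needs (downscoping)."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "audience": audience,
        "scope": " ".join(scopes),
    })


def _payload(jwt: str) -> dict:
    """Decode the payload segment only. A real resource server verifies the
    signature against the realm's JWKS before trusting any claim."""
    seg = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def token_fits(jwt: str, expected_aud: str, allowed_scopes: set[str]) -> bool:
    """Accept the exchanged token only if it is addressed to exactly this
    service and carries no scope outside what the service expects."""
    claims = _payload(jwt)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    granted = set(claims.get("scope", "").split())
    return aud == [expected_aud] and granted <= allowed_scopes


def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned token for the offline demo only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

`token_fits` rejects a token that also names a second audience or carries an extra scope, which is the downscoping guarantee the exchange is meant to provide.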
  11. New: Automation and better tools for admins
     ⛱ Fine Grained Admin Permissions: delegate administration access to resource owners.
     ♻ Secure comms, split-brain detection, rolling updates: making an administrator’s life simpler.
     🔗 Federated Client Authentication: managing credentials of clients across the infrastructure.
     📈 Observability Guide, Dashboards, OpenTelemetry: happy users with great monitoring and analysis tools.
  12. Outlook*
     🤖 More AI features and standards: CIMD, MCP, …
     🗂 SCIM: integrating with other IdPs and pre-provision users
     🔒 Post-Quantum Cryptography: support it for TLS connections, tokens and credentials
     🔌 Client v2 API and Custom Resources for Clients: declarative provisioning of clients
     * subject to change
  13. 2025 and 2026 added a lot of security enhancements, let’s use them!
     Subscribe 🔔 to each issue and try out our nightly releases! 🔎
  14. Links
     • Keycloak https://www.keycloak.org/
     • Case Studies https://www.keycloak.org/case-studies
     • KeycloakCon + KubeCon Japan (July 2026) https://events.linuxfoundation.org/kubecon-cloudnativecon-japan/
     • KeyConf Prague (October 2027) https://keyconf.dev/
     Slides: