
A Quick Guide to Using Keycloak for Identity and Access Management

Ganesh Akondi


Updated June 15, 2026

In this post we will show how to use Keycloak for Identity and Access Management. First, some frequently asked questions about Keycloak.

What is Keycloak?

Keycloak is an open source Identity and Access Management server with features such as Single Sign-On (SSO), identity brokering and social login, user federation, an Admin Console, and an Account Management Console. It lets you add authentication to applications and secure services without writing your own login, session, or password-handling code.

By providing a centralized authentication server, Keycloak helps organizations improve security, simplify user management, reduce development effort, and deliver a seamless login experience across enterprise applications.

  • Single Sign-On (SSO) across multiple applications
  • Centralized authentication and authorization
  • Support for OAuth 2.0, OpenID Connect (OIDC), and SAML
  • LDAP and Active Directory integration
  • Social identity provider integration
  • Role-based access control (RBAC)
  • User federation and centralized session management

These capabilities make Keycloak a scalable, secure, and cost-effective solution for managing digital identities and controlling access to modern applications and enterprise systems.

Is Keycloak free?

Yes, Keycloak is free. The Keycloak server is open source and distributed under the Apache License 2.0.

IAM (Identity and Access Management)

IAM (Identity and Access Management) is a framework for establishing who a user is (authentication) and what that user may do (authorization). It decides whether users may access files, networks, and resources, and governs how information can be read or modified.

Identity Management has four main functions:

  1. The pure identity function: Creation, management, and deletion of identities.
  2. User access function: Controlling authentication to services.
  3. Service function: Delivering personalised and role-based services.
  4. Identity Federation: Authentication across organisational boundaries.

Single Sign-On and User Management

Single Sign-On (SSO) allows users to log in once and access multiple related applications without needing separate credentials.

Benefits of using SSO

  1. Reduces credential exposure.
  2. Reduces password fatigue.
  3. Saves time during authentication.
  4. Lowers IT support costs.

Keycloak Authorization

Keycloak Authorization Services add fine-grained, policy-based access control (role-, attribute-, user-, group-, and time-based policies) on top of the coarse role checks most applications perform on tokens. In either model, users authenticate at Keycloak rather than at each individual application, and the application receives tokens carrying the user's roles and other claims.

Password Policies

Keycloak lets administrators set a per-realm password policy covering minimum length, character classes (upper case, lower case, digits, special characters), password history, expiry, and checks such as "not username". The policy is enforced whenever a user sets or changes a password.

OTP to Authenticate Users

Keycloak supports one-time passwords as a second factor with any standard authenticator app, such as FreeOTP or Google Authenticator, in two modes:

  1. TOTP (Time-Based OTP)
  2. HOTP (Counter-Based OTP)

Client Certificate (X.509)

  • A client certificate authenticates the client during the TLS handshake (mutual TLS), before any password is involved.
  • Major browsers, including Chrome, Firefox, Edge, and Safari, can present a client certificate.
  • Keycloak can map the certificate to a realm user; only clients presenting a certificate that validates against the configured trust store are granted access.

How a Keycloak Login Works

An unauthenticated user requests a protected resource, and the application redirects the browser to Keycloak's login page. After the user authenticates, Keycloak redirects back to the application with an authorization code, which the application exchanges for tokens (ID token, access token, refresh token) and then uses to grant access.

Keycloak With OpenID Connect (OIDC)

OIDC is an identity layer on top of OAuth 2.0. It adds an ID Token, a signed JWT containing claims about the authenticated user (issuer, subject, audience, expiry, nonce), plus standard discovery and userinfo endpoints alongside the OAuth 2.0 authorization and token endpoints. The application must verify the ID token's signature and claims before trusting it.
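As an added example (not code from the original post), the two client-side halves of an OIDC login against Keycloak: building the authorization request with state, nonce and PKCE, and verifying the ID token that comes back. The realm URL, client id, client secret and redirect URI are placeholders. Keycloak signs tokens with RS256 by default, which requires fetching the realm's JWKS and an RSA verifier; to stay runnable offline this example assumes the client is configured with HS256 as its ID token signature algorithm, where the signing key is the client secret, so the standard-library hmac module suffices.

```python
"""OIDC authorization request + ID token verification (added example).
Assumptions: Keycloak 17+ URL layout, client uses HS256 ID tokens."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

ISSUER = "http://localhost:8080/realms/demo"             # assumed realm
CLIENT_ID = "app1"                                       # assumed client
CLIENT_SECRET = "assumed-client-secret"                  # assumed HS256 key
REDIRECT_URI = "http://localhost:8081/login/oauth2/code/keycloak"  # assumed


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request():
    """Return the URL to redirect the browser to, plus the per-login values
    the app must keep server-side (in its session) to check the response."""
    verifier = b64url_encode(secrets.token_bytes(32))
    challenge = b64url_encode(hashlib.sha256(verifier.encode()).digest())
    pending = {"state": secrets.token_urlsafe(16),
               "nonce": secrets.token_urlsafe(16),
               "code_verifier": verifier}
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "scope": "openid profile", "redirect_uri": REDIRECT_URI,
              "state": pending["state"], "nonce": pending["nonce"],
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{ISSUER}/protocol/openid-connect/auth?{urlencode(params)}", pending


class TokenError(ValueError):
    pass


def verify_id_token(token, expected_nonce, now=None):
    """Verify the signature, then the claims OIDC Core requires a client to check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: never let the token choose ("none", RS256->HS256 confusion).
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET.encode(), f"{h_b64}.{p_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise TokenError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise TokenError("azp mismatch")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch (possible replay)")
    return claims


def mint_test_id_token(claims, alg="HS256"):
    """Constructed sample token standing in for Keycloak's response
    (always HMAC-signed, so an 'alg' other than HS256 tests header pinning)."""
    h = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


if __name__ == "__main__":
    url, pending = build_authorization_request()
    print(url)
    now = int(time.time())
    token = mint_test_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "1234",
                                "nonce": pending["nonce"], "iat": now, "exp": now + 300})
    print(verify_id_token(token, pending["nonce"])["sub"])
```

In a real deployment the state, nonce and code_verifier live in the server-side session created before the redirect; the state is compared against the callback's state parameter, the code_verifier is sent with the code to the token endpoint, and the nonce is checked inside the ID token as above.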

Requirements

  • Platform: Windows (or any operating system that can run Docker)
  • Tools: Maven
  • SSO: Keycloak
  • Development Environment: Eclipse
  • Programming Language: Java

Integrating Multiple Applications with Keycloak

Add a docker-compose.yml file that starts Keycloak and save it in your project folder.

Add the Spring Boot and Spring Security OAuth2 client dependencies to your project. The dedicated Keycloak Spring Boot adapter is deprecated and has been removed from recent Keycloak releases; use Spring Security's standard OpenID Connect support instead.

Create a SecurityConfig.java file in your project that requires authentication for protected paths and enables OAuth2/OIDC login.

Create an application.properties file with your Keycloak configuration (issuer URL, client ID, client secret, and the redirect URI).

Open a command prompt and run docker-compose up to start Keycloak.

Open your browser, navigate to the Keycloak URL, and click Administration Console.

The administrator username and password are whatever the docker-compose file sets (commonly admin/admin in tutorials). Change them immediately in any non-development environment.

Click Add Realm and give it a name.

Add a new client.

Enter your application's exact callback URL in the Valid Redirect URIs field. Avoid wildcards such as http://localhost:8081/*; an over-broad redirect URI lets an attacker redirect authorization codes to a page they control.

Add a role.

Add a user.

Go to the Credentials tab and set a new password.

Go to the Role Mappings tab and assign the role.

Repeat the same steps to configure a second application. Use the same realm, since SSO sessions are scoped to a realm, but create a new client, role, and user.

Start both applications.

Navigate to the first application and authenticate through Keycloak.

Open the second application. Because SSO is enabled, you will be logged in automatically.
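The realm, client, role and user steps above are clicked through in the Admin Console. As an added example (not code from the original post), the same setup scripted against the Keycloak Admin REST API with only the Python standard library, so it can be repeated for every environment. The host, admin credentials, realm name, client IDs and usernames are assumed, and the URL layout is that of Keycloak 17 and later (no /auth prefix). The client representation encodes the hardening a practitioner wants: a confidential client, exact redirect URIs, and only the authorization-code flow enabled; the realm representation carries a password policy from the section above.

```python
"""Keycloak Admin REST API provisioning (added example, standard library only).
Assumes Keycloak 17+ at BASE_URL and an admin user on the master realm."""
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8080"   # assumed
REALM = "demo"                       # assumed


def build_realm_rep(name):
    # Password policy string in Keycloak's "rule(arg) and rule(arg)" syntax.
    return {"realm": name, "enabled": True, "sslRequired": "external",
            "bruteForceProtected": True,
            "passwordPolicy": "length(12) and upperCase(1) and lowerCase(1) "
                              "and digits(1) and notUsername and passwordHistory(5)"}


def build_client_rep(client_id, redirect_uris):
    """Confidential OIDC client, exact redirect URIs, code flow only."""
    for uri in redirect_uris:
        if "*" in uri:
            raise ValueError(f"wildcard redirect URI rejected: {uri}")
    return {"clientId": client_id, "protocol": "openid-connect", "enabled": True,
            "publicClient": False, "standardFlowEnabled": True,
            "implicitFlowEnabled": False, "directAccessGrantsEnabled": False,
            "serviceAccountsEnabled": False, "redirectUris": list(redirect_uris),
            "webOrigins": ["+"]}  # "+" = only the origins of the redirect URIs


def build_user_rep(username, email, temp_password):
    # temporary=True forces a password change at first login.
    return {"username": username, "email": email, "enabled": True,
            "credentials": [{"type": "password", "value": temp_password,
                             "temporary": True}]}


class KeycloakAdmin:
    def __init__(self, base_url, username, password):
        self.base = base_url.rstrip("/")
        body = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": username, "password": password}).encode()
        req = urllib.request.Request(
            f"{self.base}/realms/master/protocol/openid-connect/token", data=body)
        with urllib.request.urlopen(req) as resp:
            self.token = json.load(resp)["access_token"]

    def _call(self, method, path, payload=None):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(
            f"{self.base}/admin{path}", data=data, method=method,
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return (json.loads(raw) if raw else None), resp.headers.get("Location")

    def create_realm(self, rep):
        self._call("POST", "/realms", rep)

    def create_client(self, realm, rep):
        self._call("POST", f"/realms/{realm}/clients", rep)

    def create_role(self, realm, name):
        self._call("POST", f"/realms/{realm}/roles", {"name": name})

    def create_user(self, realm, rep):
        _, location = self._call("POST", f"/realms/{realm}/users", rep)
        return location.rsplit("/", 1)[-1]          # id of the new user

    def assign_realm_role(self, realm, user_id, role_name):
        role, _ = self._call("GET", f"/realms/{realm}/roles/{role_name}")
        self._call("POST", f"/realms/{realm}/users/{user_id}/role-mappings/realm", [role])


if __name__ == "__main__":
    kc = KeycloakAdmin(BASE_URL, "admin", "admin")   # credentials from docker-compose
    kc.create_realm(build_realm_rep(REALM))
    # Two applications sharing one realm: second login is SSO.
    for app, port, role, user in [("app1", 8081, "app1-user", "alice"),
                                  ("app2", 8082, "app2-user", "bob")]:
        kc.create_client(REALM, build_client_rep(
            app, [f"http://localhost:{port}/login/oauth2/code/keycloak"]))
        kc.create_role(REALM, role)
        temp = secrets.token_urlsafe(12)
        uid = kc.create_user(REALM, build_user_rep(user, f"{user}@example.com", temp))
        kc.assign_realm_role(REALM, uid, role)
        print(f"{user}: id={uid} temporary password={temp}")
```

The Admin API returns 409 Conflict when a realm, client or user already exists, so a re-run against an existing environment should catch urllib.error.HTTPError and treat 409 as "already present" rather than aborting.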

Enable OTP Authentication

Navigate to Authentication → Flows → Direct Grant and set the OTP step to Required. The Direct Grant flow covers the resource-owner password credentials grant, where the client sends username, password, and OTP directly to the token endpoint.

In the Browser flow, which handles interactive logins through the login page, also mark the OTP step as Required.

Configure the realm's OTP policy: type (TOTP or HOTP), hash algorithm, number of digits, validity period for TOTP, and the look-around or look-ahead window that tolerates clock drift or skipped codes.

Install FreeOTP or Google Authenticator. At the next login Keycloak prompts each user to scan a QR code; this enrols the shared secret in the app, and subsequent logins require a code from it.
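As an added example (not code from the original post) for the OTP modes listed earlier and the policy settings just described: the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms that Keycloak and the authenticator apps both run, verifiers that apply a look-around (TOTP) or look-ahead (HOTP) window the way the OTP policy's window settings do, and the otpauth:// URI format that the enrolment QR code encodes. Keycloak's default policy values (SHA1, 6 digits, 30-second period, window 1) are assumed; the secret and account names are constructed, and the secret used in the checks is the RFC test-vector secret.

```python
"""HOTP/TOTP generation and verification with windows (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with the counter derived from the current time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // period), digits, algorithm)


def verify_totp(secret, code, at=None, period=30, digits=6, algorithm="sha1", window=1):
    """Accept the current step and `window` steps either side (Keycloak's
    'Look Around Window'). Constant-time comparison per candidate."""
    at = time.time() if at is None else at
    if len(code) != digits or not code.isdigit():
        return False
    step = int(at // period)
    return any(hmac.compare_digest(hotp(secret, step + d, digits, algorithm), code)
               for d in range(-window, window + 1))


def verify_hotp(secret, code, counter, look_ahead=1, digits=6, algorithm="sha1"):
    """Try counter .. counter+look_ahead (Keycloak's 'Look Ahead Window').
    Returns the counter the server must store next, or None on failure.
    Advancing past the matched counter is what prevents code replay."""
    if len(code) != digits or not code.isdigit():
        return None
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), code):
            return c + 1
    return None


def provisioning_uri(secret, issuer, account, period=30, digits=6, algorithm="sha1"):
    """The otpauth:// URI an authenticator app reads from the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(f'{issuer}:{account}')}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm={algorithm.upper()}"
            f"&digits={digits}&period={period}")


# Constructed secret: the RFC 4226/6238 test-vector secret, not a real one.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET, "demo", "alice"))   # constructed names
    print("current code:", totp(RFC_SECRET))
    print("valid now?", verify_totp(RFC_SECRET, totp(RFC_SECRET)))
```

Because a code within the window is accepted for up to three 30-second steps, a server must also record the last time step it accepted for each user and refuse a second use of the same code; Keycloak does this, and a hand-rolled verifier must too.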



Written by Ganesh Akondi, Director of Engineering at coMakeIT
