Keycloak
Single-Sign On and Single-Sign Out for browser applications.
OpenID Connect support.
OAuth 2.0 support.
SAML support.
Identity Brokering
Authenticate with external OpenID Connect or SAML Identity Providers. ❓
Social Login
Enable login with Google, GitHub, Facebook, Twitter, and other social networks.
User Federation
Sync users from LDAP and Active Directory servers. ⭐
Kerberos bridge
Automatically authenticate users who are logged in to a Kerberos server. ⭐
Admin Console
Management of users, roles, role mappings, clients and configuration. ⭐
Account Management
Allows users to centrally manage their account. ❓
Theme support
Customize all user-facing pages to integrate with your applications and branding.
Two-factor Authentication
❓ Support for TOTP/HOTP via Google Authenticator or FreeOTP.
Login flows
❓ Optional user self-registration, password recovery, email verification, required password update, etc.
Session management
Admins and users themselves can view and manage user sessions. ⭐
Token mappers
❓ Map user attributes, roles, etc. into tokens and statements however you want.
Not-before revocation policies per realm, application and user.
CORS support
⭐ Client adapters have built-in support for CORS.
Service Provider Interfaces (SPI)
A number of SPIs enable customizing various aspects of the server: authentication flows, user federation providers, protocol mappers and many more.
Client adapters
⭐ For JavaScript applications, WildFly, JBoss EAP, Tomcat, Jetty, Spring, etc.
Supports any platform/language that has an OpenID Connect Relying Party library or SAML 2.0 Service Provider library.
Access control mechanisms
Attribute-based access control (ABAC) ⭐
Role-based access control (RBAC)
User-based access control (UBAC)
Context-based access control (CBAC)
Rule-based access control (Using JavaScript)
Time-based access control
Support for custom access control mechanisms (ACMs) through a Service Provider Interface (SPI)