Keycloak

Single Sign-On and Single Sign-Out for browser applications.

OpenID Connect support.

OAuth 2.0 support.

SAML support.

Identity Brokering

Authenticate with external OpenID Connect or SAML Identity Providers. ❓

Social Login

Enable login with Google, GitHub, Facebook, Twitter, and other social networks.

User Federation

Sync users from LDAP and Active Directory servers. ⭐

Kerberos bridge

Automatically authenticate users that are logged-in to a Kerberos server. ⭐

Admin Console

Management of users, roles, role mappings, clients and configuration. ⭐

Account Management

Allows users to centrally manage their account. ❓

Theme support

Customize all user facing pages to integrate with your applications and branding.

Two-factor Authentication

❓ Support for TOTP/HOTP via Google Authenticator or FreeOTP.

Login flows

❓ Optional user self-registration, password recovery, email verification, required password update, etc.

Session management

Admins and users themselves can view and manage user sessions. ⭐

Token mappers

❓ Map user attributes, roles, etc. into tokens and statements however you want.

Not-before revocation policies per realm, application and user.

CORS support

⭐ Client adapters have built-in support for CORS.

Service Provider Interfaces (SPI)

A number of SPIs enable customizing various aspects of the server: authentication flows, user federation providers, protocol mappers and many more.

Client adapters

⭐ For JavaScript applications, WildFly, JBoss EAP, Tomcat, Jetty, Spring, etc.

Supports any platform/language that has an OpenID Connect Relying Party library or SAML 2.0 Service Provider library.

Access control mechanisms

Attribute-based access control (ABAC) ⭐

Role-based access control (RBAC)

User-based access control (UBAC)

Context-based access control (CBAC)

Rule-based access control (using JavaScript)

Time-based access control

Support for custom access control mechanisms (ACMs) through a Service Provider Interface (SPI)