Pricing About Documentation Login Free Trial

Keycloak is an open source identity and access management solution. Keycloak ensures high performance with clustering options for scalability and availability, making it a lightweight, fast, and scalable choice for secure application and service adaptation, all customizable through code and tailored password policies. It offers Single-Sign On (SSO) for authentication, user federation supporting LDAP and Active Directory, and identity brokering for easy integration with social networks and existing OpenID Connect or SAML 2.0 identity providers.

Sign In

On your first visit to the site, you will be presented with the login/signup screen.

Keycloak Sign In screen

When your instance is first created, an account is created for you with the email you chose. You can get the password for this account by going to your Elestio dashboard and clicking on the "Show Password" button.

Enter your email, name and password and click the "Sign In" button

Creating Client

To get started, you will need to create a client in Keycloak. Clients are applications or services that can request Keycloak to authenticate a user. They also have the ability to request identity information or an access token to securely interact with other services on the network that are protected by Keycloak. Clients play a vital role in ensuring the security of applications and providing a seamless single sign-on experience.

Keycloak creating client

Creating Client Scopes

When a client is registered, you must define protocol mappers and role scope mappings for that client. It is often useful to store a client scope, to make creating new clients easier by sharing some common settings. This is also useful for requesting some claims or roles to be conditionally based on the value of scope parameter. Keycloak provides the concept of a client scope for this.

Keycloak client scopes

Creating Realm Roles

A realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users that they control.

Keycloak realm roles

Creating Users

Users are individuals who can log into your system. They have attributes such as email, username, address, phone number. Users can be assigned to groups and given specific roles. Add new users to your Keycloak instance by clicking on the "Users" on left side.

Keycloak users

Creating Groups

Groups in Keycloak are used to manage collections of users. Groups can have defined attributes and roles mapped to them. When a user becomes a member of a group, they inherit the attributes and role mappings associated with that group. You can create new groups by heading over to the "Groups" section in the left side menu.

Keycloak groups


Keycloak keeps track of user sessions when they log into realms. Within each session, Keycloak remembers the clients that the user has visited. Realm administrators have the ability to perform various actions on user sessions, such as viewing login statistics, monitoring active users and their login locations, logging out users, revoking tokens, and configuring token and session timeouts. You get to checkout the sessions by clicking on the "Sessions" on left side.

Keycloak sessions


Keycloak allows you to track and monitor all user and admin related events. These events include successful logins, incorrect password attempts, and user account updates. By default, Keycloak does not store or display events in the Admin Console, except for error events which are logged in the Admin Console and server's log file.

Keycloak events

Realm Settings

Realm settings in Keycloak allow you to control various options for users, applications, roles, and groups within a specific realm. By configuring realms through the Admin Console, you can manage objects such as users, applications, roles, and groups. Each user belongs to and logs into a realm, and a Keycloak deployment can support multiple realms stored in the database.

Keycloak realm settings


Authentication settings include flows and policies. An authentication flow is a container of authentications, screens, and actions, used during log in, registration, and other Keycloak workflows. Keycloak provides several built-in flows that cannot be modified, but their requirements can be adjusted to meet specific needs. Additionally, Keycloak offers password policies that can be configured through the Admin Console to enforce security measures for passwords.

Keycloak authentication

Identity Providers

Keycloak serves as an identity provider (IDP), which means it can authenticate users. Get list of all the identity providers by clicking on the "Identity Providers" on left side menu. Each provider provides a way to authenticate users. Keycloak comes with a variety of built-in identity providers, but you can also add custom providers.

Keycloak identity providers

User Federation

Keycloak has the capability to store and manage user information. In many cases, organizations already have LDAP or Active Directory services that store user credentials. Keycloak can be configured to validate credentials from these external sources and retrieve identity information. You can click on the "User Federation" on left side menu to add your preferred provider.

Keycloak user federation