Features

Keycloak provides the following features:

  • Single-Sign On and Single-Sign Out for browser applications.

  • OpenID Connect support.

  • OAuth 2.0 support.

  • SAML support.

  • Identity Brokering - Authenticate with external OpenID Connect or SAML Identity Providers.

  • Social Login - Enable login with Google, GitHub, Facebook, Twitter, and other social networks.

  • User Federation - Sync users from LDAP and Active Directory servers.

  • Kerberos bridge - Automatically authenticate users that are logged-in to a Kerberos server.

  • Admin Console for central management of users, roles, role mappings, clients and configuration.

  • Account Management console that allows users to centrally manage their account.

  • Theme support - Customize all user facing pages to integrate with your applications and branding.

  • Two-factor Authentication - Support for TOTP/HOTP via Google Authenticator or FreeOTP.

  • Login flows - optional user self-registration, recover password, verify email, require password update, etc.

  • Session management - Admins and users themselves can view and manage user sessions.

  • Token mappers - Map user attributes, roles, etc. how you want into tokens and statements.

  • Not-before revocation policies per realm, application and user.

  • CORS support - Client adapters have built-in support for CORS.

  • Service Provider Interfaces (SPI) - A number of SPIs to enable customizing various aspects of the server. Authentication flows, user federation providers, protocol mappers and many more.

  • Client adapters for JavaScript applications, WildFly, JBoss EAP, Tomcat, Jetty, Spring, etc.

  • Supports any platform/language that has an OpenID Connect Relying Party library or SAML 2.0 Service Provider library.