One identity platform. Every application. Any directory.
Your users log into dozens of systems every day - internal tools, SaaS platforms, partner portals, mobile apps. Each with separate credentials, separate password policies and separate session management. Keycloak consolidates all of this into a single identity platform that handles authentication, authorisation and federation across your entire application estate. Node deploys, operates and supports Keycloak as a fully managed service on our infrastructure, or on yours.
What Keycloak is and why it matters
Keycloak is an open source identity and access management (IAM) platform originally developed by Red Hat and now maintained by a thriving community under the Cloud Native Computing Foundation (CNCF). It provides everything an organisation needs to secure its applications without building identity infrastructure from scratch: single sign-on (SSO), identity brokering, user federation, fine-grained authorisation and multi-factor authentication.
What makes Keycloak exceptional is its breadth. It implements every major identity standard - OpenID Connect, OAuth 2.0, SAML 2.0 - meaning it integrates with virtually any application, whether a modern React frontend, a legacy Java enterprise application, a mobile app or a third-party SaaS product. Your developers add a few lines of configuration and Keycloak handles the rest: login screens, token issuance, session management, password policies, account recovery and brute force protection.
Keycloak is deployed in production by government agencies, financial institutions, healthcare organisations and enterprises worldwide. It is the identity layer behind systems that serve millions of users, with the resilience and security posture to match.
Directory federation - Entra ID, Google Workspace and beyond
Most organisations already have users in one or more directories. Keycloak does not replace these - it federates with them. We configure Keycloak to connect to your existing identity providers so users continue to authenticate with the credentials they already have.
Microsoft Entra ID (Azure AD) - federate with your existing Microsoft tenant so employees use their corporate Microsoft credentials to access every application, not just Microsoft 365. Keycloak handles the OpenID Connect or SAML handshake, maps claims and groups from Entra ID to application roles, and provides a consistent login experience regardless of which application the user is accessing.
Google Workspace - for organisations on Google, Keycloak integrates as an identity broker, allowing users to sign in with their Google accounts while Keycloak applies your own authorisation policies, session controls and MFA requirements on top.
LDAP and Active Directory - Keycloak federates directly with on-premise LDAP directories and Active Directory via LDAPS, synchronising users and groups either on demand or on a schedule. This means your existing directory remains the source of truth while Keycloak extends its reach to every application.
Social and external identity providers - allow customers or partners to authenticate using GitHub, Facebook, Apple, LinkedIn or any OpenID Connect or SAML provider. Keycloak brokers these identities and maps them into your application's role model.
Single sign-on that actually works
SSO should be invisible. A user logs in once, and every application they access for the rest of their session recognises them without another login prompt. Keycloak achieves this through standards-based session management with configurable timeouts, idle detection, and forced re-authentication for sensitive operations.
For organisations with a mix of modern and legacy applications, this is transformative. Modern apps integrate via OpenID Connect with a few lines of code. Legacy SAML applications connect through Keycloak's built-in SAML adapter. Even applications that only support header-based authentication can be brought into the SSO fold using a reverse proxy. The result is a unified login experience across your entire estate, regardless of the underlying technology.
High availability and resilience
Identity infrastructure is not optional. If Keycloak goes down, nobody can log in to anything. We architect every Keycloak deployment for high availability from the outset.
Clustered deployment - Keycloak runs as a cluster with multiple nodes sharing session state through distributed caching (Infinispan). If a node fails, active sessions are preserved and users experience no interruption. Load balancers distribute traffic across nodes with sticky sessions and health check probes.
Database resilience - the identity database runs on PostgreSQL with streaming replication and automatic failover. User data, realm configurations, sessions and audit logs are protected against hardware failure and data corruption.
Cross-site resilience - for organisations requiring geographic redundancy, we deploy Keycloak across multiple sites with database replication and cache synchronisation, providing disaster recovery capabilities that meet even the most demanding RPO and RTO requirements.
Automated backup and recovery - realm exports, database snapshots and configuration-as-code ensure that a complete Keycloak environment can be rebuilt from scratch in minutes, not hours.
Fine-grained authorisation
Authentication answers "who are you?" - authorisation answers "what are you allowed to do?" Keycloak provides both.
Beyond simple role-based access control (RBAC), Keycloak supports attribute-based policies, time-based access, resource-level permissions and custom policy evaluation. A user might have access to a document management system but only be allowed to view documents in their own department, only during business hours, and only if their account has MFA enabled. Keycloak evaluates all of these conditions at the point of access.
Hosted and managed by Node - deployed anywhere
We provide Keycloak as a fully managed service. We handle deployment, configuration, upgrades, monitoring, backup and 24/7 incident response. Your team consumes identity as a service through standard protocols without managing the underlying infrastructure.
Our infrastructure - hosted on Node's own high-availability platform with SLA-backed uptime, proactive monitoring and regular security patching.
AWS, Azure or Google Cloud - deployed into your cloud tenancy using infrastructure-as-code (Terraform, Helm), running on managed Kubernetes with cloud-native database services.
On-premise - deployed onto your own hardware or virtualisation platform for organisations with data residency or air-gap requirements.
Regardless of where it runs, we manage it. Same tooling, same monitoring, same support - your deployment model is your choice.
Keycloak in your technology stack
Keycloak integrates naturally with the rest of Node's platform. Apache APISIX validates tokens issued by Keycloak at the API gateway layer, enforcing authentication before requests reach your services. Airflow workflows authenticate against Keycloak for operator access. Superset dashboards use Keycloak SSO with role-mapped data permissions. The result is a consistent identity layer that spans your entire automation and security infrastructure.
Trusted in production worldwide - Keycloak was created by Red Hat and is now a Cloud Native Computing Foundation (CNCF) incubating project. Bosch uses it for IoT device identity management across millions of connected devices, Lufthansa runs employee single sign-on through it, and government organisations across Europe rely on it for citizen identity platforms. It is the most widely deployed open source identity solution in enterprise environments. Node deploys and operates Keycloak with the same standards these organisations demand.
Talk to us about identity and access management.
Drop us a line, and our team will discuss how Keycloak can centralise authentication across your applications and integrate with your existing directories.