Service Packages
Fixed-price Keycloak implementations with clear scope, timeline, and deliverables. No hourly billing surprises.
Keycloak SSO Migration: Auth0, Okta & Custom Auth
Migrate from Auth0, Okta, or a homegrown auth system. Or add SSO to existing Spring Boot, React, Next.js, or Angular apps without rebuilding them.
- OIDC / SAML integration per application
- User & group directory migration
- Auth0 / Okta decommission guide
Multi-Tenancy SaaS IAM
Every enterprise customer has their own IdP. We configure Keycloak to federate Okta, Azure AD, Auth0, and SAML providers. One endpoint for your app. Zero per-customer auth work for your team.
- Keycloak multi-tenant setup: Organizations + domain-based routing
- Per-tenant IdP federation: Okta, Azure AD, Auth0, SAML 2.0, OIDC
- SSO integration for Spring Boot, Next.js, Angular, Django, Flask, and PHP
Keycloak Production HA Cluster on Kubernetes
K8s deployment with Infinispan caching, PostgreSQL 16, blue-green rollouts, and full observability. Targets 99.9%+ availability.
- K8s manifests / Helm charts
- PostgreSQL 16 HA (primary-replica)
- Infinispan distributed session cache
Certificate-Based Authentication
Map X.509 client certificates to Keycloak users for device-bound, passwordless Single Sign-On (SSO). Managed devices log in without friction. Unmanaged devices are hard-blocked before they reach a login page.
- X.509 certificate-to-user mapper (Subject DN / Subject Alternative Name)
- Mutual TLS (mTLS) termination config (Nginx / HAProxy)
- Certificate revocation via OCSP and CRL
CIAM Foundation & Federation
End-to-end identity foundation: passkeys, configurable MFA flows, federated brokering across SAML/OIDC providers, custom branded UI, and compliance audit logging.
- Complete IAM architecture design
- Passkeys + configurable MFA flows
- Federated identity brokering (SAML / OIDC)
Custom Auth SPI — Passwordless SMS OTP & Push Login
Keycloak Authentication SPIs for passwordless e-commerce login: customers check out with a phone number and SMS One-Time Password (OTP), while returning mobile users get one-tap push approval.
- SMS OTP passwordless login SPI
- Push notification login SPI
- Passwordless authentication flow configuration
Custom SPI & SIEM Integration
Bespoke event listener SPIs, protocol mappers for custom token claims, Kafka event streaming, SIEM forwarding, and full Terraform IaC for your Keycloak realm.
- Custom event listener SPIs
- Protocol mappers (custom token claims)
- Kafka event streaming
Custom Branding & Login UI
Pixel-perfect custom login, registration, and account pages that match your product's design system — delivered as FreeMarker themes deployable per realm.
- Custom FreeMarker login theme
- Registration & forgot-password pages
- Account management page
Social Login & CIAM Setup
Google, Apple, GitHub, Facebook, and LinkedIn identity providers wired into Keycloak — with self-registration, email verification, account linking, and consent management.
- Social IdP config (up to 4 providers)
- Self-registration flow
- Email verification
Passkeys & Passwordless Login
Full WebAuthn/FIDO2 implementation with fallback OTP flows, device management UI, and a Keycloak Required Action that nudges existing users to enrol on their next login.
- WebAuthn registration flow
- Passkey login flow
- Fallback TOTP flow
Managed Keycloak-as-a-Service
Ongoing management, monitoring, patching, scaling, and incident response. Your dedicated Keycloak ops team — without the overhead of hiring one.
- Continuous monitoring & alerting
- Security patches within 72 hours of release
- Scaling & performance optimisation
Not sure which package fits? We’ll help you figure it out.