Marketplace · Identity

Deploy Keycloak in one click.

The open-source identity and access management server. We review it, secure it and run it in production for you. Pick a region in Switzerland, France or Germany, or bring your own machines through a secure tunnel. We keep it patched, backed up and online. Your users just log in.

See how it works ↓

★ 34k stars · Apache-2.0 · Java · tested versions · shipped with a runbook

LicenseApache-2.0 Stars34,257 LanguageJava CategoryIdentity Source github.com/keycloak/keycloak ↗ Website www.keycloak.org ↗

What is Keycloak?

The identity layer for the rest of the stack: single sign-on for every other app in the catalog.

Keycloak is an open-source identity and access management server and a CNCF project. It speaks OpenID Connect, OAuth 2.0 and SAML 2.0, federates users from existing LDAP and Active Directory directories, brokers logins from external identity providers, and gives you an admin console for realms, roles and sessions. Put it in front of your applications and every one of them gets single sign-on from the same place.

Identity data is the keys to everything: credentials, sessions, group memberships, the record of who can touch what. Hand it to a SaaS identity provider and access to your entire stack routes through someone else’s cloud. Self-hosting Keycloak keeps the master keys on infrastructure you control, in the country you choose.

The catch: self-hosting means someone has to run it, and this is the one service that cannot go down, because when the login layer fails, everything behind it does. A database to operate, an internet-facing login page to patch fast, realm configuration to back up, upgrades to test against every connected app. That someone is usually you, at the worst possible time.

Keycloak, without the ops.

Everything below is what you’d otherwise build and babysit yourself.

Residency

Your identities stay where you put them.

Deploy to ch-zh1 (Zurich), fr-pa1 (Paris) or de-fr1 (Frankfurt). User accounts, credentials and sessions stay in the region you choose, under Swiss or EU law and in line with GDPR.

Secured

Reviewed before it ships.

Our Keycloak package is reviewed, secured and locked to versions we have tested, and it ships with a runbook. We track CVEs upstream and patch them fast. This is the one app where that matters most.

SSO layer

One login for everything else.

Front every app in the catalog with Keycloak over OIDC or SAML: Grafana, Nextcloud, Mattermost, Open WebUI. One directory, one login, one place to revoke access when someone leaves.

Managed

TLS, upgrades, scaling: handled.

Certificates issued and renewed, rolling zero-downtime updates, instant rollback, health checks. Keycloak moves fast upstream; we keep you current without breaking a single login flow.

Backups

Backups you can actually restore.

Offsite backups of your realms, users and configuration. We run restore drills, not just snapshots. Losing chat history is painful; losing your identity provider is existential.

No lock-in

Leave whenever you want.

Keycloak is open source and so is your exit: your realms, users and configuration leave with you, in usable form. Pilae runs it for you. It never owns your identities.

Self-hosting Keycloak: DIY vs Pilae.

Both paths end with Keycloak in production. Only one of them ends there this afternoon.

Self-hosted DIY On Pilae
Initial setup Docker, reverse proxy, DNS, auth. An afternoon if nothing fights back One click, live in minutes
TLS certificates Issue, wire up, remember to renew Issued and renewed automatically
Upgrades Frequent releases to track, test and apply yourself Tested versions, rolled out with instant rollback
Security patching You watch the CVE feed Upstream tracked, CVEs prioritized
Backups cron + object storage + hope Offsite, verified with restore drills
Data residency Wherever your VPS happens to be You pick: Zurich, Paris, Frankfurt, or your own racks
3 a.m. failures Yours Ours
SSO across your stack Stand up the IdP, then wire every app to it yourself Deploy once, front every catalog app with OIDC or SAML
Login-layer downtime A single point of failure you babysit Health checks, rolling updates, instant rollback

From catalog to production in three steps.

No servers to set up, no configuration to write. The platform work is already done.

01

Pick Keycloak.

Find it in the catalog: reviewed, secured, locked to tested versions, runbook included.

02

Choose where it runs.

A Pilae region in Switzerland, France or Germany, or your own machine connected through a secure tunnel. Same console either way.

03

Deploy and wire up your apps.

One click to production with TLS and backups from day one. Create a realm, connect your apps over OIDC or SAML, done.

Identity data is the keys to everything. Keep it close.

Every Keycloak deployment is pinned to the region you choose. Encryption, dedicated VLANs, and the option to hold your own encryption keys for regulated workloads. Or skip our regions entirely and run it on-prem.

ch-zh1 ready
fr-pa1 ready
de-fr1 ready

Deploying Keycloak: the questions we get.

If yours isn’t here, reach out and we’ll answer it, usually the same day.

What’s the easiest way to self-host Keycloak?

Deploying it through a managed platform. On Pilae you pick Keycloak from the catalog, choose a region, and click deploy. TLS, backups, patching and upgrades are handled for you from the first minute. You get self-hosting’s control without its ops.

Does Keycloak support SAML and OIDC?

Yes. Keycloak implements OpenID Connect, OAuth 2.0 and SAML 2.0, so it covers both modern apps and the enterprise software that still expects SAML. One deployment speaks to all of them.

Can Keycloak connect to LDAP or Active Directory?

Yes. User federation is built in: Keycloak can authenticate against your existing LDAP or Active Directory, so you get single sign-on for new apps without migrating your directory.

Can I use Keycloak as SSO for my other self-hosted apps?

That’s the point. Deploy Keycloak next to the rest of your stack and put OIDC or SAML in front of Grafana, Nextcloud, Mattermost, Open WebUI and the rest of the catalog. Same console, same one-click deploys, one login for the team.

Where does my Keycloak identity data live?

In the region you choose: Zurich, Paris or Frankfurt, or on your own infrastructure through a secure tunnel. Accounts, credentials and sessions stay there, encrypted. For regulated workloads you can hold your own encryption keys.

Can I move my Keycloak deployment off Pilae later?

Yes, and that’s by design. Keycloak is open source and your data exits with you in usable form: realms, users, configuration. No proprietary formats, no lock-in.

Runs well next to.

Build your stack from the same catalog. One console, one click each.

Keycloak, without the ops.

Deploy it in minutes, keep your data in the country you choose, and leave whenever you want. Your data goes with you.

Explore the catalog →