Skill

keycloak-administration

Guides Keycloak IAM administration: realm/user management, client configuration, authentication flows with OIDC/SAML, authorization policies, RBAC, security hardening, and troubleshooting.

Docker

Bash

PostgreSQL

authentication

security

npx claudepluginhub nikiforovall/keycloak-authorization-services-dotnet --plugin keycloak-authservices

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Choose your task and load the appropriate reference:

Supporting Assets

references/authentication-sso.mdreferences/authorization-rbac.mdreferences/client-configuration.mdreferences/ha-scalability.mdreferences/integration-examples.mdreferences/realm-management.mdreferences/security-hardening.mdreferences/troubleshooting.mdreferences/user-federation.md

SKILL.md

Similar Skills

keycloak-admin

Administers Keycloak via REST API: creates/manages realms, clients, users with custom attributes, roles, groups; configures OAuth 2.0, themes, tokens, and identity providers. For auth setups and troubleshooting.

9 tools

lobbi-platform-manager

harness-keycloak-auth

Integrates Keycloak OIDC with Harness pipelines for EKS IRSA service account authentication and realm-as-code configurations.

8 tools

aws-eks-helm-keycloak

Keycloak Theming Skill

Guides custom Keycloak theme implementation for multi-tenant realms with tenant-specific branding, logos, colors, CSS/JS assets, and FTL login templates.

frontend-design-system

Stats

Stars667

Forks131

Last CommitMar 22, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Keycloak Administration

Quick Start

Choose your task and load the appropriate reference:

New Installation → Continue below
Realm & User Management → Load realm-management.md
Client Configuration → Load client-configuration.md
Authentication & SSO → Load authentication-sso.md
Authorization & RBAC → Load authorization-rbac.md
User Federation (LDAP/AD) → Load user-federation.md
Security Hardening → Load security-hardening.md
High Availability & Scaling → Load ha-scalability.md
Troubleshooting → Load troubleshooting.md
Integration Examples → Load integration-examples.md

Installation & Setup

Docker (Recommended for Development)

docker run -d \
  --name keycloak \
  -p 8080:8080 \
  -e KEYCLOAK_ADMIN=admin \
  -e KEYCLOAK_ADMIN_PASSWORD=admin \
  quay.io/keycloak/keycloak:latest \
  start-dev

Production Mode

bin/kc.sh build --db=postgres

export KC_DB=postgres
export KC_DB_URL=jdbc:postgresql://localhost/keycloak
export KC_DB_USERNAME=keycloak
export KC_DB_PASSWORD=password
export KC_HOSTNAME=keycloak.example.com

bin/kc.sh start --optimized

Initial Configuration Checklist

Admin account — strong password (12+ chars)
Hostname — configure KC_HOSTNAME for production
SSL/TLS — required for production
Database — PostgreSQL recommended
SMTP — for email verification and password reset

Core Concepts

Concept	Description
Realm	Tenant boundary. Master realm for admin only; create app realms per environment
Client	Application registration. OIDC (modern) or SAML (legacy). Confidential (server) or Public (SPA/mobile)
User/Group	Identity with credentials. Groups for hierarchical organization
Realm Role	Global permission across all clients in a realm
Client Role	Permission scoped to a single client
Composite Role	Role that inherits other roles

Common Tasks

Configure SSO for an Application

Create OIDC client with your app's client-id
Set Valid Redirect URIs (exact URLs, avoid wildcards)
Set Client Authentication: On (confidential) or Off (public with PKCE)
Get discovery endpoint: {AuthServerUrl}/realms/{realm}/.well-known/openid-configuration
Integrate with your app — see client-configuration.md

Enable MFA

Authentication → Flows → Duplicate Browser flow
Add OTP or WebAuthn authenticator
Set as Required or Conditional
Bind custom flow to realm

Connect LDAP/Active Directory

User Federation → Add LDAP Provider
Configure: URL, Bind DN, Search Base (ou=users,dc=example,dc=com)
Set up attribute mappers
Test connection, then sync

Essential CLI Commands

# Admin CLI setup
bin/kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin

# Realm operations
bin/kcadm.sh create realms -s realm=my-realm -s enabled=true
bin/kcadm.sh get realms/my-realm

# User operations
bin/kcadm.sh create users -r my-realm -s username=john -s enabled=true
bin/kcadm.sh set-password -r my-realm --username john --new-password secret

# Export/Import
bin/kc.sh export --dir /backup --realm my-realm
bin/kc.sh import --dir /backup

Best Practices

Realm separation: one realm per app/environment, never use Master for apps
Token lifespans: access tokens 5–15 min, refresh tokens based on use case
Public clients: always require PKCE
Roles: use groups for assignment, roles for permissions, composite roles for aggregation
Production security: SSL/TLS, brute force protection, MFA for admins, event logging

Reference Documentation

realm-management.md — Realms, users, groups, attributes, sessions
client-configuration.md — OIDC/SAML clients, scopes, mappers, service accounts
authentication-sso.md — Auth flows, MFA, identity brokering, social login
authorization-rbac.md — Roles, fine-grained authorization (UMA), policies, permissions
user-federation.md — LDAP/AD integration, sync, mappers, custom providers
security-hardening.md — Password policies, brute force, TLS, audit, production checklist
ha-scalability.md — Clustering, database tuning, caching, monitoring, backup/DR
troubleshooting.md — Login failures, token issues, LDAP sync, session problems, logging
integration-examples.md — .NET, Spring Boot, Node.js, token validation