Keycloak

Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to: Web applications, microservices architectures, APIs.
Cloud deployment model: Public cloud

Private cloud

Community cloud

Hybrid cloud
Service constraints: Users must be manually added
System requirements: OpenJDK 17 if running bare metal

User support

Email or online ticketing support: Email or online ticketing
Support response times: Standard support normally within 4 business hours.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: No
Support levels: L1: Tier/Level 1(T1/L1) Initial support level responsible for basic customer issues. Gathering information to determine the issue by analysing the symptoms and figuring out the underlying problem. L2: Tier/Level 2(T2/L2) This is a more in-depth technical support level than Tier I containing experienced and more knowledgeable personnel on a particular product or service. L3 Tier/Level 3(T3/L3) Individuals are experts in their fields and are responsible for not only assisting both Tier I and Tier II personnel, but with the research and development of solutions to new or unknown issues. Severity Definitions 1- Critical: Proven Error of the Product in a production environment. The Product Software is unusable, resulting in a critical impact on the operation. No workaround is available. 2- Serious: The Product will operate but due to an Error, its operation is severely restricted. No workaround is available. 3- Moderate: The Product will operate with limitations due to an Error that is not critical to the overall operation. For example, a workaround forces a user and/or a systems operator to use a time consuming procedure to operate the system; or removes a nonessential feature. 4- Due to an Error, the Product can be used with only slight inconvenience.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Consultancy to get the service up and running, upgrades, maintenance.

Documentaton at: https://www.keycloak.org/documentation.
Service documentation: Yes
Documentation formats: HTML

PDF
End-of-contract data extraction: All data resides inside the customer´s own cloud/onprem account.
End-of-contract process: Keycloak upgrades, consultancy, service maintenance will end.

Using the service

Web browser interface: Yes
Supported browsers: Internet Explorer 11

Microsoft Edge

Firefox

Chrome

Safari

Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: None
Service interface: Yes
User support accessibility: WCAG 2.1 AA or EN 301 549
Description of service interface: Keycloak offers a web-based console that allows administrators to manage realms, users, roles, groups, and permissions. This interface is intuitive and offers extensive customization options for user management.
Accessibility standards: WCAG 2.1 AA or EN 301 549
Accessibility testing: None
API: Yes
What users can and can't do using the API: What Users Can Do:

User Management:
Create, update, and delete users.
Manage user attributes, required actions, and user credentials.
List users, search for users by attributes, and get details of specific users.

Role and Group Management:
Create, list, update, and delete roles.
Assign and remove roles to/from users.
Manage groups and group memberships.

Realm Management:
Create and manage multiple realms.
Configure realm settings such as email, themes, and tokens.

Client Management:
Create, update, and delete clients.
Manage client roles and scopes.
Configure client adapters and protocol mappers.

Session Management:
View and manage user sessions.
Log out sessions and manage user consents.

Handling Events and Auditing:
Retrieve login and admin events.
Configure event listeners and event providers.

What Users Can't Do:

Direct User Authentication:
The Admin API does not handle direct user authentication like login; it's meant for backend services managed by server-side applications.

End-User Activities:
It does not directly support activities that end-users typically perform through a client application, such as changing their own password, managing their profile, or initiating password reset flows outside of an admin context.
API documentation: Yes
API documentation formats: Open API (also known as Swagger)

HTML
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Login page can be customised, password recovery,

If done through YAML config (Kubernetes) or if standalone from a config file.

System Administrators can customise.

Scaling

Independence of resources: Keycloak is highly available and can be ran across multiple availability zones and regions.

Can be deployed into clients own environment

Analytics

Service usage metrics: Yes
Metrics types: CPU and memory usage
Number of requests made
Packets dropped
Logs
Network rates
Reporting types: API access

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom

European Economic Area (EEA)

Other locations
User control over data storage and processing locations: Yes
Datacentre security standards: Supplier-defined controls
Penetration testing frequency: Never
Protecting data at rest: Encryption of all physical media
Data sanitisation process: No
Equipment disposal approach: In-house destruction process

Data importing and exporting

Data export approach: Data in the realm can be exported to JSON files
Data export formats: Other
Other data export formats: JSON
Data import formats: Other
Other data import formats: JSON

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)

Legacy SSL and TLS (under version 1.2)
Data protection within supplier network: TLS (version 1.2 or above)

Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability: Based on a clients needs and budget. It can be made to be 100% available if required.
Approach to resilience: Highly available over multiple availability zones and regions (AWS)
Fault tolerant
Outage reporting: Any of the listed methods when integrated with a third party monitoring service such as Grafana; otherwise outaqes are not reported.

Identity and authentication

User authentication needed: No
Access restrictions in management interfaces and support channels: Access to management interfaces and support channels is restricted through a combination of username and passwords, multifactor authentication, firewalling, IP restrictions, the use of bastion hosts as appropriate.
Access restriction testing frequency: At least once a year
Management access authentication: 2-factor authentication

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: Other
Other security governance standards: Cyber Essentials
Information security policies and processes: Millersoft Keycloak service follows AWS best practice on security https://aws.amazon.com/security/. We have a range of technical and organisational measures to ensure data security and protection. These cover Access, Roles and Responsibilities, Resource/asset management, Access Control & Authentication, Workstation & Device Security, Network/Communications Security, Back-up, mobile/portable device security, and physical security of our premises. Staff training and awareness is ongoing, staff / contractors must sign confidentiality and privacy statements and read and sign company security policy. Sanctions are applicable for non-compliance. Our reporting structure if a security breach happens or is suspected: staff are trained to and required to immediately flag to DPO and CEO and lock down or isolate the breach where feasible; DPO/CEO will take immediate action including isolation or lock down of affected systems, notification to affected parties, implementation of business continuity and disaster recovery. Risk impact reviews are conducted when a new data category is processed, or system implemented, and security measures adapted as necessary. Category logs, training logs, access logs, and breach logs are maintained, reviewed and signed off periodically by the assigned DPO and CEO.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: All code is under version control using git Jenkins is used to build releases. An automated test framework is used for integration testing. Changes are tracked via jira Cloudformation is used to deploy via AWS Marketplace
Vulnerability management type: Undisclosed
Vulnerability management approach: Millersoft Keycloak emphasizes security through proactive measures including regular security audits, community engagement for vulnerability reporting, and prompt release of patches. It employs automated security testing within its CI/CD pipeline, offers detailed security documentation, and maintains a responsible disclosure policy. Organizations are advised to integrate Keycloak with existing security tools for enhanced monitoring and to follow the project's security advisories for timely updates. These practices ensure ongoing prioritization of security, safeguarding user data and maintaining the integrity of the identity management platform.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: All logs go to AWS Cloudwatch for auditing, monitoring and alerting
Incident management type: Supplier-defined controls
Incident management approach: Detection and Reporting: Monitoring systems detect anomalies and issues are reported by users or automated systems.

Response: A dedicated team assesses the incident to determine its impact and urgency.

Analysis and Investigation: The team investigates to identify the root cause and extent of the incident.

Resolution and Recovery: Steps are taken to resolve the issue and restore service to normal operations.

Post-Incident Review: Analyze the incident to improve future response and prevent recurrence.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No

Social Value

Tackling economic inequality

We believe that our social mission to assist young people into employment is compatible with the guidelines laid out in the Governments Social Value theme of tacking economic inequality (MAC 2.2). Wherever it has the opportunity to do so, Millersoft has and continues to offer placements, internships and employment to technology students from the deprived local area studying in local colleges and universities with whom we hold relations. Our method is to provide initial training and inductions to suitable internees before assigning them to live projects, where they are monitored, supported, challenged, and encouraged by experienced senior consultants and developers. As an organisation that values fresh and radical ideas to find new products and solutions to solve existing problems, internees are also encouraged to share their thoughts and ideas in a stimulating and collaborative environment, and often asked to implement, test and deploy them into real world projects. Regular development reviews are held with internees and progress objectives adapted accordingly. Internees, as is the case with all staff, receive regular training in the latest technologies which may cover Cloud Technologies (staff are trained to be Amazon Web Service Engineers and Architects), data processing tools, database management, project management, security. In most cases internees become full time employees at Millersoft once they graduate and are already well equipped to take on more responsibility and autonomy within the company.

Pricing

Price: £700 a unit a day
Discount for educational organisations: No
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Keycloak

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents