Deploy Keycloak on Ubuntu with Docker — the enterprise-grade open-source identity and access management platform with Single Sign-On, OAuth2, OpenID Connect, SAML 2.0, MFA, and user federation.
Grab the automated bash script from GitHub to follow along with the video.
```bash
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/security/keycloak/keycloak-ubuntu.sh
chmod +x keycloak-ubuntu.sh
sudo bash keycloak-ubuntu.sh
```
The script installs Docker and starts Keycloak with a PostgreSQL database backend. Keycloak will be available on port 8080. The script outputs the admin credentials — save them immediately.
Open your browser and navigate to the Keycloak admin console. Log in with the admin credentials from the script output:
```
http://<your-server-ip>:8080/admin
```
In the admin console, click the realm dropdown (top left) and select "Create Realm". Give it a name (e.g. "myrealm") and enable it. Under Users, create your first user — set a username, email, and temporary password. Under Credentials, set a permanent password. Realms are isolated namespaces for users, roles, and applications.
Go to Clients → Create client. Select OpenID Connect, enter your application's client ID, and configure the redirect URIs (the URL Keycloak sends users back to after login). Save the client secret from the Credentials tab. Configure your application's OAuth2/OIDC library with the Keycloak realm URL, client ID, and secret to enable SSO login for your app.
| Port | Purpose |
|---|---|
| 8080 | Keycloak Admin Console & Auth Endpoints (HTTP) |
| 8443 | Keycloak HTTPS (when TLS is enabled) |
| 5432 | PostgreSQL database (internal) |
Keycloak is a production-grade open-source Identity and Access Management (IAM) solution developed by Red Hat. It provides Single Sign-On (SSO), meaning users log in once and get access to multiple applications without re-entering credentials. Keycloak supports OAuth2, OpenID Connect (OIDC), and SAML 2.0 — the same standards used by Google, GitHub, and enterprise identity providers. It includes a full user database, social login integration, multi-factor authentication (TOTP/WebAuthn), brute-force protection, and a powerful admin console. Keycloak is trusted by banks, governments, and large enterprises for securing thousands of applications.
Keycloak eliminates the need to build authentication into every application separately. Instead of managing passwords, sessions, and OAuth flows in each service, you delegate all authentication to Keycloak. This reduces security risk (one hardened auth system instead of many), simplifies user management (one place to create/disable users across all apps), and enables enterprise features like LDAP/Active Directory sync out of the box. It's the professional standard for self-hosted identity management.
Open port 8080 (HTTP) for internal access or put Keycloak behind a reverse proxy on port 443. Port 8443 handles HTTPS if configured with a keystore. Port 5432 (PostgreSQL) should never be exposed — it's internal to the Docker network only.
For simpler use cases, Authentik offers a more modern UI and easier setup. Authelia is a lightweight two-factor authentication proxy without the full IAM features. Casdoor is newer and more developer-friendly. For enterprise scale, FreeIPA combines LDAP, Kerberos, and DNS management. Keycloak remains the most feature-complete open-source IAM platform.
Avoid Keycloak for simple single-application deployments — it's heavyweight for one app. If you only need basic user authentication for a small web app, a library like Passport.js or Django's built-in auth is simpler. Also avoid it if your team lacks expertise in OAuth2/OIDC concepts — misconfigured identity providers create serious security vulnerabilities.
PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.
A realm is an isolated namespace containing its own users, roles, and clients — think of it as a separate 'tenant'. A client is an application registered within that realm that can authenticate users. For example, you might have a 'company' realm with clients for Gitea, Rocket.Chat, and Grafana. Users in the realm can log into all three clients with the same credentials.
Yes. Keycloak supports LDAP and Active Directory synchronization via User Federation. Go to User Federation → Add provider → LDAP. Configure the LDAP server URL, bind credentials, and user search base. Keycloak can sync user accounts, groups, and attributes on demand or periodically. Users can then log into Keycloak-protected apps with their AD credentials.
In Grafana's configuration (grafana.ini), enable the OAuth generic provider pointing to Keycloak's OIDC endpoints. Set the client ID, client secret, and scopes. Keycloak provides a discovery URL at /realms/YOUR_REALM/.well-known/openid-configuration — use this in Grafana's auth.generic_oauth section. Users will log in via Keycloak and be mapped to Grafana roles based on Keycloak groups.
Keycloak issues three types of tokens: an access token (short-lived JWT used by apps to verify identity and authorize API requests), a refresh token (longer-lived token used to get new access tokens without re-login), and an ID token (contains user profile information for the client app). All tokens are JWTs signed by Keycloak's private key.
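Once the client configured in the client-setup step above presents its access token to a backend API, that API has to validate the token itself. The following is an added example (not code from this page): a dependency-free Python check for a Keycloak access token that pins the algorithm to RS256, verifies the signature against the realm's public key, and enforces the Keycloak-specific claims (iss is the realm URL, azp/aud name the client, typ is Bearer, exp/nbf hold). The server URL, realm name and client ID are assumed values; in a real deployment the public key comes from the realm's JWKS endpoint, which this snippet does not fetch.

```python
"""Resource-side checks for a Keycloak access token (added example, not code from the page).
Assumed values: realm "myrealm" on http://keycloak.example.com:8080 and client ID "myapp". Keycloak
signs access tokens with RS256; (n, e) would come from the realm's JWKS endpoint (not fetched here)."""
import base64, hashlib, hmac, json, time

ISSUER = "http://keycloak.example.com:8080/realms/myrealm"
CLIENT_ID = "myapp"
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo for SHA-256, RFC 8017 s9.2

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def rs256_verify(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    """RSASSA-PKCS1-v1_5 / SHA-256 check with plain modular exponentiation against the realm key (n, e)."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, expected)

def check_claims(claims: dict, now: float, leeway: int = 30) -> list:
    """Return why a Keycloak access token must be rejected (empty list = accept)."""
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss does not match the realm")
    if claims.get("typ") != "Bearer":  # Keycloak marks ID tokens "ID" and refresh tokens "Refresh"
        problems.append("not an access token")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if claims.get("azp") != CLIENT_ID and CLIENT_ID not in aud:
        problems.append("token was not issued to this client")
    if claims.get("exp", 0) + leeway < now:
        problems.append("expired")
    if claims.get("nbf", 0) - leeway > now:
        problems.append("not yet valid")
    return problems

def validate_token(token: str, n: int, e: int, now=None) -> dict:
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(head_b64)).get("alg") != "RS256":  # never accept "none" or HS*
        raise ValueError("unexpected alg")
    if not rs256_verify(f"{head_b64}.{body_b64}".encode(), b64url_decode(sig_b64), n, e):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    problems = check_claims(claims, time.time() if now is None else now)
    if problems:
        raise ValueError("; ".join(problems))
    return claims
```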
Yes. Keycloak supports TOTP (Google Authenticator, Authy), WebAuthn (hardware security keys like YubiKey), and SMS OTP via custom providers. Enable MFA in Authentication → Policies → set OTP policy to Required. You can make MFA optional (users choose) or mandatory (required for all users). Conditional MFA based on client, IP, or role is also supported.
SSO session lifetime is configured in Realm Settings → Sessions. The SSO Session Max (default 10 hours) is how long a user stays logged in without activity. The Access Token Lifespan (default 1 minute in newer versions, 5 minutes in older) is how long issued tokens are valid. When the access token expires, the client uses the refresh token to get a new one transparently.
Yes. Keycloak supports clustering using Infinispan for distributed session and cache management. Multiple Keycloak nodes share the PostgreSQL database and communicate via multicast or JDBC_PING discovery. Put a load balancer (HAProxy, Nginx, Caddy) in front of the cluster. All nodes must be configured with the same cluster configuration and share the same database.
Keycloak is older, more battle-tested, and more feature-complete — it's the industry standard with excellent SAML support and a huge ecosystem. Authentik is newer with a more modern UI, easier initial setup, and better documentation for common integrations. Keycloak is better for complex enterprise requirements (SAML federations, fine-grained authorization). Authentik is better for teams that want quicker onboarding.