What is IAM / Keycloak?
IAM (identity and access management) covers the administration of digital identities and their access rights — that is, who signs in how and what they are allowed to access. Keycloak is a widely used open-source IAM solution that provides single sign-on, multi-factor authentication and standard protocols such as OpenID Connect and OAuth 2.0.
Also known as: identity and access management · identity management · single sign-on · SSO · OpenID Connect
Where IAM / Keycloak is used
IAM answers two core questions: authentication (who is the user?) and authorization (what may they do?). A central IAM solution bundles sign-in, roles and rights instead of scattering them across many applications. This shrinks the attack surface, because one hardened login replaces many home-grown ones, and it simplifies administration: a joiner is provisioned once, a leaver is deprovisioned once, rather than per application.
Keycloak is an established open-source platform for this. It offers single sign-on across multiple applications, supports multi-factor authentication and relies on open standards such as OpenID Connect, OAuth 2.0 and SAML. This makes it possible to bring your own applications and third-party systems together under unified identity management.
A practical example
A SaaS platform needs a secure, central sign-in for its users. Keycloak handles authentication and identity management, enforces multi-factor authentication and issues ID and access tokens via OpenID Connect. The individual application components therefore do not manage logins and passwords themselves; they validate the tokens issued by the central identity solution and trust the identity and roles those tokens carry.
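The following is an added example, not code from this page or from the Keycloak project. It shows what "trusting the central identity solution" means on the receiving side: an API component of the SaaS platform checks a Keycloak-style access token (authentication: who is calling?) and then decides from the realm roles in the token whether the call is allowed (authorization: what may they do?), the two questions the FAQ separates. To run offline it mints its own token with HS256 and a shared secret; a real Keycloak realm signs with RS256 and publishes its public keys under `/realms/<realm>/protocol/openid-connect/certs`, so in production the HMAC check is replaced by an RS256 check against that JWKS. The claim layout follows what Keycloak issues; realm URL, client id, user and secret are constructed.

```python
"""Resource-side validation of a Keycloak-style access token.

Added example, not code from the page or from the Keycloak project. It stays
offline, so it mints its own token with HS256 and a shared secret; a real
Keycloak realm signs with RS256 and publishes the public keys at
/realms/<realm>/protocol/openid-connect/certs (JWKS), and a real resource
server fetches those keys and verifies RS256 in place of the HMAC below.
Claim names (iss, aud, azp, typ, exp, realm_access.roles, preferred_username)
follow Keycloak's default token layout; realm, client and user are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://id.example.com/realms/saas"  # assumed realm URL (constructed)
AUDIENCE = "billing-api"                        # assumed client id of this API (constructed)
SECRET = b"constructed-demo-secret-not-for-production"  # stands in for the realm signing key


class TokenError(Exception):
    """Any reason the token cannot establish an identity (-> HTTP 401)."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Stand-in for Keycloak's token endpoint (HS256 for the demo; Keycloak uses RS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def authenticate(token: str, now=None) -> dict:
    """Authentication: establish WHO is calling by checking that the token was
    issued by our realm, for this API, is intact and still valid."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose (e.g. "none")
            raise TokenError("unexpected alg")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise TokenError("bad signature")
        claims = json.loads(b64url_decode(p))
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise TokenError(f"malformed token: {exc}") from exc
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # Keycloak emits a string for one audience, a list for several
    if AUDIENCE not in aud:
        raise TokenError("token was not issued for this API")
    if claims.get("typ") != "Bearer":  # Keycloak marks access tokens "Bearer" and ID tokens "ID"
        raise TokenError("not an access token")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    return claims


def authorize(claims: dict, required_role: str) -> bool:
    """Authorization: decide WHAT the authenticated user may do from the realm roles in the token."""
    return required_role in claims.get("realm_access", {}).get("roles", [])


def handle_request(token: str, required_role: str, now=None) -> int:
    """401 when no identity can be established, 403 when it can but the role is missing, else 200."""
    try:
        claims = authenticate(token, now)
    except TokenError:
        return 401
    return 200 if authorize(claims, required_role) else 403


def demo_token(**overrides) -> str:
    """A constructed token as Keycloak would issue it to the SaaS front end for the billing API."""
    claims = {
        "iss": ISSUER,
        "aud": [AUDIENCE, "account"],
        "azp": "saas-frontend",  # the client that obtained the token (constructed)
        "typ": "Bearer",
        "sub": "c0ffee00-0000-4000-8000-000000000001",
        "preferred_username": "alice",
        "iat": 1_700_000_000,
        "exp": 1_700_000_300,  # Keycloak access tokens are short-lived (minutes)
        "realm_access": {"roles": ["user"]},
    }
    claims.update(overrides)
    return mint_token(claims)


if __name__ == "__main__":
    now = 1_700_000_100
    print(handle_request(demo_token(), "user", now))         # 200
    print(handle_request(demo_token(), "admin", now))        # 403
    print(handle_request(demo_token(), "user", now + 300))   # 401 (expired)
```

The order of checks matters: the algorithm is pinned before anything else is trusted, the signature is verified before the claims are read, and issuer and audience are checked so that a valid token minted for another realm or another API is rejected rather than silently accepted. Only after identity is established do roles come into play, which is why a missing role yields 403 and any failure before that yields 401.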
How it relates & how smiit uses it
IAM is the overarching concept; Keycloak is one concrete tool for implementing it. IAM is the layer at which multi-factor authentication is enforced and is a central building block of IT security, but it is distinct from network security, which addresses traffic and segmentation. For Claimity AG, smiit used Keycloak for identity and MFA, anchoring a secure, GDPR-compliant sign-in within the Azure infrastructure.
Common mistakes & misconceptions
- Identity and access management is often equated with mere user administration; it also covers authentication, authorization, roles and the entire identity lifecycle.
- Many believe Keycloak is ready to run without maintenance after installation; in production, updates, high availability and secure configuration require ongoing attention.
- There is a misconception that building your own login solution is easier than using an established identity provider. Yet standards like OpenID Connect and OAuth 2.0 are security-critical and easy to implement wrongly: token signature and audience validation, redirect URI handling, and the state, nonce and PKCE checks each protect against a specific attack, and a home-grown login tends to skip at least one of them.
Frequently asked questions
What is the difference between authentication and authorization?
Authentication verifies who a user is, for example via password and second factor. Authorization defines what that authenticated user is allowed to access. IAM solutions such as Keycloak manage both centrally: they perform the sign-in and put the resulting identity and roles into tokens that applications evaluate.
Why a central IAM solution instead of login per application?
A central solution reduces security risks, enables single sign-on and considerably simplifies the management of users and rights. Changes only have to be maintained in one place.
What is the difference between Keycloak and a cloud service like Microsoft Entra ID?
Keycloak is a self-hostable open-source solution that offers full control over configuration and data storage. Cloud services such as Microsoft Entra ID run as a managed service and reduce operational effort. The choice depends on requirements around control, operations and integration.
What do OpenID Connect and OAuth 2.0 stand for?
OAuth 2.0 is a framework for delegated authorization: an application obtains scoped access to a resource on a user's behalf, typically as an access token, without ever seeing the user's password. OpenID Connect is an identity layer built on top of OAuth 2.0 that adds authentication: the ID token tells the application who signed in, at which identity provider and when. Both are open standards, and together they enable a central login across multiple applications.
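The exchange behind that answer, as an added example that is not part of the original page and not Keycloak's own code: the OpenID Connect authorization code flow with PKCE, with the client side and a simulated Keycloak side. The endpoint paths follow Keycloak's layout (`/realms/<realm>/protocol/openid-connect/auth` and `/token`); realm URL, client id and redirect URI are constructed, nothing is sent over the network, and the simulated ID token is an unsigned payload so that the nonce check can be shown (a real client verifies the ID token signature against the realm's JWKS first). Each of `state`, `code_challenge` and `nonce` protects against one concrete attack, and the simulation exercises the failure case for each.

```python
"""OpenID Connect authorization code flow with PKCE against a Keycloak realm.

Added example, not code from the page or from the Keycloak project. Endpoint
paths follow Keycloak's layout (/realms/<realm>/protocol/openid-connect/auth
and /token). Realm, client and redirect URI are constructed, and the Keycloak
side is simulated only as far as needed to show what each check defends:
state against CSRF on the callback, PKCE against use of a stolen code,
nonce against replaying an ID token from another login.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

REALM_URL = "https://id.example.com/realms/saas"   # constructed realm URL (issuer)
CLIENT_ID = "saas-frontend"                          # constructed public client
REDIRECT_URI = "https://app.example.com/callback"    # constructed, registered at the client


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """S256 method of RFC 7636: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def begin_login() -> tuple[dict, str]:
    """Client, step 1: keep per-login secrets in the session, send the browser to Keycloak."""
    session = {
        "code_verifier": b64url(secrets.token_bytes(32)),  # 43 chars, within RFC 7636's 43..128
        "state": secrets.token_urlsafe(16),                # binds the callback to this browser session
        "nonce": secrets.token_urlsafe(16),                # binds the ID token to this login attempt
    }
    params = {
        "response_type": "code",           # OAuth 2.0: ask for an authorization code
        "scope": "openid profile email",   # "openid" makes it OIDC: an ID token will be issued
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return session, f"{REALM_URL}/protocol/openid-connect/auth?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Client, step 2: check state, then build the form for POST {REALM_URL}/protocol/openid-connect/token."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: this callback was not started by this session")
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],  # the verifier leaves the client only here, over TLS
    }


def keycloak_token_endpoint(issued_codes: dict, form: dict) -> dict:
    """Keycloak side (simulated): redeem a code once, and only with the matching verifier."""
    record = issued_codes.pop(form.get("code"), None)  # authorization codes are single use
    if record is None or record["client_id"] != form["client_id"] or record["redirect_uri"] != form["redirect_uri"]:
        return {"error": "invalid_grant"}
    if pkce_challenge(form["code_verifier"]) != record["code_challenge"]:
        return {"error": "invalid_grant"}  # a stolen code without the verifier is worthless
    id_claims = {"iss": REALM_URL, "aud": CLIENT_ID, "sub": "c0ffee00-0000-4000-8000-000000000001",
                 "nonce": record["nonce"]}  # Keycloak echoes the nonce from the /auth request
    return {"token_type": "Bearer", "access_token": "opaque-for-this-demo",
            "id_token": b64url(json.dumps(id_claims).encode())}  # payload only; real tokens are signed JWTs


def check_id_token(session: dict, id_token_payload: str) -> bool:
    """Client, step 3 (after signature verification, not shown): accept the ID token only for this login."""
    claims = json.loads(base64.urlsafe_b64decode(id_token_payload + "=" * (-len(id_token_payload) % 4)))
    return (claims.get("iss") == REALM_URL and claims.get("aud") == CLIENT_ID
            and claims.get("nonce") == session["nonce"])


def simulate_login(stolen_code_only: bool = False) -> tuple[dict, dict]:
    """Run one login end to end; with stolen_code_only, redeem the code without the real verifier."""
    session, auth_url = begin_login()
    auth = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}  # what Keycloak received
    code = secrets.token_urlsafe(24)                                            # what Keycloak issued
    issued_codes = {code: {"client_id": auth["client_id"], "redirect_uri": auth["redirect_uri"],
                           "code_challenge": auth["code_challenge"], "nonce": auth["nonce"]}}
    callback = f"{REDIRECT_URI}?{urlencode({'code': code, 'state': auth['state']})}"
    form = handle_callback(session, callback)
    if stolen_code_only:
        form["code_verifier"] = b64url(secrets.token_bytes(32))  # attacker has the code, not the verifier
    return session, keycloak_token_endpoint(issued_codes, form)
```

Read the roles: `access_token` is the OAuth 2.0 part and is what the application presents to APIs; `id_token` is the OpenID Connect part and is consumed by the application itself to learn who signed in. The nonce check is what stops an ID token captured from one login being injected into another session.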
Does single sign-on mean one password is enough for everything?
Single sign-on means users sign in centrally once and can then use multiple applications without logging in again. It does not replace the security of that single sign-in — on the contrary, this one login is usually additionally protected with multi-factor authentication.