In this exclusive interview, Rahul speaks with Thomas Darimont, digital identity consultant and Keycloak community expert, about the evolving security landscape for identity management and the promising Shared Signals Framework (SSF) that could revolutionize how we handle security incidents across federated systems.
Digital Identity Pioneers: Enhancing Security through Shared Signals
Rahul: Thomas, thank you for speaking with us after your presentation at Keycloak Dev Day 2025. For our readers who might be new to the space, could you give us a brief overview of what Keycloak is and its significance in today’s digital landscape?
Thomas: My pleasure, Rahul. Keycloak is an open-source identity and access management solution that’s become critical infrastructure for many organizations. It handles authentication and authorization processes, essentially determining who can access what within digital environments. What makes it particularly powerful is that it’s now under the Cloud Native Computing Foundation umbrella, though Red Hat remains heavily involved in its development. This foundation gives it strong credibility in the enterprise space while maintaining the innovation advantages of open source.
Rahul: Keycloak Dev Day 2025 just wrapped up in Darmstadt. Could you share your impressions of the event and what it tells us about the Keycloak ecosystem?
Thomas: I was completely overwhelmed by the breadth and richness of Keycloak knowledge at the event. It’s become a top conference for learning and sharing Keycloak best practices. We had over 170 attendees, 18 talks, a keynote, and more than 25 speakers and maintainers. For a one-day, project-specific event, that’s remarkable attendance.
What makes it special is that it’s truly a “community class reunion” for Keycloak developers. The day before featured a pre-conference hackathon where people of all skill levels could contribute – fixing bugs, adding features, improving documentation, or cleaning up the issue list. This hands-on approach epitomizes the open-source ethos: you’re not just using Keycloak, you’re helping build it and influence its direction.
Rahul: Your talk focused on the Shared Signals Framework. Can you explain what SSF is and why it matters for identity security?
Thomas: The Shared Signals Framework is an emerging standard that addresses a critical security gap in federated identity systems. Think about how you might use your Google login across multiple services – that’s federated identity. SSF creates a standardized, secure way for all the different components in this ecosystem – identity providers and the services you log into – to share security information rapidly.
This could be critical alerts like “this user’s session needs to be terminated” or “we believe these login credentials might be compromised.” The key innovation is standardization – getting different systems to communicate reliably about security has historically been challenging, and SSF aims to solve that.
Rahul: That sounds significant. Could you walk us through a practical example of how SSF might work in a real-world scenario?
Thomas: Consider this scenario: You log into your bank, health portal, and work applications all using one identity provider (IDP). If that IDP gets compromised without SSF, your bank and other connected services might not know about the breach. They’d continue accepting logins, creating a significant vulnerability where attackers could potentially access all your connected services.
With SSF implemented, the compromised IDP would immediately broadcast a signal: “There’s a problem with this user.” Connected services would receive this signal and could take immediate action – logging users out everywhere, temporarily locking accounts, forcing password resets, or requiring stronger authentication methods for subsequent login attempts. It effectively contains the breach much faster than traditional methods.
Rahul: So it’s about moving from reactive to proactive security?
Thomas: Exactly. Rather than waiting for each service to independently detect suspicious activity, SSF enables real-time intelligence sharing from the source that first identifies the problem. This shift from reactive to proactive security response can dramatically reduce the impact window of security incidents.
Rahul: How does Keycloak fit into the SSF ecosystem?
Thomas: I demonstrated a proof of concept showing Keycloak functioning as an SSF receiver. This is promising as it shows Keycloak could play a significant role in this security ecosystem. However, the implementation details aren’t finalized yet – the community is still discussing whether SSF functionality should be built directly into Keycloak’s core or developed as a separate add-on.
What’s important is that the Keycloak community is seriously exploring how to leverage SSF to enhance security. This aligns perfectly with the open-source approach – letting the community collaboratively determine the best implementation path.
Rahul: Speaking of the community, what’s your perspective on Keycloak’s overall evolution and future direction?
Thomas: The Keycloak community is remarkably vibrant. It’s not just Red Hat pushing code; there are substantial contributions from people using Keycloak in production environments daily. You see new features, detailed blog posts explaining implementation approaches, and shared best practices regularly emerging from the community.
This diversity of input is both a challenge and a strength. While building consensus in open source takes time, the varied perspectives lead to a more robust, flexible product. Keycloak’s adoption across diverse industries demonstrates this flexibility – it’s not designed for just one niche but can handle many different identity scenarios. This adaptability is crucial because identity management is inherently complex and messy. The fact that Keycloak works effectively in so many contexts suggests its core design is fundamentally sound.
Rahul: You mentioned making Keycloak more accessible to newcomers. What initiatives are happening in that direction?
Thomas: This is something I’m particularly passionate about. We’re working on improving documentation, especially adding more practical, step-by-step guides for common scenarios like securing single-page applications or mobile apps.
While Keycloak is powerful, that power can be intimidating when you first encounter it. Better examples and documentation help lower that barrier to entry. The question of reducing underlying complexity without sacrificing capability is always challenging, but targeted documentation improvement represents a practical immediate step while longer-term architectural discussions continue.
Rahul: For someone interested in contributing to Keycloak, what would be good entry points into the community?
Thomas: There are several approachable paths. One of the easiest is contributing translations through the Weblate platform. You don’t need to code, but you’ll make Keycloak more accessible globally – that’s a significant impact.
For developers, start with the contributor guidelines in the code repository. These explain how to format code, run tests, and submit changes – the standard process. For coding contributions, look for issues labeled as “help wanted” – these are typically smaller tasks like bug fixes, typos, or UI tweaks that help you learn the codebase without taking on something massive as your first contribution.
Testing is crucial for security software. Any real code change needs good integration tests, and the community is working to make the testing framework itself more accessible. Making testing easier generates more tests, which produces more reliable software – a virtuous cycle.
Finally, don’t underestimate the community as a resource. Join the Slack channels, participate in online meetups, and consider attending events like Dev Day or the upcoming KeyKloon in Amsterdam. Connecting with other users often provides the most practical knowledge and insights.
Rahul: Is there a risk in relying so heavily on community support? What happens if key contributors leave?
Thomas: That’s always a concern in open source, but a healthy community isn’t dependent on just one or two individuals. The ideal – which Keycloak strives for – is to nurture new contributors and spread knowledge broadly. This distributes expertise and ensures continuity even as individual participation naturally changes over time.
Rahul: As we wrap up, what do you see as the most significant developments on the horizon for identity management and Keycloak specifically?
Thomas: Standards like the Shared Signals Framework represent a major step forward in securing federated identity systems. As our digital lives become increasingly interconnected, with services frequently linked to central identity providers, the security of these connections becomes ever more critical.
Keycloak’s focus on implementing open standards while maintaining its community-driven development approach positions it well for the future. Good identity management isn’t optional anymore – it’s fundamental to digital security. The combination of Keycloak’s technical foundation and its engaged community creates a powerful platform for addressing emerging security challenges.
Rahul: One final question – what should organizations take away from this conversation about SSF and identity management?
Thomas: I’d encourage everyone to think about how interconnected their digital services have become. Consider all the online services your organization uses and how they’re linked. Now imagine if they could share security warnings in real-time using something like SSF – how would that change your security posture? The potential impact is substantial.
Whether you’re already using Keycloak or just exploring identity management solutions, engaging with the community is invaluable. Check out the project, attend a meetup, participate in discussions. In the security space particularly, that collaborative learning and sharing of experiences leads to stronger protection for everyone.
Rahul: Thomas, thank you for these valuable insights into Keycloak and the Shared Signals Framework.
Thomas: It’s been my pleasure, Rahul. Thank you for helping spread awareness about these important developments in identity security.
This interview has been edited for clarity and length. Stay tuned for the next episode in our “Digital Identity Pioneers” series, where we’ll continue exploring the technologies and standards that are transforming how we manage identity in the digital age.



