In this exclusive interview, Rahul speaks with Thomas Darimont, a digital identity consultant and Keycloak community expert, about the evolving security landscape in identity management and the promising Shared Signals Framework (SSF), which could revolutionize the way we handle security incidents in federated systems.
Pioneers in Digital Identity: Enhancing Security Through Shared Signals
Rahul: Thomas, thank you very much for taking the time to speak with us after your presentation at Keycloak Dev Day 2025. Could you give our readers—who may not be very familiar with this field yet—a brief overview of Keycloak and its importance in today’s digital landscape?
Thomas: You’re welcome, Rahul. Keycloak is an open-source solution for identity and access management that has become a critical infrastructure component for many companies. It handles authentication and authorization processes and essentially determines who can access what within digital environments. What makes it particularly powerful is that it is now under the umbrella of the Cloud Native Computing Foundation, although Red Hat remains heavily involved in its development. This foundation lends Keycloak a high degree of credibility in the enterprise sector while preserving the innovation advantages of open source.
Rahul: The Keycloak Dev Day 2025 in Darmstadt has just wrapped up. Can you share your impressions of the event with us and tell us what it says about the Keycloak ecosystem?
Thomas: I was completely blown away by the breadth and depth of Keycloak expertise presented at the event. It has become one of the most important conferences for learning and sharing Keycloak best practices. We had over 170 attendees, 18 talks, a keynote, and more than 25 speakers and maintainers. For a one-day, project-specific event, that’s a remarkable turnout.
What makes it special is that it’s truly a “community reunion” for Keycloak developers. The day before the conference, a hackathon was held where people of all skill levels could contribute—by fixing bugs, adding features, improving the documentation, or cleaning up the issue tracker. This hands-on approach embodies the open-source ethos: you don’t just use Keycloak, you also help build it and shape its direction.
Rahul: Your presentation focused on the Shared Signals Framework. Can you explain what SSF is and why it’s important for identity security?
Thomas: The Shared Signals Framework is a new standard that addresses a critical security vulnerability in federated identity systems. Think, for example, of how you can use your Google login for multiple services—that’s federated identity. SSF creates a standardized, secure way for all the different components in this ecosystem—identity providers and the services you log in to—to quickly exchange security information.
These may include critical warnings such as “This user’s session must be terminated” or “We believe these credentials may have been compromised.” The most significant new feature is standardization—reliable communication between different systems regarding security has been a challenge up to now, and SSF is designed to solve this problem.
Rahul: That sounds significant. Can you use a practical example to show us how SSF might work in a real-world scenario?
Thomas: Imagine the following scenario: You log in to your bank, your health portal, and your work applications, using a single identity provider (IDP) for each. If this IDP is compromised without SSF, your bank and other connected services may not be aware of the security breach. They would continue to accept logins, creating a significant vulnerability that attackers could potentially exploit to access all your connected services.
With SSF, the compromised IDP would immediately send a signal: “There is a problem with this user.” The connected services would receive this signal and could take immediate action—logging users out everywhere, temporarily locking accounts, forcing password resets, or requiring stricter authentication methods for subsequent login attempts. This would contain the security breach much faster than with traditional methods.
Rahul: So the idea is to shift from reactive to proactive security?
Thomas: Exactly. Instead of waiting for each service to detect suspicious activity independently, SSF enables real-time information sharing from the source that first identified the problem. This shift from reactive to proactive security measures can drastically reduce the impact of security incidents.
Rahul: How does Keycloak fit into the SSF ecosystem?
Thomas: I’ve demonstrated a proof of concept showing how Keycloak functions as an SSF recipient. This is promising because it shows that Keycloak could play a key role in this security ecosystem. However, the details of the implementation have not yet been finalized—the community is still debating whether the SSF functionality should be integrated directly into the core of Keycloak or developed as a separate add-on.
It is important that the Keycloak community seriously explore how SSF can be used to improve security. This aligns perfectly with the open-source approach, in which the community collaboratively determines the best implementation path.
Rahul: Speaking of the community: How do you see Keycloak’s overall development and future direction?
Thomas: The Keycloak community is remarkably active. It’s not just Red Hat driving the code forward; there are also significant contributions from people who use Keycloak in production environments every day. The community regularly produces new features, detailed blog posts explaining implementation approaches, and shared best practices.
This diversity of contributions is both a challenge and a strength. While it takes time to reach consensus in open source, the variety of perspectives leads to a more robust and flexible product. Keycloak’s adoption across various industries demonstrates this flexibility—it is not designed for a single niche but can handle many different identity scenarios. This adaptability is crucial, as identity management is inherently complex and convoluted. The fact that Keycloak works effectively in so many contexts suggests that its core design is fundamentally sound.
Rahul: You mentioned that you want to make Keycloak more accessible to newcomers. What initiatives are underway in this regard?
Thomas: This is something that’s particularly important to me. We’re working on improving the documentation, especially by adding more practical step-by-step guides for common scenarios, such as securing single-page applications or mobile apps.
Keycloak is powerful, but that power can be intimidating at first. Better examples and documentation help lower this barrier to entry. The question of how to reduce the underlying complexity without sacrificing performance is always a challenge, but targeted improvements to the documentation are a practical first step while longer-term discussions about the architecture continue.
Rahul: For someone interested in contributing to Keycloak, what would be some good ways to get started in the community?
Thomas: There are several ways to get involved. One of the easiest is to provide translations through the Weblate platform. You don’t need to know how to code, but you’re making Keycloak more accessible worldwide—that’s a significant impact.
Developers should start by reviewing the contributor guidelines in the code repository. These guidelines explain how to format code, run tests, and submit changes—in other words, the standard process. To contribute to the code, look for issues tagged “help wanted”—these are usually smaller tasks like bug fixes, typos, or UI optimizations that allow you to get to know the codebase without tackling something big right away.
Testing is crucial for security software. Every real code change requires thorough integration testing, and the community is working to make the testing framework more accessible. Easier testing leads to more testing, which in turn leads to more reliable software—a virtuous cycle.
Also, don’t underestimate the community as a resource. Join the Slack channels, take part in online meetups, and consider attending events like Dev Day or the upcoming KeyKloon in Amsterdam. Interacting with other users often provides the most practical knowledge and the best insights.
Rahul: Is there a risk in relying so heavily on community support? What happens if key contributors leave?
Thomas: This is always an issue with open source, but a healthy community doesn’t depend on just one or two people. Keycloak’s goal is to encourage new contributors and widely share knowledge. This helps spread expertise and ensures continuity, even though individual participation naturally changes over time.
Rahul: To wrap up: In your opinion, what are the most important developments on the horizon for identity management, and specifically for Keycloak?
Thomas: Standards like the Shared Signals Framework represent a major step forward in securing federated identity systems. As our digital lives become increasingly interconnected and services are often linked to central identity providers, the security of these connections is becoming increasingly important.
Keycloak’s focus on implementing open standards while maintaining its community-driven development approach positions it well for the future. Effective identity management is no longer optional—it is fundamental to digital security. The combination of Keycloak’s technical foundation and its dedicated community creates a powerful platform for addressing new security challenges.
Rahul: One last question—what key takeaways should companies take from this discussion about SSF and identity management?
Thomas: I would encourage everyone to think about just how interconnected digital services have become. Consider all the online services your company uses and how they’re linked together. Now imagine if they could exchange security alerts in real time through something like SSF—how would that change the security landscape? The potential implications are significant.
Whether you’re already using Keycloak or are just starting to explore identity management solutions, engaging with the community is invaluable. Check out the project, attend a meetup, and join the discussions. Especially when it comes to security, this shared learning and exchange of experiences leads to stronger protection for everyone.
Rahul: Thomas, thank you very much for these valuable insights into Keycloak and the Shared Signals Framework.
Thomas: It was my pleasure, Rahul. Thank you very much for helping to raise awareness of these important developments in the field of identity security.
This interview has been edited for clarity and brevity. Stay tuned for the next installment of our series “Pioneers of Digital Identity,” in which we’ll continue to explore the technologies and standards that are transforming identity management in the digital age.



