In today’s complex digital landscape, managing user identities securely across multiple applications remains one of the most challenging aspects of enterprise IT. At intension, we regularly explore solutions that help organizations navigate these challenges.
Balancing Security, Privacy, and Compliance
Recently, we had the opportunity to speak with Dr. Waldemar Koru, CTO of Anaro Software and a presenter at Keycloak Dev Day 2025, about how this open-source identity and access management solution addresses contemporary security needs. Our conversation revealed valuable insights into Keycloak’s distinctive features, implementation strategies, and its position within the broader identity management ecosystem. This post explores these topics and provides practical guidance for organizations considering Keycloak for their identity management needs.
Transient Users: A Privacy-First Approach to Authentication
Organizations operating under stringent privacy regulations like GDPR face a significant challenge: providing seamless access to services while minimizing data retention. Keycloak’s Transient Users feature offers an elegant solution to this dilemma.
“One of the game-changing capabilities, especially for organizations concerned with data privacy, is the Transient Users feature,” explains Dr. Koru. “It essentially allows you to grant users access to services without permanently storing their data in the Keycloak system.”
The feature applies to users who sign in through an external identity provider, that is, through Keycloak’s identity brokering. Keycloak authenticates the user as usual, but instead of writing a user record to its database it keeps the identity only in the user session; when that session ends, nothing about the user remains. It ships as a preview feature and has to be switched on explicitly when the server starts (the transient-users feature flag). The temporary nature of these sessions helps organizations:
- Meet GDPR compliance requirements for data minimization and storage limitation
- Adhere to internal policies governing data exchange between departments or across national boundaries
- Shrink the store of personal data Keycloak holds, and with it the blast radius if that database is ever exposed
- Support temporary access scenarios like B2B partnerships or contractor engagements
From a technical perspective, the flow is unchanged for the application: the user authenticates at the external provider, Keycloak issues ID, access and refresh tokens as usual, and only the persistence step is skipped. Two caveats follow from that. Anything that normally lives on a stored user record, such as local credentials, consents or administrator-managed attributes, is not available for transient users. And the relying application still receives whatever personal data the provider put into the token claims, so data minimization has to continue on that side as well; the feature limits what Keycloak retains, not what the application sees.
Implementation Challenges: Avoiding Common Pitfalls
Keycloak’s extensive feature set offers tremendous flexibility but can also create complexity for teams implementing it for the first time. Dr. Koru identifies several common mistakes organizations make when adopting Keycloak:
Understanding the Foundation: OpenID Connect
The most critical error is treating Keycloak as a “black box” solution without understanding the underlying protocols. “One of the biggest pitfalls I’ve observed is organizations diving headfirst into Keycloak without truly understanding the fundamental security principles it’s built upon, especially the concept of OpenID Connect,” notes Dr. Koru.
Unlike many software libraries where you can achieve results without understanding internal mechanisms, security systems demand a deeper knowledge. Organizations should ensure their teams understand:
- The basic flow of OpenID Connect authentication (the authorization code flow, with PKCE for browser and native clients)
- How tokens are validated and secured: signature against the realm’s published keys, issuer, audience and expiry, every time, on every request
- The purpose and appropriate use of the different token types: the ID token is for the client that requested the login, the access token is what an API accepts, and the refresh token never leaves the client that obtained it
- Proper configuration of security settings based on threat models
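To make the second and third points concrete, here is an added example (not code from the original post, from the Keycloak project or from Anaro Software) of the checks an API should run on a Keycloak access token before trusting it. To stay self-contained it signs with HS256 and a fixed secret; a production Keycloak realm signs with RS256 by default and publishes its keys at /realms/{realm}/protocol/openid-connect/certs, so the signature step would use that key set instead, with the same pinned-algorithm rule. ISSUER, CLIENT_ID and SECRET are constructed demo values, and mint() exists only to fabricate tokens for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values, not taken from any real deployment.
ISSUER = "https://sso.example.com/realms/demo"  # the realm URL, compared exactly
CLIENT_ID = "inventory-api"                    # this API's own client id in the realm
SECRET = b"demo-client-secret-do-not-use"      # HS256 key for the demo; Keycloak defaults to RS256


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes = SECRET) -> str:
    """Fabricate an HS256 JWT (header.payload.signature) for the demo only."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class TokenError(Exception):
    pass


def validate_access_token(token: str, now: Optional[float] = None, leeway: int = 30) -> dict:
    """Return the claims of an access token this API may trust, or raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    # 1. Pin the algorithm. The header is attacker-controlled; honouring whatever it
    #    names opens alg=none and RS256-to-HS256 key-confusion attacks.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # 2. Token type. Keycloak sets typ=Bearer on access tokens, typ=ID on ID tokens and
    #    typ=Refresh on refresh tokens; all three carry the same realm signature, so an
    #    API that skips this check will accept an ID or refresh token as credentials.
    if claims.get("typ") != "Bearer":
        raise TokenError(f"not an access token (typ={claims.get('typ')!r})")
    # 3. Issuer: exact string comparison against the realm URL, no prefix matching.
    if claims.get("iss") != ISSUER:
        raise TokenError("issuer mismatch")
    # 4. Audience: aud may be a string or a list; this client must appear in it.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if CLIENT_ID not in aud:
        raise TokenError("token not issued for this client")
    # 5. Time window with a small clock-skew allowance; a missing exp fails closed.
    if claims.get("exp", 0) + leeway < now:
        raise TokenError("token expired")
    if claims.get("nbf", 0) - leeway > now:
        raise TokenError("token not yet valid")
    return claims


def rejection_reason(token: str, now: Optional[float] = None) -> Optional[str]:
    """None if the token is accepted, otherwise the reason it was refused."""
    try:
        validate_access_token(token, now=now)
        return None
    except TokenError as err:
        return str(err)


if __name__ == "__main__":
    t = int(time.time())
    base = {"iss": ISSUER, "aud": [CLIENT_ID, "account"], "azp": "web-frontend",
            "typ": "Bearer", "sub": "u1", "iat": t, "exp": t + 300}
    print("good token:", rejection_reason(mint(base)))
    print("ID token  :", rejection_reason(mint({**base, "typ": "ID"})))
    print("forged    :", rejection_reason(mint(base, key=b"attacker")))
```

One Keycloak-specific pitfall the audience check surfaces: by default the realm only lists a client in aud when a mapper puts it there, so a freshly created API client often finds its own id missing. The fix is an Audience mapper on the client scope, not dropping the check.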
Feature Overload: Starting Small and Growing
Another common mistake is attempting to implement all of Keycloak’s features simultaneously. This approach often leads to configuration errors, security gaps, and overwhelmed implementation teams.
Instead, Dr. Koru recommends a phased approach:
- Phase 1: Core Authentication – Implement basic login functionality for a limited set of applications
- Phase 2: Enhanced Security – Add multi-factor authentication and refine access policies
- Phase 3: User Management – Implement self-service features and integrate with existing user directories
- Phase 4: Advanced Features – Add specialized capabilities like Transient Users or Organizations
This incremental method allows teams to gain expertise gradually, validate each component thoroughly, and prevent the confusion that comes from trying to master everything at once.
Keycloak’s Position in the Identity Management Spectrum
Understanding where Keycloak fits within the broader identity management landscape helps organizations make informed decisions about their authentication infrastructure.
The Identity Management Spectrum
Dr. Koru describes identity and access management solutions as existing on a spectrum:
- At one end are SaaS solutions (like Okta or Auth0) that offer convenience with limited customization
- At the other end are low-level protocol libraries that provide maximum control but require significant development effort
- Keycloak occupies the middle ground, offering a complete, ready-to-use identity server with extensive customization options
The Self-Hosting Advantage
For many organizations, the ability to self-host is what tips the decision. “A key differentiator for many organizations is Keycloak’s ability to be self-hosted, meaning you can run it on your own infrastructure,” explains Dr. Koru.
This capability provides:
- Complete control over data location – Critical for organizations with strict data sovereignty requirements
- Customization flexibility – The ability to adapt every aspect of the authentication experience
- Integration with internal systems – Direct connectivity to corporate directories without exposing them externally
- Cost predictability – No per-user pricing models that escalate as your user base grows; the cost is the infrastructure and the people who patch, back up and operate it
For highly regulated industries such as healthcare, finance, and government, these advantages often outweigh the additional operational responsibility of maintaining the infrastructure.
The Organizations Feature: Multi-tenancy Made Simple
A significant recent addition to Keycloak is the Organizations feature, introduced as a preview in Keycloak 25 and fully supported from Keycloak 26, which addresses a common challenge for software providers serving multiple clients.
“Previously, if you had a SaaS application serving multiple customers, what we sometimes call tenants, managing their access separately within Keycloak could be a challenge,” Dr. Koru explains. “People often resorted to using numerous isolated areas called realms, which sometimes impacted performance, or they would use a single realm which made it difficult to keep each customer’s data truly separated.”
The Organizations feature creates a hierarchical structure within a single realm, allowing:
- Clear separation between customer data
- Delegated administration capabilities
- Per-organization membership, with users joining by invitation or by signing in through the organization’s own identity provider
- Simplified maintenance compared to multiple realms
- Improved performance and resource utilization
This capability is particularly valuable for software vendors who need to maintain strong boundaries between different customer environments while keeping maintenance overhead manageable. Two points matter in practice. Organizations share the realm’s configuration: authentication flows, password policy, token lifetimes and client definitions are set once per realm, so where two customers genuinely need different security settings, separate realms remain the right tool. And membership only reaches the application through the token, via the organization client scope, which is what the application must use to bind each request to a tenant rather than trusting a tenant name supplied in the URL.
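As an added example (not code from the original post, from the Keycloak project or from Anaro Software), here is the application-side half of that boundary in Python: a request is allowed to touch a tenant only when the organization membership in an already-validated token agrees with the tenant named in the path. The exact shape of the organization claim depends on the mapper settings in your realm; the two shapes handled below are assumptions to verify against a real token, and anything else fails closed. The path convention /tenants/<alias>/... is a constructed one.

```python
from typing import Optional, Set, Tuple


def organizations_in(claims: dict) -> Set[str]:
    """Aliases of the organizations a validated token says the user belongs to.

    Assumed claim shapes (assumption, check a real token from your realm):
      "organization": ["acme", "globex"]           list of aliases
      "organization": {"acme": {}, "globex": {}}   map keyed by alias
    Any other shape, or a missing claim, yields an empty set so callers fail closed.
    """
    raw = claims.get("organization")
    if isinstance(raw, (dict, list)):
        return {alias for alias in raw if isinstance(alias, str)}
    return set()


def tenant_from_path(path: str) -> Optional[str]:
    """The tenant alias in a /tenants/<alias>/... path, or None if there is none."""
    parts = [p for p in path.split("/") if p]
    if len(parts) >= 2 and parts[0] == "tenants":
        return parts[1]
    return None


def authorize(claims: dict, path: str) -> Tuple[bool, str]:
    """Decide whether the caller may act on the tenant named in the URL.

    The tenant in the path is attacker-controlled; the membership in the token is
    Keycloak-controlled. Access is granted only when the two agree, never on the
    strength of the URL alone, and never when the token is silent about membership.
    """
    tenant = tenant_from_path(path)
    if tenant is None:
        return False, "no tenant in path"
    members_of = organizations_in(claims)
    if not members_of:
        return False, "token carries no organization membership"
    if tenant not in members_of:
        return False, f"token is for {sorted(members_of)}, not {tenant}"
    return True, f"ok: {tenant}"


if __name__ == "__main__":
    # Constructed claims as they would look after validate_access_token() succeeded.
    member_of_acme = {"sub": "u1", "organization": ["acme"]}
    print(authorize(member_of_acme, "/tenants/acme/orders"))
    print(authorize(member_of_acme, "/tenants/globex/orders"))
    print(authorize({"sub": "u2"}, "/tenants/acme/orders"))
```

The important design choice is the empty-set default: a token without an organization claim should not silently become a super-tenant. If some routes are legitimately tenant-free, list them explicitly rather than relaxing authorize().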
Insights from Keycloak Dev Day 2025
The Keycloak Dev Day event held in Darmstadt, Germany on March 6, 2025, provided a glimpse into the platform’s future direction and the priorities of its community.
Dr. Koru, who presented at the event, was impressed by “the level of expertise and the focus of the presentations.” The event brought together developers, maintainers, and operators working with Keycloak daily, covering topics including:
- New feature demonstrations and roadmap discussions
- Security best practices and hardening techniques
- Integration strategies for complex environments
- UI customization approaches
- Improved group management capabilities
The event also featured a pre-conference hackathon where attendees contributed directly to Keycloak’s development, reinforcing the community-driven nature of the project.
Getting Started with Keycloak: Resources for Learning
For organizations interested in exploring Keycloak further, several resources provide valuable starting points:
- Official documentation – Comprehensive but sometimes complex, the official Keycloak documentation covers every aspect of the platform
- Community forums – Active discussion boards where practitioners share experiences and solutions
- Training courses – Structured learning opportunities provided by companies like Anaro Software
- Mailing lists – Updates on new features and security advisories
A recommended approach is to combine theoretical learning with practical experimentation, starting with a small proof-of-concept before moving toward production implementation.
Conclusion: Finding the Right Balance
Keycloak’s position in the identity management landscape offers organizations a compelling middle ground between turnkey SaaS solutions and custom-built authentication systems. Its combination of ready-to-use functionality and extensive customization options makes it particularly well-suited to organizations with complex security requirements or strict compliance obligations.
The key to successful implementation lies in understanding the underlying security principles, adopting a phased approach to deployment, and leveraging the wealth of community knowledge available. By avoiding common pitfalls and focusing on core functionality before expanding to advanced features, organizations can build a robust identity foundation that balances security, usability, and compliance.
As you consider your organization’s identity management needs, the critical question becomes: what balance of control, customization, and operational simplicity best serves your security and compliance requirements? For many organizations, particularly those with stringent data governance policies or specialized authentication workflows, Keycloak provides an ideal solution.
At intension, we help organizations implement secure, compliant identity management solutions. Contact our team to discuss how Keycloak might fit within your security architecture.