Managed Keycloak in the Reality Check: Infrastructure Wrapper or True IAM Expertise?

Why Hosting Keycloak Is Only Half the Battle – and Why Identity and Access Management (IAM) Requires More Than Just a Running Container.

Over the past years, Keycloak has become the de facto standard for open‑source Identity and Access Management (IAM). Its flexibility, extensive feature set—from single sign-on (SSO) and social login integrations to fine-grained authorization—and its active community make it the first choice for new digital products and modernization projects.

At the same time, real-world operations quickly reveal that Keycloak is a business‑critical component. As the central authentication authority, it represents a potential single point of failure and therefore requires high standards for operations, maintenance, and support.

For CTOs and lead architects, this raises an important question: “Make or Buy?” And if “Buy,” which managed service offers real value beyond simply running a container?

This article compares generic hosting approaches—often attractive due to very low monthly prices—with the specialized “Keycloak as a Service” offering from intension.

Challenges in Operating Keycloak

To begin, here are several requirements for running Keycloak that typically need to be handled by or together with the provider in production environments.

Scalability and Performance

As the number of users and connected clients grows, infrastructure, session handling, and database connectivity need to be carefully designed. Long-running sessions and high authentication rates can quickly lead to bottlenecks if the system is not optimized accordingly.

Maintenance, Updates, and Security

While Keycloak as an open-source project follows a defined release cycle, there is no traditional long-term support for specific versions. Zero‑downtime upgrades additionally require a cluster setup. Tested update strategies in staging environments and continuous security patching of underlying container images are essential.

Configuration and Customization

In production environments, Keycloak is rarely used “out of the box.” Custom themes, Service Provider Interfaces (SPIs), or tailored authentication flows are standard. These extensions must be versioned, tested, and integrated securely into the deployment process—especially in managed environments.

Compliance Requirements

Data protection obligations, auditability, and regulatory requirements (e.g., DORA, NIS2, CRA) demand documented operational processes, defined RPO/RTO targets, and transparent backup and recovery mechanisms.

Managed Keycloak Providers: Two Fundamental Approaches

The market for managed Keycloak can be divided into two categories: generic infrastructure providers and IAM/Keycloak specialists.

Generic Hosting and PaaS Providers

These providers primarily deliver Keycloak as a standardized workload. You select “Keycloak” from a catalog, and minutes later a container is running. Their focus is infrastructure availability, automated provisioning, and basic operational functions such as networking, certificate management, and volume backups.

Monitoring and support typically focus on infrastructure availability. Application-specific issues—such as broken authentication flows or incompatibilities in custom extensions—are often outside their support scope.

Specialized IAM and Keycloak Providers: The intension Approach

Specialized providers like intension treat Managed Keycloak as an application service. Beyond running infrastructure, they take responsibility for the functional behavior of the platform, including application‑level monitoring, update strategies, and integration support for customizations.

The focus here is not simply on providing compute resources but on ensuring the stable operation of Keycloak as a central IAM component.

When Things Go Wrong: Support Levels and Response Times

The most critical difference becomes apparent when problems occur. This is where the gap between generic hosting and specialized service becomes most visible.

The Monitoring Gap: Ping vs. What’s Really Happening?

A generic provider monitors infrastructure. Functional indicators of the hosted application are typically not monitored. A Keycloak server might be technically reachable while completely unusable for end users due to a broken authentication flow or issues in the connected user storage.

Intension goes a step further by monitoring not only infrastructure but also Keycloak’s functional health. Anomaly detection helps identify issues early—ideally before users contact support.
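The gap between "reachable" and "usable" described above can be made concrete with a layered probe. The following is an added example, not code from intension or the Keycloak project: it classifies the results of two checks a monitoring agent is assumed to have made, a fetch of the realm's OIDC discovery document and a test token request with a dedicated monitoring client. The host `sso.example.test`, the realm `demo` and all sample responses are constructed.

```python
import base64
import json

def _jwt_claims(token):
    """Decode a JWT payload without verifying the signature (probe use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def classify(discovery, token_resp):
    """Each argument is (http_status, body_text), or None if the request failed.
    Returns 'down', 'degraded' (reachable but logins fail) or 'healthy'."""
    if discovery is None or discovery[0] != 200:
        return "down"
    try:
        # Discovery document: /realms/<realm>/.well-known/openid-configuration
        issuer = json.loads(discovery[1])["issuer"]
    except (ValueError, KeyError, TypeError):
        return "degraded"  # answers HTTP, but not as a working realm
    if token_resp is None or token_resp[0] != 200:
        return "degraded"  # the state a ping-only monitor still reports as "up"
    try:
        claims = _jwt_claims(json.loads(token_resp[1])["access_token"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return "degraded"
    # A token minted for a different issuer points at a misrouted or misconfigured realm.
    return "healthy" if claims.get("iss") == issuer else "degraded"

# Constructed sample responses (assumed host and realm, not captured from a real server).
ISSUER = "https://sso.example.test/realms/demo"

def _fake_jwt(claims):
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.sig"

DISCOVERY_OK = (200, json.dumps({"issuer": ISSUER}))
TOKEN_OK = (200, json.dumps({"access_token": _fake_jwt({"iss": ISSUER})}))
TOKEN_BROKEN = (500, '{"error":"unknown_error"}')

if __name__ == "__main__":
    for name, d, t in [("all good", DISCOVERY_OK, TOKEN_OK),
                       ("flow broken", DISCOVERY_OK, TOKEN_BROKEN),
                       ("unreachable", None, None)]:
        print(f"{name}: {classify(d, t)}")
```

A test token request only exercises the flow and client it uses, so a probe like this complements, rather than replaces, monitoring of login events and database pools.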

24/7 SLA and 30-Minute Response Time

When issues arise in business‑critical applications, every minute counts. This makes reliable and rapidly available support all the more important.

  • Generic Support: Typically limited to business hours or offers 24/7 emergency service only for severe hardware failures. Often the customer must report outages first. Response times commonly range from 4 to 24 hours.
  • intension Support: As a specialized provider, intension delivers Keycloak-tailored 24/7 service-level agreements. This includes qualified Keycloak experts based in Germany available outside regular working hours—day or night. For high-priority incidents (Priority 1), a response time of up to 30 minutes is guaranteed.

Reality Check: Updates

Beyond support, updates are another critical scenario in the lifecycle of an IAM system.

Update Challenges (“The Theme Is Broken”)

A common example: Keycloak is upgraded to a new major version (e.g., from v24 to v25).

  • With a generic hosting provider: The system updates automatically via a new image. If custom themes break (e.g., login UI issues), this might only be noticed during the next login, and the provider is unlikely to assist with debugging.
  • With the specialized provider intension: Updates are carefully planned—not rolled out automatically on release day. Customers are actively involved in the upgrade process, benefiting from insights gained across multiple projects. If desired, customers can also plan, test, and execute updates independently.

Comparison Table: Generic vs. Specialized

Feature / Criterion | Generic PaaS & Hosting Providers | intension (Keycloak Specialist)
Primary Focus | Infrastructure provisioning (IaaS/PaaS) | Identity & Access Management (SaaS/Managed)
Monitoring | Infrastructure (ping, CPU, RAM) | Application deep‑dive (logins, flows, DB pools)
Availability | Standard hours, 24/7 mainly for hardware | 24/7 Keycloak expert support
SLA / Response Time | Variable, often 4h+ | As fast as 30 minutes (critical incidents)
Update Strategy | Automated (image-based), risk for customizations | Proactive, quality-assured, compatibility-tested
SPI / Theme Support | Self-service, no provider support | Native support, validation, integration help
Contact Person | 1st-level support / community | IAM architects and Keycloak experts

Conclusion: Why Specialization Wins

The choice of provider depends on organizational maturity and available resources.

Organizations with an internal DevOps team that writes Keycloak code, builds Docker images effortlessly, and tunes the DB connection pool themselves can operate Managed Keycloak cost-effectively on generic hosting.

For companies that rely on Keycloak as a business‑critical component—but prefer not to burden their DevOps team with its operational complexity—intension is the logical choice. The value lies in combining infrastructure with operational excellence, backed by deep IAM and Keycloak expertise.

When login fails, the entire digital business stops. At that moment, the difference between a hoster that merely “provides a service” and a partner like intension that can truly help is priceless.

More information about our Keycloak as a Service offering is available here.
