Keycloak by VSHN

Keycloak, managed by VSHN and the Keycloak Competence Center Switzerland by Inventage, for you.

Open Source Identity and Access Management

Add authentication to applications and secure services with minimum effort. No need to deal with storing users or authenticating users.

Keycloak provides user federation, strong authentication, user management, fine-grained authorization, and more.

— Keycloak Website

Our service offers a compelling solution for businesses seeking secure and efficient identity and access management. Based in Switzerland, our service provides several key advantages:

Switzerland Based: Hosting your Keycloak service by a company based in Switzerland ensures data privacy, security, and compliance with strict Swiss regulations.
Unrestricted Access to Keycloak Features: With our service, you have access to the full range of Keycloak’s features, ensuring you can tailor your identity and access management to your specific needs.
Supported by Keycloak Professionals: Together with the Keycloak Competence Center Switzerland by Inventage, our team consists of experienced Keycloak professionals who can provide expert guidance and support, ensuring that you can make the most of your Keycloak implementation.
Simple Price Model: We offer a straightforward pricing model, making it easy for you to budget and plan for your identity and access management needs without hidden costs or surprises.
SLA Available: For added peace of mind, we offer Service Level Agreements (SLAs) that guarantee the reliability and availability of your Keycloak service.
Run by Experts Running Software: Our service is managed by a team of experts with a proven track record of running complex software systems, ensuring that your Keycloak service is in capable hands.

In summary, our service provides a secure, feature-rich, and hassle-free solution for identity and access management, all while benefiting from Switzerland’s robust data protection laws and the expertise of Keycloak professionals.

The user documentation is available under docs.appcat.ch.

Availability of the service

Features

Available sizing	1 or 2 instances ^[1]
No downtime during regular maintenance	^[2]
High availability	^[3]
Up to 100 Realms ^[4]
Infinite ^[5] Users
Admin user access (via admin web console)
Keycloak extensions
Configurable themes
Database: PostgreSQL by VSHN
TLS encrypted database connection
Custom subdomain
Built-in keycloak-config-cli
Guaranteed performance	^[6]
Keycloak specific metrics and dashboards
Support

Available sizing

1 or 2 instances ^[1]

No downtime during regular maintenance

^[2]

High availability

^[3]

Up to 100 Realms ^[4]

Infinite ^[5] Users

Admin user access (via admin web console)

Keycloak extensions

Configurable themes

Database: PostgreSQL by VSHN

TLS encrypted database connection

Custom subdomain

Built-in keycloak-config-cli

Guaranteed performance

^[6]

Keycloak specific metrics and dashboards

Support

The following common features are available as well:

Self-Service Instance Provisioning and Configuration	Service instances can be self-service ordered and are provisioned fully automated in the background. Access to self-service provisioning is provided via custom Kubernetes configuration objects in the Kubernetes cluster or via Open Service Broker API (on request).
Best-Practice Configuration Management	Services are configured with best practices and the configuration is updated continuously as we learn improvements during day-2 operations and from the community. Industry standards are used for security configuration and wherever possible TLS encrypted connections are offered by default.
Maintenance and Security Operations	Patch updates are applied as they get available. We monitor security information for services and apply zero-day patches or workaround configuration as they become available.
Data Protection and Recovery	All services offer a regular backup option. See the service descriptions for more details.
Service Metrics	Performance metrics are collected regularly and are available as graphs to the user. The metrics are automatically monitored and acted upon irregularities, see Monitoring and Alerting below.
Monitoring and Alerting	Service Level Indicators are monitored and alerted upon. Depending on the service level alerts are automatically handled by a VSHNeer.
Service Logging	All logs are collected and are available to debug service errors.
Support by VSHN or Vendor	Support for all services are available from VSHN support engineers. Depending on the service, additional support by the software vendor or a third-party might be available.

Self-Service Instance Provisioning and Configuration

Service instances can be self-service ordered and are provisioned fully automated in the background. Access to self-service provisioning is provided via custom Kubernetes configuration objects in the Kubernetes cluster or via Open Service Broker API (on request).

Best-Practice Configuration Management

Services are configured with best practices and the configuration is updated continuously as we learn improvements during day-2 operations and from the community. Industry standards are used for security configuration and wherever possible TLS encrypted connections are offered by default.

Maintenance and Security Operations

Patch updates are applied as they get available. We monitor security information for services and apply zero-day patches or workaround configuration as they become available.

Data Protection and Recovery

All services offer a regular backup option. See the service descriptions for more details.

Service Metrics

Performance metrics are collected regularly and are available as graphs to the user. The metrics are automatically monitored and acted upon irregularities, see Monitoring and Alerting below.

Monitoring and Alerting

Service Level Indicators are monitored and alerted upon. Depending on the service level alerts are automatically handled by a VSHNeer.

Service Logging

All logs are collected and are available to debug service errors.

Support by VSHN or Vendor

Support for all services are available from VSHN support engineers. Depending on the service, additional support by the software vendor or a third-party might be available.

Consulting / Onboarding Package

This product is fully supported by the Keycloak Competence Center Switzerland by Inventage.

To easily get started with Keycloak, a consulting package of 5 days can be ordered.

This consulting package can be used to clarify questions among the following topics:

Designing your security architecture
Designing your specific authentication flows (including 2FA, step-up, passkey etc.)
Integrating your Keycloak with your applications and your environment (WAF etc.)
Configuring your Keycloak
Designing multi-environment setups
Discuss your Keycloak extensions

Further customization of the Keycloak deployment is available either by VSHN or Inventage.

Keycloak Support

Support for Keycloak is organized in three levels:

Level 1: End-User Support: Helping users with the daily use of Keycloak is the customer’s concern. End-user support isn’t included in this service.
Level 2: Operations Support: VSHN provides support concerning the operations of Keycloak and the database. Our Support Plans describes in detail what VSHN offers in terms of support.
Level 3: Application Support: Inventage offers third-level support for Keycloak to VSHN, so that there are experts available to help with complex issues. Direct support from Inventage to the end-user is available with a separate support contract.

Supported versions

We only support the latest Keycloak version.

See Versioning Policy of the Keycloak project to read about more detailed versions support. Once a version isn’t supported anymore by the upstream project, we’ll stop supporting the version as well.

Upgrade Policy

The upgrade to a new major version needs to be performed within a 2-month grace period after the latest major.minor version.
Once the support for a service has ended, the service is considered "unmanaged" by VSHN. Meanwhile, the service still continues to run.

Service Level Indicator (SLI)

According to the service levels the SLI "Up" is defined as follows:

Keycloak responds to HTTP requests to the master realm authentication page. The service is considered up, if the request succeeds in under 5 seconds.

An unmanaged service is a service that is not monitored and SLA doesn’t apply anymore.

Data Protection

All persistent data of Keycloak is stored in a PostgreSQL database. See Data Protection in the PostgreSQL product description for more details.

Recurring Maintenance

We conduct recurring maintenance tasks on the service to keep it stable and up-to-date.

Planned Maintenance Activities

Updating of the base container image with the latest patched version, this causes a service restart.
If there’s a newer minor version available that does not contain breaking changes, then the service will automatically be updated to that minor version.
Major upgrades are not automatic.
Configuration improvements as we learn new best-practices or some configuration proved to be non-optimal.

Mandatory Maintenance Activities

Security issue (CVE) mitigation by updating to a patched version or configuration adjustments, usually causes service restart.
Regular maintenance on the underlying platform, usually causing up to 2 restarts per replica.

Maintenance Windows

This is an automated recurrence once a week. The day and time can be configured per service instance, whereas by default it is a random time in the night from Tuesday to Wednesday.

Users responsibilities

As a DevOps company, we believe in its collaborative approach. Flawless service is only possible through a sense of responsibility on both sides. Accordingly, we rely on the user to consider the following points:

Choose reasonably sized resources for the software consuming the service
Act early when an increase of service usage is foreseen (for example increase resources)
Rely on best-practices for using the service
Choose a matching service level for your use-case

Pricing

Service Level	per 30 days (720h)
Best Effort Keycloak and database instances: 1	CHF 360.00
Guaranteed Availability Keycloak and database instances: 2 Includes one additional development/test instance with Service Level "Best Effort"	CHF 1'500.00

Service Level

per 30 days (720h)

Best Effort

Keycloak and database instances: 1

CHF 360.00

Guaranteed Availability

Keycloak and database instances: 2
Includes one additional development/test instance with Service Level "Best Effort"

CHF 1'500.00

Excl. compute resources.
Incl. PostgreSQL by VSHN as database backend.
Consulting / Onboarding Package from Keycloak Competence Center Switzerland by Inventage (5 days / 40 hours): CHF 8'000.00
These prices are valid starting 2024-02-01 until further notice.

See Pricing for more details.

Available Keycloak extensions

The following extensions are available by default:

Custom extensions can be installed by providing them in a custom container image, containing the additional extensions. This image is then used as an init container to copy the extension directory into the Keycloak image.

When providing custom extensions, we cannot guarantee compatibility with the Keycloak version and can also not guarantee that nothing breaks on Keycloak upgrade.

Configurable theme

Custom styled themes are fully supported with our configurable theme extension. This includes logos, colors, fonts and custom style sheets.

Keycloak Configuration Management

Using Keycloak Config CLI, you can configure your Keycloak instance using a config file instead of using the admin UI. You may use this tool to easily configure multiple environments (DEV, TEST, PROD) with the same setup.