Keycloak by VSHN

Keycloak, managed by VSHN and the Keycloak Competence Center Switzerland by Inventage, for you.

Open Source Identity and Access Management

Add authentication to applications and secure services with minimum effort. No need to deal with storing users or authenticating users.

Keycloak provides user federation, strong authentication, user management, fine-grained authorization, and more.

— Keycloak Website

Our service offers a compelling solution for businesses seeking secure and efficient identity and access management. Based in Switzerland, our service provides several key advantages:

Switzerland Based

Hosting your Keycloak service by a company based in Switzerland ensures data privacy, security, and compliance with strict Swiss regulations.

Unrestricted Access to Keycloak Features

With our service, you have access to the full range of Keycloak’s features, ensuring you can tailor your identity and access management to your specific needs.

Supported by Keycloak Professionals

Together with the Keycloak Competence Center Switzerland by Inventage, our team consists of experienced Keycloak professionals who can provide expert guidance and support, ensuring that you can make the most of your Keycloak implementation.

Simple Price Model

We offer a straightforward pricing model, making it easy for you to budget and plan for your identity and access management needs without hidden costs or surprises.

SLA Available

For added peace of mind, we offer Service Level Agreements (SLAs) that guarantee the reliability and availability of your Keycloak service.

Run by Experts Running Software

Our service is managed by a team of experts with a proven track record of running complex software systems, ensuring that your Keycloak service is in capable hands.

In summary, our service provides a secure, feature-rich, and hassle-free solution for identity and access management, all while benefiting from Switzerland’s robust data protection laws and the expertise of Keycloak professionals.

The user documentation is available under docs.appcat.ch.
Availability of the service

Features

Available sizing

1,2 or 3 instances [1]

No downtime during regular maintenance

[2]

High availability

[3]

Up to 100 Realms [4]

Infinite [5] Users

Admin user access (via admin web console)

Keycloak extensions

Configurable themes

Database: PostgreSQL by VSHN

TLS encrypted database connection

Custom subdomain

Built-in keycloak-config-cli

Guaranteed performance

[6]

Keycloak specific metrics and dashboards

Support

The following common features are available as well:

Self-Service Instance Provisioning and Configuration

Service instances can be self-service ordered and are provisioned fully automated in the background. Access to self-service provisioning is provided via custom Kubernetes configuration objects in the Kubernetes cluster or via Open Service Broker API (on request).

Best-Practice Configuration Management

Services are configured with best practices and the configuration is updated continuously as we learn improvements during day-2 operations and from the community. Industry standards are used for security configuration and wherever possible TLS encrypted connections are offered by default.

Maintenance and Security Operations

Patch updates are applied as they get available. We monitor security information for services and apply zero-day patches or workaround configuration as they become available.

Data Protection and Recovery

All services offer a regular backup option. See the service descriptions for more details.

Service Metrics

Performance metrics are collected regularly and are available as graphs to the user. The metrics are automatically monitored and acted upon irregularities, see Monitoring and Alerting below.

Monitoring and Alerting

Service Level Indicators are monitored and alerted upon. Depending on the service level alerts are automatically handled by a VSHNeer.

Service Logging

All logs are collected and are available to debug service errors.

Support by VSHN or Vendor

Support for all services are available from VSHN support engineers. Depending on the service, additional support by the software vendor or a third-party might be available.

Consulting / Onboarding Package

This product is fully supported by the Keycloak Competence Center Switzerland by Inventage.

To easily get started with Keycloak, a consulting package of 5 days can be ordered.

This consulting package can be used to clarify questions among the following topics:

  • Designing your security architecture

  • Designing your specific authentication flows (including 2FA, step-up, passkey etc.)

  • Integrating your Keycloak with your applications and your environment (WAF etc.)

  • Configuring your Keycloak

  • Designing multi-environment setups

  • Discuss your Keycloak extensions

Further customization of the Keycloak deployment is available either by VSHN or Inventage.

Keycloak Support

Support for Keycloak is organized in three levels:

Level 1: End-User Support

Helping users with the daily use of Keycloak is the customer’s concern. End-user support isn’t included in this service.

Level 2: Operations Support

VSHN provides support concerning the operations of Keycloak and the database. Our Support Plans describes in detail what VSHN offers in terms of support.

Level 3: Application Support

Inventage offers third-level support for Keycloak to VSHN, so that there are experts available to help with complex issues. Direct support from Inventage to the end-user is available with a separate support contract.

Supported versions

We only support the latest Keycloak version.

See Versioning Policy of the Keycloak project to read about more detailed versions support. Once a version isn’t supported anymore by the upstream project, we’ll stop supporting the version as well.

Upgrade Policy

  • The upgrade to a new major version needs to be performed within a 2-month grace period after the latest major.minor version.

  • Once the support for a service has ended, the service is considered "unmanaged" by VSHN. Meanwhile, the service still continues to run.

Service Level Indicator (SLI)

According to the service levels the SLI "Up" is defined as follows:

Keycloak responds to HTTP requests to the master realm authentication page. The service is considered up, if the request succeeds in under 5 seconds.

An unmanaged service is a service that is not monitored and SLA doesn’t apply anymore.

Data Protection

All persistent data of Keycloak is stored in a PostgreSQL database. See Data Protection in the PostgreSQL product description for more details.

Recurring Maintenance

We conduct recurring maintenance tasks on the service to keep it stable and up-to-date.

Planned Maintenance Activities
  • Updating of the base container image with the latest patched version, this causes a service restart.

  • If there’s a newer minor version available that does not contain breaking changes, then the service will automatically be updated to that minor version.

  • Major upgrades are not automatic.

  • Configuration improvements as we learn new best-practices or some configuration proved to be non-optimal.

Mandatory Maintenance Activities
  • Security issue (CVE) mitigation by updating to a patched version or configuration adjustments, usually causes service restart.

  • Regular maintenance on the underlying platform, usually causing up to 2 restarts per replica.

Maintenance Windows

This is an automated recurrence once a week. The day and time can be configured per service instance, whereas by default it is a random time in the night from Tuesday to Wednesday.

Users responsibilities

As a DevOps company, we believe in its collaborative approach. Flawless service is only possible through a sense of responsibility on both sides. Accordingly, we rely on the user to consider the following points:

  • Choose reasonably sized resources for the software consuming the service

  • Act early when an increase in service usage is foreseen (for example increase resources)

  • Rely on best-practices for using the service

  • Choose a matching service level for your use-case

Pricing

Service Level per 30 days (720h)
  • Keycloak and database instances: 1

CHF 360.00

  • Keycloak and database instances: 2

  • Includes one additional development/test instance with Service Level "Best Effort"

CHF 1'500.00

  • The computing resources required for the service are not included in the price and charged additionally.

  • Inclusive PostgreSQL by VSHN as database backend.

  • Consulting / Onboarding Package from Keycloak Competence Center Switzerland by Inventage (5 days / 40 hours): CHF 8'000.00

  • Support is available at additional cost via Support Plans.

  • These prices are valid starting 2024-02-01 until further notice.

See Pricing for more details.

Available Keycloak extensions

The following extensions are available by default:

Custom extensions can be installed by providing them in a custom container image, containing the additional extensions. This image is then used as an init container to copy the extension directory into the Keycloak image.

When providing custom extensions, we cannot guarantee compatibility with the Keycloak version and can also not guarantee that nothing breaks on Keycloak upgrade.

Configurable theme

Custom styled themes are fully supported with our configurable theme extension. This includes logos, colors, fonts and custom style sheets.

Keycloak Configuration Management

Using Keycloak Config CLI, you can configure your Keycloak instance using a config file instead of using the admin UI. You may use this tool to easily configure multiple environments (DEV, TEST, PROD) with the same setup.

Service Maturity

This section describes the maturity of this service. We are constantly improving it and adding more features to the service.

Provisioning

Backup

Restore

Logs

Metrics

Alerting

Automated Maintenance

Version Upgrades

Scaling

User Management

FAQ

What do I need to get the service?

Currently the service is available on APPUiO and Managed OpenShift. Once you have access to such a cluster, it’s a matter of creating a Kubernetes object to order a service instance. In the getting started guide you’ll find all the information you need to get started.

Where do I get it?

As mentioned in the previous answer, the service is available on APPUiO and Managed OpenShift.

Are there any extra costs?

Yes, there are usage costs associated with the service. Please refer to VSHN AppCat Services Pricing for further information.

Who will set it up?

All services are available in full self-service. There is no need to open a ticket and wait until the service is provisioned, it’s available immediately.

What do I need to do?

The user documentation explains everything you need to know.

Can I get it myself or do I need to contact anyone?

There is no need to contact anyone, just follow the instructions on docs.appcat.ch and you’ll be up and running in no time.

How can it be integrated in my environment?

Services are available right now on APPUiO and Managed OpenShift. If you want these services on your environment, please contact us and we’ll help you get started.

How can I get support?

You can either open a ticket on our customer portal or send an email to support@vshn.ch. Please note that support is only available with our support plans.


1. Clustering with Infinispan when 2 or 3 instances are used, inclusive load balancing
2. With more than 1 replica, excluding version upgrade
3. With Service Level "Guaranteed Availability", includes 2 instances of Keycloak and Infinispan clustering
4. Talk to us if you need more
5. As many as Keycloak supports
6. Depends on the underlying platform