Get the theme: Shadcn Keycloak Theme Starter
A shadcn theme starter for Keycloak using Tailwind CSS and Radix UI components. This starter provides a foundation for building a custom, component-based Keycloak theme.
+
Phase Two is thrilled to announce that we have been recognized as an official partner of CockroachDB. This partnership marks a significant milestone in our commitment to providing robust, scalable, and high-performance database solutions for our the Keycloak community and our customers.
Phase Two originally built our CockroachDB integration for Keycloak over two years ago, and since then we have been working closely with the CockroachDB team to ensure that our integration is optimized for performance and reliability. Our customers have seen significant improvements in database performance, scalability, and a overall cost savings by using CockroachDB with Keycloak.
Our commitment to CockroachDB is built on years of using the Cockroach Cloud to power all of our dedicated hosting.
Keycloak tracks various "user events" to provide auditing and monitoring capabilities related to user activities within a realm. These events capture actions performed by users, such as authentication attempts, account management operations, and more.
When these events have been tracked and not purged for a long period, for high traffic installations, trying to change the retention period can lead to a massive performance problem with your installation. We will walk you through what to consider and how to safely purge these events.
As of today, we’re thrilled to announce the launch of the new Phase Two Dashboard — a fully redesigned application for managing your Keycloak resources. This update goes far beyond a fresh coat of paint. We've rebuilt the experience from the ground up, introducing new capabilities, streamlined workflows, and deep infrastructure enhancements based directly on customer feedback. We've learned that the version of Keycloak we provide, enhanced by the Phase Two library of extensions, solves for the 95% Saas use-case and this release will allow our users to better take advantage of those features. Some features are available today and others will be made available in the next few weeks.
We are excited to announce that Phase Two has achieved SOC 2 Type 1 compliance! This milestone demonstrates our ongoing commitment to security, availability, and the protection of our customers’ data.
Learn more at trust.phasetwo.io.
As more companies build SaaS platforms, the need to serve multiple customer groups—or tenants—from a single system becomes critical. In the identity world, this means implementing multi-tenancy within your identity provider.
In this post, we’ll walk through:
We've written extensively about how to model multi-tenancy with organizations and how Phase Two's Organizations extension differs from the native implementation being undertaken by the Keycloak team.
All of Phase Two's hosted environments come standard with all of our popular extensions to make it easy to hit the ground running and cover 95% of all IAM use-cases.
As more companies adopt Keycloak for enterprise identity and access management, security is no longer just a back-end concern. One of the most frequent questions we hear at Phase Two is:
"Should I put a Web Application Firewall (WAF) in front of Keycloak?"
The short answer? It depends—but it's a smart question to ask.
In this post, we'll break down what Keycloak provides out of the box, explore common attack vectors (especially around authentication endpoints), and help you evaluate whether you need to add an external firewall or WAF to your deployment.
Passwords are on their way out. From phishing to password reuse, they've become one of the weakest links in modern authentication. The solution? Passkeys—a phishing-resistant, user-friendly, and increasingly supported replacement for traditional passwords.
In this post, we’ll break down what passkeys are, how they work, which platforms support them, how they relate to WebAuthn, and how you can integrate them into your Keycloak authentication flows. Finally, we’ll explore some of the real-world considerations and challenges.
SAML has a bit of a reputation. For many developers, it lives in that shadowy corner of the B2B internet where XML still rules and stack traces seem to go on forever. If you've ever had the misfortune of debugging a malformed <Assertion>, you know the pain. But here's the thing: it doesn't have to be a nightmare.
At Phase Two, we provide managed hosting and enterprise support for Keycloak, a leading open-source Identity and Access Management platform. And while OIDC has become the default for most modern applications, SAML is still alive and well—especially in enterprise environments.
This post is a gentle (and opinionated) introduction to what SAML is, how it works, and why it still matters particularly if you're implementing SAML SSO in Keycloak.
When implementing SAML for the establishment of an Identity Provider, two primary options are available:
The SP initiated flow is widely recognized by users due to its straightforward configuration, which is merely the exchange of some metadata. In contrast, the IdP-initiated flow is less intuitive and involves an additional step that may not be readily apparent to many users. The purpose of this blog is to elucidate the steps necessary to successfully execute the IdP-initiated flow. We will setup a full example
A fundamental understanding of SAML 2.0 and Keycloak is required to effectively follow the provided instructions.