[{"data":1,"prerenderedAt":399},["ShallowReactive",2],{"navigation-docs_en":3,"/en/docs/technologies/keycloak-docs_en":51,"/en/docs/technologies/keycloak-surround-docs_en":395},[4],{"title":5,"path":6,"stem":7,"children":8,"page":25},"En","/en","en",[9],{"title":10,"path":11,"stem":12,"children":13,"page":25},"Docs","/en/docs","en/1.docs",[14,26],{"title":15,"path":16,"stem":17,"children":18,"icon":25},"Getting Started","/en/docs/getting-started","en/1.docs/1.getting-started/1.index",[19,21],{"title":20,"path":16,"stem":17,"children":-1},"Introduction",{"title":22,"path":23,"stem":24,"children":-1},"Migration Roadmap","/en/docs/getting-started/migration-fahrplan","en/1.docs/1.getting-started/2.migration-fahrplan",false,{"title":27,"path":28,"stem":29,"children":30,"page":25},"Technologies","/en/docs/technologies","en/1.docs/2.technologies",[31,35,39,43,47],{"title":32,"path":33,"stem":34,"children":-1},"Nextcloud","/en/docs/technologies/nextcloud","en/1.docs/2.technologies/1.nextcloud",{"title":36,"path":37,"stem":38,"children":-1},"Matrix / Element","/en/docs/technologies/matrix","en/1.docs/2.technologies/2.matrix",{"title":40,"path":41,"stem":42,"children":-1},"ONLYOFFICE","/en/docs/technologies/onlyoffice","en/1.docs/2.technologies/3.onlyoffice",{"title":44,"path":45,"stem":46,"children":-1},"Ubuntu Linux","/en/docs/technologies/ubuntu","en/1.docs/2.technologies/4.ubuntu",{"title":48,"path":49,"stem":50,"children":-1},"Keycloak","/en/docs/technologies/keycloak","en/1.docs/2.technologies/5.keycloak",{"id":52,"title":48,"body":53,"description":389,"extension":390,"meta":391,"navigation":392,"path":49,"seo":393,"stem":50,"__hash__":394},"docs_en/en/1.docs/2.technologies/5.keycloak.md",{"type":54,"value":55,"toc":375},"minimark",[56,60,64,69,121,125,130,133,137,140,144,147,151,154,158,161,199,203,206,276,280,330,333,337,355,364,371],[57,58,48],"h1",{"id":59},"keycloak",[61,62,63],"p",{},"Keycloak is an open-source Identity & Access Management (IAM) platform. It replaces Azure Active Directory / Microsoft Entra ID and provides Single Sign-On (SSO) for all business applications — hosted on your own servers, with no dependency on Microsoft.",[65,66,68],"h2",{"id":67},"what-does-keycloak-replace","What does Keycloak replace?",[70,71,72,85],"table",{},[73,74,75],"thead",{},[76,77,78,82],"tr",{},[79,80,81],"th",{},"Microsoft Product",[79,83,84],{},"Keycloak Equivalent",[86,87,88,97,105,113],"tbody",{},[76,89,90,94],{},[91,92,93],"td",{},"Azure Active Directory (Entra ID)",[91,95,96],{},"Keycloak Realm",[76,98,99,102],{},[91,100,101],{},"Azure SSO",[91,103,104],{},"Keycloak SSO (OIDC / SAML)",[76,106,107,110],{},[91,108,109],{},"Azure MFA",[91,111,112],{},"Keycloak OTP / WebAuthn",[76,114,115,118],{},[91,116,117],{},"Azure AD Groups",[91,119,120],{},"Keycloak Groups & Roles",[65,122,124],{"id":123},"core-features","Core features",[126,127,129],"h3",{"id":128},"single-sign-on-sso","Single Sign-On (SSO)",[61,131,132],{},"One central login for all applications: Nextcloud, ONLYOFFICE, Element, Gitea, Odoo, Rocket.Chat and any other OIDC- or SAML-compatible application. Employees log in once — all services are then accessible without re-entering passwords.",[126,134,136],{"id":135},"multi-factor-authentication","Multi-factor authentication",[61,138,139],{},"Keycloak supports TOTP (Google Authenticator, Aegis), WebAuthn (YubiKey, FIDO2 hardware keys) and SMS OTP. MFA can be enforced for individual applications, user groups or all users.",[126,141,143],{"id":142},"user-management","User management",[61,145,146],{},"Centralised management of all users, groups and permissions in one interface. New employees are created once and immediately have access to all applications. When they leave, a single deactivation blocks all access simultaneously.",[126,148,150],{"id":149},"ldap-active-directory-integration","LDAP / Active Directory integration",[61,152,153],{},"Existing Active Directory directories can be synchronised into Keycloak — a seamless migration path with no data loss.",[65,155,157],{"id":156},"integration","Integration",[61,159,160],{},"Keycloak connects with virtually any modern application:",[162,163,164,171,177,182,188,193],"ul",{},[165,166,167,170],"li",{},[168,169,32],"strong",{}," — Keycloak as OIDC provider",[165,172,173,176],{},[168,174,175],{},"Matrix/Element"," — SSO via OIDC",[165,178,179,181],{},[168,180,40],{}," — SSO via SAML 2.0",[165,183,184,187],{},[168,185,186],{},"Gitea, Forgejo"," — OIDC login",[165,189,190,187],{},[168,191,192],{},"Grafana, Portainer",[165,194,195,198],{},[168,196,197],{},"Proxmox"," — LDAP / OIDC",[65,200,202],{"id":201},"operation-and-hosting","Operation and hosting",[61,204,205],{},"Keycloak runs as a Docker container on a small Hetzner server:",[207,208,213],"pre",{"className":209,"code":210,"language":211,"meta":212,"style":212},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# Keycloak with Docker Compose\nservices:\n  keycloak:\n    image: quay.io/keycloak/keycloak:latest\n    environment:\n      KC_DB: postgres\n    command: start\n","bash","",[214,215,216,225,232,238,248,254,263],"code",{"__ignoreMap":212},[217,218,221],"span",{"class":219,"line":220},"line",1,[217,222,224],{"class":223},"sHwdD","# Keycloak with Docker Compose\n",[217,226,228],{"class":219,"line":227},2,[217,229,231],{"class":230},"sBMFI","services:\n",[217,233,235],{"class":219,"line":234},3,[217,236,237],{"class":230},"  keycloak:\n",[217,239,241,244],{"class":219,"line":240},4,[217,242,243],{"class":230},"    image:",[217,245,247],{"class":246},"sfazB"," quay.io/keycloak/keycloak:latest\n",[217,249,251],{"class":219,"line":250},5,[217,252,253],{"class":230},"    environment:\n",[217,255,257,260],{"class":219,"line":256},6,[217,258,259],{"class":230},"      KC_DB:",[217,261,262],{"class":246}," postgres\n",[217,264,266,270,273],{"class":219,"line":265},7,[217,267,269],{"class":268},"s2Zo4","    command",[217,271,272],{"class":246},":",[217,274,275],{"class":246}," start\n",[126,277,279],{"id":278},"system-requirements","System requirements",[70,281,282,295],{},[73,283,284],{},[76,285,286,289,292],{},[79,287,288],{},"Users",[79,290,291],{},"RAM",[79,293,294],{},"CPU",[86,296,297,308,319],{},[76,298,299,302,305],{},[91,300,301],{},"≤100",[91,303,304],{},"2 GB",[91,306,307],{},"1 vCPU",[76,309,310,313,316],{},[91,311,312],{},"≤500",[91,314,315],{},"4 GB",[91,317,318],{},"2 vCPU",[76,320,321,324,327],{},[91,322,323],{},">500",[91,325,326],{},"8 GB",[91,328,329],{},"4 vCPU",[61,331,332],{},"Keycloak can run on the same server as Nextcloud — for small teams (≤25 users) a CX21 at Hetzner (€5.83/month) is sufficient.",[65,334,336],{"id":335},"migration-from-azure-ad","Migration from Azure AD",[338,339,340,343,346,349,352],"ol",{},[165,341,342],{},"Set up a Keycloak instance and configure the Realm",[165,344,345],{},"Export users from Active Directory / Azure AD and import them",[165,347,348],{},"Migrate applications to Keycloak SSO one by one (Nextcloud → Element → others)",[165,350,351],{},"Enable MFA enforcement",[165,353,354],{},"Cancel Azure AD licences",[356,357,358],"blockquote",{},[61,359,360,363],{},[168,361,362],{},"Tip:"," When migrating from Azure AD, we recommend running Keycloak in parallel with Azure AD initially. Applications are migrated step by step — so an issue with one app has no impact on other services.",[61,365,366,367],{},"Next: ",[368,369,370],"a",{"href":37},"Matrix/Element →",[372,373,374],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":212,"searchDepth":227,"depth":227,"links":376},[377,378,384,385,388],{"id":67,"depth":227,"text":68},{"id":123,"depth":227,"text":124,"children":379},[380,381,382,383],{"id":128,"depth":234,"text":129},{"id":135,"depth":234,"text":136},{"id":142,"depth":234,"text":143},{"id":149,"depth":234,"text":150},{"id":156,"depth":227,"text":157},{"id":201,"depth":227,"text":202,"children":386},[387],{"id":278,"depth":234,"text":279},{"id":335,"depth":227,"text":336},"Single Sign-On and Identity Management as an Azure AD replacement — one central login for all business applications, GDPR-compliant and self-hosted.","md",{},true,{"title":48,"description":389},"omOpPbpDeqiMJPozq11bVqfEn9nu4dqWopoJhnL554Q",[396,398],{"title":44,"path":45,"stem":46,"description":397,"children":-1},"The most widely used enterprise Linux OS — stable, secure, with 5 years of LTS support and a familiar interface for Windows switchers.",null,1778110625079]