Keycloak and RHBK
Keycloak.
Enterprise-ready with Midships.
Keycloak's appeal is real — no per-seat licensing, no vendor lock-in, full source code. The challenge is making it production-grade for regulated environments. Midships closes every gap: zero downtime upgrades, enterprise HA, API-first journeys, and Guardian 24x7 operations. Significantly lower TCO than traditional IAM providers.
0
Production outages on Keycloak go-lives or upgrades — ever
99.999%
Availability target under Guardian managed operations
2 sprints
To a vanilla production-ready environment with the Midships Accelerator
API-first
Extended Authentication Flow API — invoke any Keycloak flow via API, not just web UI
Why enterprises choose Keycloak
The open-source IAM platform that enterprises can own
Keycloak's appeal is real — standards-first, composable, and free from per-seat licensing. The challenge is making it production-grade for regulated environments. That is where Midships comes in.
Standards-first
OIDC, OAuth2, SAML, LDAP/AD federation, and WebAuthn — out of the box, no proprietary extensions required.
Lower total cost of ownership
Open-source core with CPU-based licensing available for Red Hat Build of Keycloak. No per-identity or per-session pricing that scales against you.
Composable architecture
Designed to work alongside external policy, fraud, and analytics systems — including Ping Universal Services for enterprises that want the best of both.
No vendor lock-in
Extensible and fully customisable. Your team owns the platform. Midships' Keycloak Accelerator includes full source code by design.
Red Hat enterprise support
Red Hat Build of Keycloak provides enterprise support, CVE remediation, published lifecycle policy, and certification on OpenShift and major Kubernetes platforms.
Ping interoperability
Keycloak can be integrated with Ping Universal Services to extend identity, risk, and verification capabilities without replacing existing Keycloak deployments.
The Midships Difference
What Midships adds to Keycloak
Out-of-the-box Keycloak leaves gaps that matter in regulated environments — uptime, upgrade safety, advanced journeys, and API-first access. Midships fills all of them.
01
Zero downtime — always
Blue/green and canary deployments for every upgrade. HA clustering and multi-site DR with rehearsed failovers. SRE runbooks and synthetic monitoring to catch issues before customers do.
Blue/green and canary releases
HA clustering — multi-site DR
Rehearsed failover and rollback
Encrypted backups and point-in-time recovery
02
Extended Authentication Flow API
Out of the box, Keycloak pushes teams toward UI-bound flows. Midships provides an Extended Authentication Flow API that lets your applications invoke any Keycloak auth flow directly via API — not just web logins. This powers headless IAM and enterprise-grade journeys without coupling user experience to the Keycloak UI.
Any flow available as an API endpoint
Headless IAM for mobile and embedded apps
Self-service operations without UI dependency
03
Modern authentication journeys
Production-ready Authenticator Library for advanced journeys — passwordless, device binding, OTP, profile creation, recovery flows. Templated authenticators for step-up MFA, re-verification, and risk-based decisions.
Passwordless and passkeys (WebAuthn)
Silent device authentication
Digital transaction signing
Step-up MFA, triggered by risk signals only
04
Scale without limits
Elastic autoscaling on Kubernetes — EKS, AKS, GKE, OpenShift. Performance tuning for thousands of transactions per second and global workloads. Infinispan and JGroups optimisation and session/cache strategies for high-throughput regulated environments.
Kubernetes autoscaling — all major platforms
Serverless-ready topologies (EKS Fargate, GKE Autopilot)
Global workload performance tuning
05
Everything as code
Git-friendly realm, client, and flow configuration. CI/CD pipelines with audit-ready promotion and automatic rollback. Secrets and configuration rotation, encryption, and vault integrations — HashiCorp Vault and Kubernetes secrets out of the box.
GitOps-native configuration management
HashiCorp Vault and Kubernetes secrets
Audit-ready promotion pipelines
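As an added example (not Midships' Accelerator code and not from the original page), here is the kind of pre-promotion check a CI/CD stage can run over a realm export tracked in Git. Keycloak resolves `${vault.<key>}` references at runtime through its vault SPI (a files vault populated from Kubernetes secrets, or a keystore-backed vault), for the LDAP bind credential, the SMTP password and identity-provider client secrets; confidential client secrets are not vault-resolved, so they must not be committed at all. The JSON layout follows Keycloak's realm export format; the sample export, realm name and vault key names are constructed for illustration.

```python
import json
import re

# Keycloak resolves ${vault.<key>} at runtime through its vault SPI, so an
# export kept in Git should carry only references for these fields.
VAULT_REF = re.compile(r"^\$\{vault\.[A-Za-z0-9_.:-]+\}$")
MASKED = "**********"  # placeholder Keycloak writes into partial exports


def _credential_fields(realm):
    """Yield (path, value, vault_supported) for each credential field in an export."""
    for idp in realm.get("identityProviders", []):
        cfg = idp.get("config", {})
        if "clientSecret" in cfg:
            yield f"identityProviders[{idp.get('alias')}].config.clientSecret", cfg["clientSecret"], True
    providers = realm.get("components", {}).get("org.keycloak.storage.UserStorageProvider", [])
    for comp in providers:
        if comp.get("providerId") != "ldap":
            continue
        cred = comp.get("config", {}).get("bindCredential", [])  # component config values are string lists
        if cred:
            yield f"components.ldap[{comp.get('name')}].bindCredential", cred[0], True
    smtp = realm.get("smtpServer", {})
    if "password" in smtp:
        yield "smtpServer.password", smtp["password"], True
    # Confidential client secrets cannot be vault references: they must be
    # stripped from the export and injected at deploy time instead.
    for client in realm.get("clients", []):
        if "secret" in client:
            yield f"clients[{client.get('clientId')}].secret", client["secret"], False


def find_literal_secrets(realm):
    """Return a list of findings; an empty list means the export is safe to commit."""
    findings = []
    for path, value, vault_supported in _credential_fields(realm):
        if value in (None, "", MASKED):
            continue  # nothing sensitive present
        if vault_supported and VAULT_REF.match(value):
            continue  # resolved from the vault at runtime
        if vault_supported:
            findings.append(f"{path}: literal credential; replace with ${{vault.<key>}}")
        else:
            findings.append(f"{path}: literal client secret; strip it from the export")
    return findings


def check_export(text):
    """Parse a realm export JSON document and return its findings."""
    return find_literal_secrets(json.loads(text))


# Constructed sample export (not from any real environment): a compliant LDAP
# federation and SMTP config, an IdP with a pasted secret, one confidential client.
SAMPLE_EXPORT = json.dumps({
    "realm": "customer",
    "smtpServer": {"host": "smtp.example.test", "password": "${vault.smtp_password}"},
    "identityProviders": [
        {"alias": "partner-oidc", "providerId": "oidc",
         "config": {"clientId": "kc", "clientSecret": "hunter2-pasted-in-git"}}
    ],
    "components": {
        "org.keycloak.storage.UserStorageProvider": [
            {"name": "corp-ad", "providerId": "ldap",
             "config": {"bindDn": ["cn=svc,dc=example,dc=test"],
                        "bindCredential": ["${vault.corp-ad_bind}"]}}
        ]
    },
    "clients": [
        {"clientId": "mobile-bff", "publicClient": False, "secret": "c0ffee"},
        {"clientId": "spa", "publicClient": True},
    ],
})

if __name__ == "__main__":
    problems = check_export(SAMPLE_EXPORT)
    for p in problems:
        print("BLOCK:", p)
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the promotion stage
```

Run it as a gate before the export is applied to the next environment: a non-zero exit blocks promotion, and the findings name the exact JSON path to fix, so the audit trail records why a change was rejected.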
06
Guardian — 24x7 managed operations
SRE-led operations with 99.999% uptime targets. Upgrades, patches, capacity management, and incident response. Quarterly DR drills and evidence packs for auditors. Your team stays focused on business outcomes — Guardian keeps the platform running.
24x7 monitoring and incident response
Zero downtime upgrades under managed operations
Quarterly DR drills and audit evidence packs
Keycloak Accelerator — licensable, white-box deployment framework
The Midships Keycloak Accelerator is a licensable, white-box framework encoding seven years of regulated enterprise Keycloak delivery. Production-ready in two sprints. Full source code included — your team owns the platform. Pre-hardened for PCI-DSS, MAS TRM, and SOC2 from day one.
Accelerator comparison
Out of the box Keycloak vs Midships Accelerator

| Factor | Midships Accelerator | Out of the box Keycloak |
|---|---|---|
| Vanilla production-ready environment | 2 sprints | Weeks of manual work |
| Extended Authentication Flow API | ✓ | ✗ |
| Kubernetes secrets, HashiCorp Vault, volume-mounted secrets | ✓ | ✗ |
| Multi-cluster, multi-region, multi-cloud | ✓ | ✗ |
| Autoscaling support | ✓ | ✗ |
| Security hardening best practices applied | ✓ | ✗ |
| Parameterised Helm and deployment configuration | ✓ | ✗ |
| Pre-packaged identity journeys (industry standard) | ✓ | ✗ |
| Production-ready Docker images (client-controlled) | ✓ | ✓ |

Red Hat Build of Keycloak
Midships recommends RHBK for regulated enterprises
Red Hat Build of Keycloak adds enterprise support, lifecycle guarantees, and CVE remediation to the open-source core. Midships adds the delivery and operational expertise to make it production-grade.
What Red Hat provides
Enterprise support with CVE remediation
Published lifecycle and upgrade policy
Certified on OpenShift, RHEL, and Windows
CPU-based commercial licensing available
VM-based to Kubernetes migration
What Midships adds
Zero downtime upgrade patterns and execution
SRE-led operations for always-on identity workloads
Extended Authentication Flow API and Authenticator Library
Audit-ready operations aligned to regulatory expectations
Multi-region HA and DR — designed, drilled, and documented
Keycloak TCO vs traditional IAM providers
Over a five-year period, enterprises consistently save 30 to 60 percent in total identity platform costs when moving from traditional per-seat IAM licensing to Keycloak with Midships. Savings come from licensing, migration efficiency using the Accelerator, and operational leverage through Guardian. Contact Midships to run a TCO comparison for your specific identity footprint.
Proof of performance
Deployed in production for regulated enterprises
0
Downtime on go-lives and upgrades in regulated production
99.999%
Availability target under Guardian managed operations
Multi-region
HA validated through live DR drills — not just design
API-first
Extended Auth Flow API enabling modern onboarding and risk-aware MFA
The Runtime Governance Product
Icebreaker — the Governance and Control Layer
Icebreaker is the control plane for governed AI execution — a patent-pending product from Midships. It implements the Governance and Control Layer of the Enterprise AI Agent Reference Architecture, ensuring every AI-initiated action is aligned to an approved business purpose, enforced through existing enterprise controls, and recorded for audit before execution. No replatforming. No IAM replacement. No API changes.
Common questions
Keycloak Consulting — FAQs
Is Keycloak secure enough for banks and insurers?
Yes — with the right hardening and controls applied. Midships implements encryption, access controls, device trust, SIEM integrations, and security baselines aligned to PCI-DSS, MAS TRM, and SOC2 as standard. The Keycloak Accelerator ships pre-hardened. Keycloak is deployed in production for multiple tier-one banks in Asia Pacific.
Can you deliver zero downtime on Keycloak upgrades?
Yes. Midships delivers blue/green and canary releases with pre-flight rehearsal and automatic rollback, keeping customer journeys live throughout. Every upgrade is rehearsed in lower environments with confirmed rollback procedures before production. We have executed Keycloak upgrades for regulated enterprises without a single minute of downtime.
What is the Extended Authentication Flow API?
Out of the box, Keycloak constrains applications to UI-bound flows and limited programmatic access. Midships' Extended Authentication Flow API exposes any Keycloak authentication flow as a callable API endpoint — enabling headless IAM, modular enterprise journeys, and self-service operations without coupling user experience to the Keycloak UI. This is part of the Keycloak Accelerator.
Does Midships recommend community Keycloak or Red Hat Build of Keycloak?
For regulated enterprises, Midships recommends Red Hat Build of Keycloak. It provides enterprise support with CVE remediation, a published lifecycle and upgrade policy, and certification on OpenShift and major Kubernetes platforms. The additional cost is justified by the risk reduction and operational certainty it provides in regulated environments.
Can Keycloak integrate with Ping Identity?
Yes. Keycloak can be integrated with Ping Universal Services to extend identity, risk, and verification capabilities. Midships designs and implements these integrations, enabling enterprises to combine Keycloak's open-source flexibility with Ping's advanced fraud detection and digital identity verification — without disrupting existing authentication flows.
What does Guardian cover for Keycloak?
Guardian provides 24x7 SRE-led managed operations for Keycloak and RHBK environments — monitoring, incident response, upgrades, patches, capacity management, and quarterly DR drills with evidence packs for auditors. Guardian can take over operations of an existing Keycloak environment we did not deploy. SLA is custom per client with 99.999% availability as the standard target.