Keycloak integration with Otomi Container Platform

With Keycloak fully integrated in Otomi Container Platform, you can choose your favorite identity provider to provide Single Sign On and Role Based Access to Otomi Console, Otomi Apps and all configured services.

About Otomi Container Platform

Otomi Container Platform is a (soon to be open source) solution developed by a Dutch startup called Red Kubes. It offers a set of pre-installed and configured leading open source components working in tandem, ready for you to use and installed within a couple of minutes. It combines around 40 Helm charts as a single chart.

Otomi Container Platform is based on an opinionated and curated stack (Otomi Core) controlled by a custom developed API. This offers maturity and speed while still providing customization when desired. A curated stack solution like Otomi Container Platform offers lots of benefits in terms of governance, security and most of all speed in delivering added.

Otomi Container Platform offers a true cloud agnostic way of managing container workloads on all clouds, while still taking advantage of supporting Cloud services. You can get services up and running and publicly exposed in minutes without having to setup a pipeline or having to write any YAML code.

About Keycloak

Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code. Keycloak adds authentication to applications and secure services. No need to deal with storing users or authenticating users. It’s all available out of the box. You’ll even get advanced features such as User Federation, Identity Brokering and Social Login.

Keycloak integration in Otomi Core

With the integration of Keycloak it is possible to add your company directory (like Azure AD) or a social Login (like GitHub) as an external IDP. When configured, Keycloak will act as an Oauth2 broker for all services, including Otomi Apps (see figure 1). When a user is authenticated, Istio policies (using JWT-tokens) will determine if a user has access to a service.

Figure 1: All integrated Otomi Apps
Figure 2: Select your favorite IDP in Keycloak

Single-Sign On for applications

Users of applications exposed using Otomi Container Platform can authenticate with Keycloak rather than individual applications. This means that your applications don’t have to deal with login forms, authenticating users, and storing users. Once logged-in to Keycloak, users don’t have to login again to access all different application. This also applies to logout. Keycloak provides single-sign out, which means users only have to logout once to be logged-out of all applications that use Keycloak.


The Otomi Core teams feature supports tenants on the platform. Teams can be used to support DevOps teams, projects or even different organizations sharing the same platform. A team can operate on multiple Kubernetes clusters, even when running on different Clouds. A team will get access to the Otomi Console (the UI), providing access to all the tools needed for complete visibility. Team members are provided access to a team with Roles configured in Keycloak. Using Keycloak, Otomi Container Platform now offers full RBAC.


The service feature in Otomi Container Platform can be used for easy deployment of (serverless) container workloads and exposing these services with a public URL. The services feature now provides the option to automatically add SSO to a service (using only a single configurable IDP). With the Keycloak integration, it is going to be possible to select an IDP and add configure RBAC for publicly exposed services. This will bring all the Keycloak features to be used for all applications deployed and exposed using Otomi Container Platform.


Having a single IDP for all services still doesn’t solve all user management issues. Harbor has its own RBAC based on Projects. Using the Harbor API Otomi Core will automatically configure the RBAC for Harbor. When a team is created, a new project in Harbor is automatically created and the group configured for the team will automatically get access to the project.

Having an OIDC compliant IDP allows to seamlessly connect all Otomi applications behind Keycloak SSO, mapping teams and their users transparently to the roles in the application. Most applications are becoming OIDC compliant, but even those that are not are still secured with SSO.

Want to know more, visit



CTO @ Red Kubes | Cloud Solutions Architect | CKA | CCSP

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store