=== Features * SSO and Single Log Out for browser applications * Social Login. Enable Google, GitHub, Facebook, Twitter, and other social providers with no code required. * LDAP and Active Directory support. * Optional User Registration * Password and TOTP support (via Google Authenticator). Client cert auth coming soon. * Forgot password support. User can have an email sent to them * Reset password/totp. Admin can force a password reset, or set up a temporary password. * Not-before revocation policies per realm, application, or user. * User session management. Admin can view user sessions and what applications/clients have an access token. Sessions can be invalidated per realm or per user. * Pluggable theme and style support for user facing screens. Login, grant pages, account mgmt, and admin console all can be styled, branded, and tailored to your application and organizational needs. * Integrated Browser App to REST Service token propagation * OAuth Bearer token auth for REST Services * OAuth 2.0 Grant requests * OpenID Connect Support. * SAML Support. * CORS Support * CORS Web Origin management and validation * Completely centrally managed user and role mapping metadata. Minimal configuration at the application side * Admin Console for managing users, roles, role mappings, clients, user sessions and allowed CORS web origins. * Account Management console that allows users to manage their own account, view their open sessions, reset passwords, etc. * Deployable as a WAR, appliance, or on Openshift. Completely clusterable. * Multitenancy support. You can host and manage multiple realms for multiple organizations. In the same auth server and even within the same deployed application. * Identity brokering/chaining. You can make the Keycloak server a child IDP to another SAML 2.0 or OpenID Connect IDP. * Token claim, assertion, and attribute mappings. You can map user attributes, roles, and role names however you want into a OIDC ID Token, Access Token, SAML attribute statements, etc. This feature allows you to basically tailor how you want auth responses to look. * Can support any platform that has an Open ID Connect or SAML 2.0 client adapter. {{book.project.name}} does provide client adapters for Pure HTML5/Javascript apps, JBoss AS7, JBoss EAP 6.x, JBoss EAP 7, Wildfly, Tomcat 7, Tomcat 8, Jetty 9.1.x, Jetty 9.2.x, and Jetty 8.1.x. * Tons of SPIs for customizing every aspect of the server.