Keycloak Plugin

The Keycloak plugin registers Keycloak realm and runtime state as a Konduo resource. It is a resource plugin for Keycloak operations and read-only directory evidence, not a Konduo authentication provider.

Highlights

  • Provides issuer discovery, Admin API readiness, and read-only user/group views.
  • Connects HTTP, JVM, DB pool, cache, worker pool, session, and password hashing signals through a Prometheus mapping pack.
  • Separates diagnostics for discovery, Admin API, metrics, and historical evidence.
  • Alert rules cover JVM pressure, DB waits, worker saturation, cache efficiency, and scrape evidence.

Before Registration

  • Prepare issuer URL, Admin API service account client id/secret, and read-only realm-management roles.
  • Use least-privilege roles such as view-realm, view-users, and query-users for directory views.
  • Metric dashboards require label filters that select the Keycloak scrape target.
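The label filter and alert rules mentioned above, as an added example that is not part of the plugin or the Konduo mapping pack: the script below parses a Prometheus text-exposition scrape, keeps only samples whose labels select the Keycloak target, and evaluates four rules of the kinds the Highlights list (JVM pressure, DB waits, worker saturation, cache efficiency). The metric names, the `job="keycloak"` label filter, the thresholds and the scrape text are all constructed for illustration and are not taken from the page.

```python
"""Evaluate Keycloak-domain alert rules over a Prometheus scrape.

Added example, not Konduo's own code or rule catalog. Metric names, label
filter, thresholds and the sample scrape are constructed/assumed.
"""
import re

# name{labels} value  -- value may be NaN/Inf; Inf alternatives come first so
# a leading '-' is not swallowed by the numeric character class.
SAMPLE_RE = re.compile(
    r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{([^}]*)\})?\s+(NaN|[+-]?Inf|[-+0-9.eE]+)'
)
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')

# Label filter that selects the Keycloak scrape target (assumed label set).
KEYCLOAK_TARGET = {"job": "keycloak"}


def parse_exposition(text):
    """Return (name, labels, value) triples; comments and blank lines are skipped."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if m is None:
            continue  # malformed line: ignore it rather than abort the evaluation
        name, raw_labels, value = m.group(1), m.group(2) or "", m.group(3)
        labels = {k: v for k, v in LABEL_RE.findall(raw_labels)}
        samples.append((name, labels, float(value)))
    return samples


def total(samples, name, target=KEYCLOAK_TARGET, **extra):
    """Sum the values of `name` whose labels match the target filter plus extras."""
    want = {**target, **extra}
    return sum(v for n, labels, v in samples
               if n == name and all(labels.get(k) == val for k, val in want.items()))


def ratio(num, den):
    """Safe division: a missing denominator yields 0.0 (no alert) instead of an error."""
    return num / den if den else 0.0


def evaluate_rules(samples, target=KEYCLOAK_TARGET):
    """Return {rule_name: fired} for the constructed rule set."""
    heap_used = total(samples, "jvm_memory_used_bytes", target, area="heap")
    heap_max = total(samples, "jvm_memory_max_bytes", target, area="heap")
    hits = total(samples, "cache_hits_total", target)
    misses = total(samples, "cache_misses_total", target)
    return {
        "jvm_heap_pressure": ratio(heap_used, heap_max) > 0.90,
        "db_pool_waits": total(samples, "agroal_awaiting_count", target) > 0,
        "worker_saturation": ratio(total(samples, "worker_pool_active", target),
                                   total(samples, "worker_pool_max", target)) > 0.90,
        "cache_efficiency_low": ratio(hits, hits + misses) < 0.80,
    }


def fired_rules(samples, target=KEYCLOAK_TARGET):
    """Names of the rules that fired, sorted for stable output."""
    return sorted(name for name, fired in evaluate_rules(samples, target).items() if fired)


# Constructed scrape output from two targets; only the keycloak job must count.
SAMPLE_SCRAPE = """\
# HELP jvm_memory_used_bytes The amount of used memory
# TYPE jvm_memory_used_bytes gauge
jvm_memory_used_bytes{job="keycloak",area="heap",id="G1 Old Gen"} 1.7e9
jvm_memory_used_bytes{job="keycloak",area="heap",id="G1 Eden Space"} 2.0e8
jvm_memory_used_bytes{job="keycloak",area="nonheap",id="Metaspace"} 1.2e8
jvm_memory_max_bytes{job="keycloak",area="heap",id="G1 Old Gen"} 1.8e9
jvm_memory_max_bytes{job="keycloak",area="heap",id="G1 Eden Space"} 2.0e8
jvm_memory_used_bytes{job="other-app",area="heap",id="G1 Old Gen"} 9.0e9
agroal_awaiting_count{job="keycloak",datasource="default"} 3
worker_pool_active{job="keycloak",pool="vert.x-worker-thread"} 5
worker_pool_max{job="keycloak",pool="vert.x-worker-thread"} 20
cache_hits_total{job="keycloak",cache="users"} 700
cache_misses_total{job="keycloak",cache="users"} 300
"""

if __name__ == "__main__":
    for rule, fired in evaluate_rules(parse_exposition(SAMPLE_SCRAPE)).items():
        print(f"{rule:22s} {'FIRING' if fired else 'ok'}")
```

Without the `job` filter the 9 GB heap sample from `other-app` would be summed into Keycloak's heap usage, which is exactly the kind of false signal the label-filter requirement guards against; the `area="heap"` filter likewise keeps Metaspace out of the heap ratio.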

Operations Tips

  • This plugin does not change Konduo login behavior.
  • Directory users and groups are normalized response rows, not persisted Konduo identities.
  • Treat generic availability as Core health/probe state, and treat the metric rules as Keycloak-domain risk signals.

Keycloak Enterprise Overlay

The Keycloak Enterprise overlay adds MCP descriptors, anomaly rules, Admin API diagnostics, and metric mapping to Keycloak resource monitoring. Login is handled by the separate auth-oidc provider; the Keycloak plugin focuses on realm operations and diagnostics.

Highlights

  • Provides dashboard templates, monitoring overview, diagnostics, metrics mapping, and alert/anomaly rule catalogs through MCP.
  • Surfaces Admin API discovery, realm state, JVM, DB pool, worker, cache, and authentication traffic pressure as diagnostic evidence.
  • Prometheus mapping packs connect Keycloak logical metrics to concrete metric names.
  • Related instance templates help create an auth-oidc provider from a monitored Keycloak realm.

Before Registration

  • Prepare Keycloak base URL, realm, Admin API permissions, and metric endpoint exposure.
  • If login integration is needed, register an auth-oidc provider client separately from the Keycloak resource.
  • Keep Admin API service account credentials separate from login client credentials.
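The two credential rules above (least-privilege realm-management roles for the Admin API service account in the plugin's Before Registration list, and a service account that is distinct from the login client here) can be checked against the claims of the service account's access token. The following is an added example, not Konduo's or Keycloak's own code: it assumes the token's signature has already been verified elsewhere, and the client ids and claim sets are constructed. The `resource_access.realm-management.roles` and `azp` claims are standard Keycloak token claims; the role names view-realm, view-users and query-users are the ones the page recommends.

```python
"""Audit a Keycloak Admin API service account for least privilege.

Added example, not Konduo's own code. Input is the already-verified claims of
a service-account access token; sample claims and client ids are constructed.
"""
from dataclasses import dataclass

# Read-only realm-management roles the page recommends for directory views.
READ_ONLY_ROLES = frozenset({"view-realm", "view-users", "query-users"})


@dataclass(frozen=True)
class ServiceAccountAudit:
    granted: frozenset
    excess: frozenset          # roles beyond the read-only set (write/admin capability)
    missing: frozenset         # read-only roles the directory views need but lack
    shares_login_client: bool  # token issued to the login client, not a dedicated one

    @property
    def ok(self):
        return not self.excess and not self.missing and not self.shares_login_client


def realm_management_roles(claims):
    """Roles of the built-in realm-management client, as carried in resource_access."""
    return frozenset(
        claims.get("resource_access", {}).get("realm-management", {}).get("roles", [])
    )


def audit_service_account(claims, login_client_id, required=READ_ONLY_ROLES):
    """Compare granted roles with the read-only allowlist and check client separation."""
    granted = realm_management_roles(claims)
    return ServiceAccountAudit(
        granted=granted,
        excess=granted - required,
        missing=required - granted,
        # azp is the client the token was issued to; it must differ from the login client
        shares_login_client=claims.get("azp") == login_client_id,
    )


# Constructed claims: a correctly scoped account, and an over-privileged one
# that also reuses the login client (assumed client ids).
LOGIN_CLIENT_ID = "konduo-login"
GOOD_CLAIMS = {
    "azp": "konduo-keycloak-admin",
    "resource_access": {
        "realm-management": {"roles": ["view-realm", "view-users", "query-users"]}
    },
}
BAD_CLAIMS = {
    "azp": "konduo-login",
    "resource_access": {
        "realm-management": {"roles": ["view-users", "manage-users", "realm-admin"]}
    },
}

if __name__ == "__main__":
    for label, claims in (("good", GOOD_CLAIMS), ("bad", BAD_CLAIMS)):
        audit = audit_service_account(claims, LOGIN_CLIENT_ID)
        print(label, "ok" if audit.ok else
              f"excess={sorted(audit.excess)} missing={sorted(audit.missing)} "
              f"shares_login_client={audit.shares_login_client}")
```

Run the audit at registration time and again whenever the service account's role mappings change: an `excess` set that is non-empty means the Admin API credential can modify the realm, which the read-only directory views never need.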

Operations Tips

  • Do not use Keycloak directory/Admin API routes as the login processing path.
  • Anomaly rules only produce meaningful signals when the Keycloak resource is linked to a metric source.
  • Troubleshoot OIDC login failures separately from Keycloak resource diagnostics failures.