Identity is the central security layer in 2026: those who fail here, fail everywhere. Yet many mid-market businesses still operate six to eight login worlds – AD for Windows clients, separate cloud logins for Microsoft 365, dedicated accounts for the ERP, dedicated again for the wiki, dedicated again for the VPN. SecTepe.Comm sets up a central identity layer with Keycloak – and a lightweight AD connector that integrates hybrid environments without migration pain.
Why SSO – and Why Keycloak?
SSO brings three non-negotiable advantages: fewer passwords (= less phishing surface), centralized offboarding (a user is disabled once and is offline everywhere), and a single audit trail. Keycloak has been the open-source standard for this for years: OIDC, SAML 2.0, optional FIDO2/WebAuthn, robust MFA options, brute-force protection, fine-grained role mapping.
What Makes the SecTepe.Comm Integration Different
- Auto-provisioning of realms: On deployment, Keycloak clients for Mailcow, RocketChat, BookStack, GitLab, Grafana, etc. are set up automatically – including group/role mapping.
- SSO bridges for non-OIDC apps: Tools that only speak LDAP or header auth get a bridge container that translates OIDC tokens into the respective auth model.
- CTI IP check as authenticator: Before login, Keycloak asks the integrated CTI stack whether the source IP appears on a block list – login attempts from known C2 or phishing-infrastructure IPs are rejected outright.
- Self-service recovery: Password reset and MFA recovery run via the Keycloak account console – no helpdesk ticket required.
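The IP-reputation check described above, as an added example that is not SecTepe.Comm's or Keycloak's own code. Inside Keycloak such a check is a Java authenticator SPI plugin; the decision logic it needs is shown here in plain Python so it runs offline. The block list, the trusted-proxy range and the sample requests are all constructed for this example. The part a practitioner most often gets wrong is also covered: the `X-Forwarded-For` header is only honoured when the direct peer is a trusted reverse proxy, and then only its last element, because everything before it is client-supplied.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample block list in the shape a CTI feed delivers: single hosts and CIDR ranges.
SAMPLE_BLOCKLIST = ["203.0.113.7", "198.51.100.0/24", "2001:db8:bad::/48"]
# Constructed: the only reverse-proxy range whose X-Forwarded-For header is believed.
TRUSTED_PROXIES = ["10.0.0.0/8"]


class IpBlocklist:
    """Membership test over a mixed list of addresses and networks (IPv4 and IPv6)."""

    def __init__(self, entries):
        self._nets = [ipaddress.ip_network(e, strict=False) for e in entries]

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        # an IPv4 address is simply "not in" an IPv6 network, no error is raised
        return any(addr in net for net in self._nets)


def client_ip(remote_addr: str, xff_header, trusted_proxies) -> str:
    """Pick the address to check.

    X-Forwarded-For is only trusted when the TCP peer is one of our proxies.
    A trusted proxy appends the address it actually saw as the LAST element;
    earlier elements may have been forged by the client, so they are ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = any(peer in ipaddress.ip_network(p) for p in trusted_proxies)
    if trusted and xff_header:
        return xff_header.split(",")[-1].strip()
    return remote_addr


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_login_source(remote_addr, xff_header, blocklist, trusted_proxies, fail_open=False):
    """Return the pre-login decision. Unparsable addresses fail closed unless
    the operator explicitly opts into fail-open behaviour."""
    try:
        ip = client_ip(remote_addr, xff_header, trusted_proxies)
    except ValueError as exc:
        return Decision(fail_open, f"unparsable source address: {exc}")
    if blocklist.contains(ip):
        return Decision(False, f"source {ip} on CTI block list")
    return Decision(True, f"source {ip} not listed")


if __name__ == "__main__":
    bl = IpBlocklist(SAMPLE_BLOCKLIST)
    # forged header from an untrusted peer is ignored; the peer itself is listed
    print(check_login_source("203.0.113.7", "192.0.2.10", bl, TRUSTED_PROXIES))
    # trusted proxy, real client appended last and inside a listed /24
    print(check_login_source("10.1.2.3", "192.0.2.10, 198.51.100.9", bl, TRUSTED_PROXIES))
```

Whether to fail open or closed when the CTI stack is unreachable is a policy decision; the default here is fail closed for privileged realms, since an outage of the reputation feed should not silently widen the attack surface.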
The AD Connector: Bridge Instead of Big Bang
Most mid-market businesses have a working AD forest – and no plan to migrate it. The SecTepe.Comm AD connector is an on-prem sidecar that:
- Synchronizes user lists, groups, and status (active/disabled) bidirectionally.
- Enables Kerberos SSO for domain-joined clients – single sign-on without browser credential entry.
- Maps AD groups automatically to Keycloak roles – e.g. "Domain Admins" → "mail-security-admin".
- On disable in AD, deactivates the user in Keycloak – and thereby in all integrated apps – within 30 s.
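The mapping step of the AD-to-Keycloak sync described above, as an added example; this is not the SecTepe.Comm connector's code. It takes an LDAP-style user record as an LDAP client library would return it (constructed here), derives the Keycloak `enabled` flag from the `userAccountControl` attribute (bit `0x2` is `ACCOUNTDISABLE`) and translates `memberOf` group DNs into realm roles. The group-to-role table, the DNs and the sample users are assumptions for this example; the output shape is a user representation as accepted by the Keycloak Admin REST API, and only the AD-to-Keycloak direction is shown.

```python
# Documented Windows userAccountControl flags (only the ones this example needs).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200

# Assumed group-to-role table; the DNs are constructed for an example domain.
GROUP_ROLE_MAP = {
    "CN=Domain Admins,CN=Users,DC=example,DC=local": "mail-security-admin",
    "CN=Helpdesk,OU=Groups,DC=example,DC=local": "helpdesk",
    "CN=All Staff,OU=Groups,DC=example,DC=local": "user",
}

# Constructed sample directory entries as the connector would read them from AD.
SAMPLE_AD_ENTRIES = [
    {
        "sAMAccountName": "JDoe",
        "givenName": "Jane",
        "sn": "Doe",
        "mail": "jane.doe@example.local",
        "userAccountControl": UF_NORMAL_ACCOUNT,
        "memberOf": [
            "CN=Domain Admins,CN=Users,DC=example,DC=local",
            "CN=All Staff,OU=Groups,DC=example,DC=local",
        ],
    },
    {
        "sAMAccountName": "BSmith",
        "givenName": "Bob",
        "sn": "Smith",
        "mail": "bob.smith@example.local",
        # NORMAL_ACCOUNT with the ACCOUNTDISABLE bit set: offboarded in AD
        "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=example,DC=local"],
    },
]


def is_enabled(user_account_control: int) -> bool:
    """AD marks disabled accounts with a flag bit, not a separate attribute."""
    return not (int(user_account_control) & UF_ACCOUNTDISABLE)


def roles_for(member_of) -> list:
    """Map group DNs to realm roles. DN matching in AD is case-insensitive,
    so both sides are normalised before lookup; unknown groups are ignored."""
    table = {dn.lower(): role for dn, role in GROUP_ROLE_MAP.items()}
    return sorted({table[dn.lower()] for dn in member_of if dn.lower() in table})


def to_keycloak_user(ad_entry) -> dict:
    """Build the user representation for the Keycloak Admin REST API."""
    return {
        "username": ad_entry["sAMAccountName"].lower(),
        "email": ad_entry.get("mail"),
        "firstName": ad_entry.get("givenName"),
        "lastName": ad_entry.get("sn"),
        "enabled": is_enabled(ad_entry["userAccountControl"]),
    }


def plan_sync(ad_entry, current_roles):
    """Return (user representation, roles to add, roles to remove).

    A disabled AD account yields enabled=False; once written, Keycloak refuses
    new sessions and token refreshes for that user in every integrated app,
    which is the central-offboarding effect described above.
    """
    rep = to_keycloak_user(ad_entry)
    wanted = set(roles_for(ad_entry.get("memberOf", [])))
    current = set(current_roles)
    return rep, sorted(wanted - current), sorted(current - wanted)


if __name__ == "__main__":
    for entry, current in zip(SAMPLE_AD_ENTRIES, [["user"], ["helpdesk", "user"]]):
        print(plan_sync(entry, current))
```

Note that an `enabled=False` write does not revoke access tokens already issued; their remaining lifetime bounds how long a disabled user can still reach an app, so short access-token lifetimes are part of making the 30 s figure meaningful.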
MFA: Reasonable Instead of Annoying
A good MFA plan makes protection invisible and the failure risk small:
- FIDO2 hardware keys (e.g. YubiKey) for admins, operators, and privileged roles – mandatory.
- TOTP (Authy, Google Authenticator) for regular users – default.
- Push notifications via mobile app for "convenience" logins (per-user opt-in).
- Backup codes with self-service printing.
- A phishing-resistant WebAuthn flow also simplifies awareness training: there is no code to read out over the phone anymore, so that social-engineering vector disappears.
Avoiding Vendor Lock-In
Microsoft Entra ID is powerful – and expensive when you really use the good features (conditional access, privileged identity management). It also centralizes identity in the Microsoft cloud, which is increasingly questionable in light of NIS-2 and Schrems II discussions. A Keycloak-based stack is standards-compliant enough that a later migration is not ruled out – and at the same time sovereign enough that it is not forced.
Operational Reality
A Keycloak instance serving 5,000 users and 30 apps runs comfortably on a 4-vCPU VM with 8 GB RAM – hosting costs under €50/month. The license: Apache 2.0. Support: via commercial partners (SecTepe included) or self-maintenance via the active community.
Conclusion
Identity is the security layer where investment pays off the most – no mail filter, sandbox, or SIEM compensates for an uncontrolled identity inventory. Keycloak plus AD connector is the pragmatic, vendor-neutral, EU-sovereign answer to it. Time investment for a clean initial integration: two to four weeks with expert support. Afterwards, every new app is integrated in hours, not weeks.