Keycloak-fips

Supports single sign-on (SSO), OAuth2, OpenID Connect, SAML, LDAP integration, and user federation.

quay.io/keycloak/keycloak
bitnami/keycloak
jboss/keycloak
dexidp/dex

What is Keycloak-fips?

The keycloak-fips image provides a FIPS 140-2 compliant build of Keycloak, an open-source identity and access management solution. Keycloak supports single sign-on (SSO), OAuth2, OpenID Connect, SAML, LDAP integration, and user federation out of the box.

This image is hardened to use FIPS-approved cryptographic modules, which are required in regulated environments such as U.S. federal systems or industries like healthcare and finance. It ensures that all TLS, hashing, and encryption operations comply with FIPS standards.

The keycloak-fips image is designed for organizations deploying secure authentication and authorization services that must meet compliance requirements without sacrificing Keycloak’s extensibility and federation capabilities.

How to use this image

This image is typically run as a containerized identity service inside a Kubernetes cluster or on a hardened VM.

Run Keycloak FIPS in standalone mode (development only):

<code>docker run -d -p 8443:8443 \
  -e KEYCLOAK_ADMIN=admin \
  -e KEYCLOAK_ADMIN_PASSWORD=admin \
  quay.io/keycloak/keycloak:23.0.7-fips \
  start --https-port=8443 --hostname-strict=false</code>

Run in Kubernetes with Helm:

You can override the image via values:

<code>image:
  repository: quay.io/keycloak/keycloak
  tag: 23.0.7-fips</code>

Enable TLS and FIPS-specific options:

Ensure your runtime environment (e.g., RHEL, UBI) supports FIPS mode and the underlying OS kernel and crypto libraries are FIPS-compliant.
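A preflight check for the requirement above, as an added example that is not part of the original page or the Keycloak project: it verifies the kernel FIPS flag (`/proc/sys/crypto/fips_enabled` reads 1 on a Linux kernel in FIPS mode), that the image reference carries an explicit `-fips` tag, and that the admin password is not the development default. The function names and the `FIPS_FLAG` override are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: preflight checks before starting a -fips Keycloak container.
# Function names and the FIPS_FLAG override are assumptions of this sketch.

# Linux reports kernel FIPS mode in this file; containers see the host's value.
FIPS_FLAG="${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"

# host_fips_enabled [file]: succeed only if the flag file is readable and is 1.
host_fips_enabled() {
    flag_file="${1:-$FIPS_FLAG}"
    [ -r "$flag_file" ] || return 1
    [ "$(tr -d '[:space:]' < "$flag_file")" = "1" ]
}

# is_fips_image <ref>: succeed only for an explicit <version>-fips tag.
is_fips_image() {
    ref="${1%%@*}"              # drop any @sha256:... digest suffix
    last="${ref##*/}"           # final path component, so a registry port is ignored
    case "$last" in
        *:?*-fips) return 0 ;;  # e.g. keycloak:23.0.7-fips
        *)         return 1 ;;  # untagged (implies latest) or a non-FIPS tag
    esac
}

# default_admin_password: succeed (flag a problem) when the password is empty
# or the development default shown on the page.
default_admin_password() {
    case "${KEYCLOAK_ADMIN_PASSWORD:-}" in
        ''|admin) return 0 ;;
        *)        return 1 ;;
    esac
}

# preflight <image-ref>: run every check, report all failures, return 1 if any.
preflight() {
    rc=0
    host_fips_enabled || { echo "FAIL: kernel FIPS mode is off ($FIPS_FLAG)" >&2; rc=1; }
    is_fips_image "$1" || { echo "FAIL: '$1' is not a <version>-fips tag" >&2; rc=1; }
    if default_admin_password; then
        echo "FAIL: KEYCLOAK_ADMIN_PASSWORD is empty or 'admin'" >&2; rc=1
    fi
    return "$rc"
}

# Run only when called with an image reference, e.g.:
#   KEYCLOAK_ADMIN_PASSWORD=... sh preflight.sh quay.io/keycloak/keycloak:23.0.7-fips
[ "$#" -eq 0 ] || preflight "$@"
```

A kernel flag of 1 does not by itself show that the crypto libraries in use are validated modules; that still has to be confirmed for the distribution and runtime you deploy on.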

Logging and ports:

Keycloak logs to stdout. HTTPS typically listens on port 8443. Admin UI is available at https://<host>:8443/admin.

Image variants

The Keycloak FIPS image is published under quay.io/keycloak/keycloak with -fips tags for each supported version.

quay.io/keycloak/keycloak:<version>-fips

FIPS-compliant variant of the given Keycloak release (e.g. 23.0.7-fips).

Use in regulated environments requiring validated cryptographic standards.

quay.io/keycloak/keycloak:<version>

Standard version without FIPS hardening.

Use in general-purpose identity deployments where FIPS is not required.

There is no separate repo for FIPS—these variants are part of the official Keycloak image lineage and are built from Red Hat’s FIPS-compatible Java runtime.
