# Managed Keycloak Switzerland

> Managed Keycloak on Swiss cloud infrastructure. 24/7 operations, up to 99.99% SLA, unlimited users, fixed price from CHF 360/month. By VSHN and Inventage.


Enterprise Identity and Access Management on Swiss cloud infrastructure. VSHN operates your Keycloak instances with 24/7 support and up to 99.99% availability SLA. Inventage provides expert-level Keycloak engineering and consulting. From CHF 360 per month.


## Pages

- [Homepage](https://www.managed-keycloak.ch/): Managed Keycloak in Switzerland – IAM as a Service | VSHN
- [Okta vs Auth0 vs Managed Keycloak — IAM Cost Comparison | VSHN](https://www.managed-keycloak.ch/comparison.md)
- [Open-Source IAM Comparison: Keycloak, Authentik, Zitadel](https://www.managed-keycloak.ch/open-source-iam.md)
- [Partner with VSHN on Managed Keycloak | VSHN](https://www.managed-keycloak.ch/partners.md)
- [Keycloak Sovereignty — Swiss IAM Hosting | VSHN](https://www.managed-keycloak.ch/sovereignty.md)

## Features

- **Keycloak Expertise from Inventage**: Inventage operates the Keycloak Competence Center Switzerland and provides Level 3 engineering support for your Keycloak deployment. Their engineers build custom extensions, resolve complex configuration issues, and contribute to the Keycloak project. Clients include Baloise, LGT, VP Bank, Zürich Insurance, and the Swiss Federal Office of Information Technology.

- **24/7 Operations by VSHN**: VSHN operates your Keycloak instances: monitoring, patching, upgrades, incident response, and backup management. Our ISO 27001-certified operations team provides round-the-clock coverage so your identity infrastructure is always available.

- **Digital Sovereignty & Swiss Hosting**: Identity is the foundation every other service depends on. It is the starting point for any digital sovereignty initiative. Managed Keycloak runs on Swiss cloud providers (cloudscale.ch, Exoscale), on Enterprise Private Cloud, or on your own on-premises infrastructure. Your identity data stays where you control it. VSHN is a Swiss-owned company with no foreign parent or investors, and all contracts are governed by Swiss law with no exposure to the US CLOUD Act. For customers requiring sovereign key custody, encryption with customer-controlled keys is available via the open PKCS#11 standard, supporting a broad selection of HSM vendors. For example, [Securosys CloudHSM](https://www.securosys.com/cloud-security/cloudhsm-overview) is a Swiss hardware security module where VSHN cannot access the key material. Because Keycloak is open source, you are never locked in. You can change service providers at any time. Learn more in our [sovereignty assessment](/sovereignty/).

- **Self-Service on Servala**: Order managed Keycloak instances through Servala with automated provisioning on eight cloud providers, including Enterprise Private Cloud and on-premises. Choose between Best Effort for development workloads or Guaranteed Availability with 99.99% SLA for production. PostgreSQL database, TLS encryption, and automated backups included.

- **Enterprise IAM Features**: Consolidate authentication across your organization with Single Sign-On, multi-factor authentication, and federation with LDAP or Active Directory. Keycloak supports up to 100 realms with unlimited users, custom themes, and standards-based protocols (OAuth 2.0, OpenID Connect, SAML 2.0) for integration with any application.

- **Open Source — No Lock-in**: Keycloak is licensed under Apache 2.0, originally created by Red Hat and now a CNCF incubating project. Standards-based protocols (OAuth 2.0, OpenID Connect, SAML 2.0) mean your integrations work with any provider. Your realms, users, and configuration belong to you, not to your service provider.


## What VSHN and Inventage deliver

- 24/7 operations and monitoring by VSHN
- Expert Keycloak engineering by Inventage
- Automated daily backups with encrypted off-site storage
- Continuous upgrades to the latest Keycloak version
- Security patches applied proactively
- Deployment on cloudscale.ch, Exoscale, Enterprise Private Cloud, on-premises, and additional providers via Servala
- Custom themes, extensions, and enterprise integrations supported
- Consulting and onboarding package available (CHF 8,000 / 5 days)

## Managed Keycloak pricing

- **Managed Keycloak** — CHF 360/month — Best effort SLA, 1 instance
- **Managed Keycloak HA** — CHF 1,500/month — 99.99% SLA, 2 instances + test/dev

Cloud provider computing resources charged separately. PostgreSQL database included. Business hours support included; 24/7 support plan optional.


## Trusted by Swiss organizations

- [HIN](https://www.vshn.ch/en/success-stories/hin-health-info-net/)
- [acrevis](https://www.vshn.ch/en/success-stories/acrevis/)
- [Schweizerisches Bundesarchiv BAR](https://www.vshn.ch/en/success-stories/schweizerisches-bundesarchiv-bar/)
- [Comerge](https://www.vshn.ch/en/vshn-partner/comerge/)

## Managed Keycloak FAQ

### What is Keycloak?

Keycloak is an open-source Identity and Access Management (IAM) solution that provides Single Sign-On (SSO), multi-factor authentication, social login, user federation with LDAP and Active Directory, and fine-grained authorisation. It supports industry-standard protocols including OAuth 2.0, OpenID Connect, and SAML 2.0. Keycloak is backed by Red Hat and is a CNCF incubating project, licensed under Apache 2.0.


### Who operates managed Keycloak?

VSHN provides Level 2 operations: 24/7 monitoring, infrastructure management, patching, upgrades, backups, and incident response. Inventage provides Level 3 engineering support: expert analysis of Keycloak configuration, custom extensions, and core product issues. Together, this three-tier model (your team for Level 1 end-user support, VSHN for operations, Inventage for engineering) covers the full support stack.


### What SLA is available for managed Keycloak?

The Best Effort plan at CHF 360 per month includes professional operations without a formal uptime commitment, suitable for development and staging environments. The Guaranteed Availability plan at CHF 1,500 per month provides 99.99% uptime SLA with two Keycloak instances and a PostgreSQL database, backed by 24/7 monitoring and incident handling. A dedicated test and development instance is included at Best Effort tier.


### Which cloud providers are supported?

Managed Keycloak is available on Swiss cloud providers including cloudscale.ch and Exoscale, both operating data centers exclusively in Switzerland. Through Servala, Keycloak is also available on Xelon, Switch, Levigo, APPUiO, Managed OpenShift, and Enterprise Private Cloud. Swiss providers are recommended for organizations with data residency requirements.


### How are backups handled?

All Keycloak data is stored in a managed PostgreSQL database. Automated daily backups with six retained copies by default. VSHN uses CloudNativePG with Barman for backup orchestration. Deletion protection is available as an additional safeguard.


### Can I use custom themes and extensions?

Yes. Managed Keycloak supports custom themes for login pages, account management, and email templates, including logos, colours, fonts, and custom stylesheets. Custom extensions are supported via container images. Inventage develops custom authenticators, event listeners, protocol mappers, and federation providers as part of their Level 3 engineering service.


### What Keycloak features are included?

Each managed Keycloak instance supports up to 100 realms with unlimited users, admin console access, built-in metrics and dashboards, custom subdomain configuration, keycloak-config-cli for declarative configuration, and TLS-encrypted PostgreSQL database. High-availability configurations use Infinispan clustering across two or three instances with zero-downtime maintenance.


### Why is managed Keycloak important for digital sovereignty?

The [EU Cloud Sovereignty Framework](https://ec.europa.eu/commission/presscorner/detail/en/ip_26_833) defines eight dimensions of cloud sovereignty, from data residency and legal jurisdiction to operational independence and open-source technology. Managed Keycloak addresses all of them: your data stays on Swiss cloud providers (cloudscale.ch, Exoscale) with no exposure to the US CLOUD Act, VSHN's Swiss-based operations team independently manages patching and upgrades without non-European vendor involvement, and Keycloak's open-source license and open standards (OAuth 2.0, OpenID Connect, SAML 2.0) ensure you are never locked in. Identity is the service every other application depends on, making it the natural starting point for a sovereignty strategy. See our [sovereignty assessment](/sovereignty/) for details on how VSHN scores against the EU Cloud Sovereignty Framework.


### How does managed Keycloak compare to self-hosted?

Self-hosting Keycloak requires Kubernetes expertise, database administration, backup automation, security patching, and on-call coverage. Managed Keycloak provides all of this as a service with a fixed monthly fee. VSHN handles the infrastructure and operations while Inventage provides engineering expertise that would be difficult to build in-house. For production workloads, the Guaranteed Availability plan includes 99.99% SLA and 24/7 support.


### How do I get started?

The fastest way is to order managed Keycloak through Servala at servala.com/service/keycloak/ for self-service provisioning on your choice of cloud provider. For enterprise deployments with custom requirements, contact us using the form below. VSHN and Inventage offer a consulting and onboarding package (CHF 8,000 for 5 days, 40 hours) covering architecture design, realm configuration, identity provider integration, and theme customization.


### Can we migrate from Active Directory or ADFS to Keycloak?

It depends on what you are migrating away from. If your applications use ADFS or Entra ID (formerly Azure AD) for OpenID Connect or SAML authentication, switching to Keycloak is straightforward: Keycloak supports the same protocols, so you reconfigure each application to point to Keycloak as the identity provider. VSHN and Inventage handle the Keycloak deployment, realm setup, and application onboarding. Replacing on-premises Active Directory itself is a different matter. AD is deeply integrated into Windows infrastructure, Group Policy, file shares, and Kerberos-based authentication across most enterprises. A full AD replacement is a significant organizational effort that typically takes months to years and cannot be automated. Keycloak supports LDAP federation with AD, so both systems can coexist during a gradual transition. VSHN and Inventage can deploy and operate your managed Keycloak instance, configure LDAP federation, and set up protocol bridges for applications that need to authenticate against both systems. For the broader AD decommissioning, including application inventory, Group Policy migration, and organizational change management, you will need a dedicated integration partner alongside the Keycloak operations that VSHN provides.


### Can agencies deploy managed Keycloak for client projects?

Yes. Agencies and system integrators use VSHN-managed Keycloak to provide identity and access management for client applications. Each client gets a dedicated Keycloak instance with full tenant isolation on Swiss cloud infrastructure. VSHN handles operations, updates, and 24/7 monitoring while your team configures realms, clients, and authentication flows for the application. Invoice billing and written service agreements simplify cost allocation across client engagements.


## Contact us

Need managed Keycloak or IAM consulting? Order on Servala at servala.com/service/keycloak/, or contact us for a free initial consultation with VSHN and Inventage. Want to hear from a customer first? We can arrange a reference call.


Booking: #contact