Applying an Identity Provider across the TenUp Product Suite

  • 99.99% IDP uptime
  • 20% development cost reduced per product
  • 100% compatible with OpenID, OAuth 2.x integrations

Eases Through Growth Pains with Keycloak SSO Implementation

Customer Overview

TenUp offers a suite of SaaS products built on a multi-tenant cloud architecture, enabling enterprises to access different applications on demand. As the platform expanded, customers needed a frictionless way to move across products while keeping their profiles consistent and secure. This created a strong need for centralized identity management, supported through a scalable Keycloak implementation for SaaS to deliver a unified identity experience, maintain trust, simplify access, and support enterprise adoption at scale.

Project Overview

The existing identity setup required users to authenticate separately for each SaaS product, creating unnecessary friction and increasing operational effort for TenUp’s internal teams. With more applications being added to TenUp’s SaaS ecosystem and user volumes growing, this fragmented model became unsustainable. TenUp needed a centralized identity foundation powered by a flexible Keycloak implementation for SaaS, ensuring high availability, synchronized user profiles, and seamless access across all products. The objective was to build a scalable and cost-efficient identity layer to anchor the next phase of TenUp’s multi-tenant platform growth.

Challenges

To support a growing suite of SaaS applications, TenUp required a centralized identity foundation, strengthened through a robust Keycloak implementation for SaaS, that could unify authentication, profile management, security workflows, and third-party integrations across its entire SaaS product ecosystem.

  • Establishing a single, unified identity for each user across all TenUp products, ensuring consistent authentication and profile continuity throughout the multi-application ecosystem.
  • Centralizing critical identity functions such as registration, terms and conditions acceptance, audit logging, email verification, password expiry handling, password reset flows, authentication, and authorization.
  • Supporting both social login (Google, Facebook, LinkedIn) and enterprise identity federation, enabling flexible onboarding patterns for users across different organizations.
  • Providing a centralized user profile management interface where any profile updates instantly propagate across all products the user has access to.
  • Enforcing mandatory email validation to confirm user identity and guarantee reliable account recovery in any scenario.
  • Implementing secure API key management per application so third-party systems can integrate with TenUp’s products over OAuth 2.0.
  • Detecting brute-force login attempts and triggering automated tenant notifications to enable administrators to take timely defensive action.
  • Ensuring the identity system integrates smoothly with development workflows, scales reliably, supports high availability, and remains fully customizable for commercial use across the entire product suite.
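
One way to meet the brute-force detection and tenant notification requirement listed above, as an added example that is not TenUp's code: a sliding-window check over login failure events, grouped per tenant. It assumes each tenant maps to one Keycloak realm and that events carry the fields of Keycloak's event representation (`type`, `realmId`, `ipAddress`, `details.username`, `time` in milliseconds); the window, threshold and sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW_MS = 60_000  # assumed sliding window
THRESHOLD = 5       # assumed failures inside the window before alerting


def detect(events, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """Return {realm: [alert, ...]}; each realm is assumed to be one tenant."""
    recent = defaultdict(deque)  # (realm, kind, key) -> failure times in window
    alerted = set()              # alert once per key to avoid notification floods
    alerts = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("type") != "LOGIN_ERROR":
            continue
        realm = ev.get("realmId", "unknown")
        username = (ev.get("details") or {}).get("username")
        # Count per source IP (many accounts tried from one address) and per
        # account (one account tried from many addresses).
        for kind, key in (("ip", ev.get("ipAddress")), ("user", username)):
            if not key:
                continue
            track = (realm, kind, key)
            times = recent[track]
            times.append(ev["time"])
            while ev["time"] - times[0] > window_ms:
                times.popleft()
            if len(times) >= threshold and track not in alerted:
                alerted.add(track)
                alerts[realm].append({"kind": kind, "key": key,
                                      "failures": len(times), "at": ev["time"]})
    return dict(alerts)


def sample_events():
    """Constructed events using fields of Keycloak's event representation."""
    t0 = 1_700_000_000_000
    def fail(t, realm, ip, user):
        return {"time": t, "type": "LOGIN_ERROR", "realmId": realm, "ipAddress": ip,
                "error": "invalid_user_credentials", "details": {"username": user}}
    # tenant-a: six failures in 10 s from one address against different accounts
    evs = [fail(t0 + i * 2_000, "tenant-a", "203.0.113.7", f"user{i}") for i in range(6)]
    # tenant-b: one user mistyping every 30 s, never five inside a minute
    evs += [fail(t0 + i * 30_000, "tenant-b", "198.51.100.9", "carol") for i in range(6)]
    evs.append({"time": t0 + 1_000, "type": "LOGIN", "realmId": "tenant-b",
                "ipAddress": "198.51.100.9", "details": {"username": "carol"}})
    return evs


if __name__ == "__main__":
    for realm, found in detect(sample_events()).items():
        print(f"notify admins of {realm}: {found}")
```

Only tenant-a produces an alert here, so only that tenant's administrators would be notified; the slow failures in tenant-b stay below the threshold.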

Solution

TenUp modernized its identity foundation by adopting Red Hat Keycloak as a unified, standards-based platform and extending it to support the needs of a growing multi-application ecosystem. This Keycloak implementation for SaaS served as the backbone for centralized identity management, multi-tenant authentication flows, and seamless product-to-product access.

  • Evaluated multiple open-source identity providers across functionality, extensibility, support ecosystem, and commercial readiness, and selected Red Hat Keycloak as the platform best suited to deliver centralized authentication, unified user lifecycle management, standards-based protocols, and high availability for TenUp’s product suite.
  • Leveraged built-in capabilities such as registration, authentication, password reset, email verification, OAuth 2.x, and OpenID Connect to unify identity management across all SaaS products and simplify integration for third-party systems.
  • Extended the authentication flow so that after the IDP validates user credentials, it invokes TenUp’s custom authorization service for secondary checks, including application-level access rights, subscription status, and tenant-level restrictions, one of the key enhancements made during the Keycloak implementation for SaaS.
  • Customized the login, registration, forgot-password, and email templates to align with TenUp’s product branding and added additional fields to the registration flow to support enhanced user onboarding requirements.
  • Extended the User Account Management Console in Keycloak by redesigning the UI/UX and linking each product in the ecosystem to this module. This ensured a consistent profile experience across all SaaS products, supporting both identity management and the broader Keycloak implementation for SaaS requirements.
  • Enabled secure social login by integrating Google as an identity provider, simplifying user onboarding through standard OAuth credentials.
  • Utilized the platform’s administrative REST APIs to automate user provisioning, invitation workflows, and external integrations, allowing third-party applications to create clients, retrieve API credentials, and interact securely with the system over OAuth.
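
The secondary check described in the list above (application-level access rights, subscription status, tenant-level restrictions, run after the IdP has validated credentials) can be sketched as a fail-closed decision function. This is an added example, not TenUp's authorization service: every name, record shape and sample record is hypothetical, and the tenant-level restriction is assumed to be an allowed e-mail domain list.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Tenant:
    suspended: bool
    subscriptions: dict     # product -> subscription end date
    email_domains: tuple    # tenant-level restriction; empty tuple = none


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Constructed sample data standing in for the authorization service's store.
TENANTS = {
    "acme": Tenant(False, {"crm": date(2030, 1, 1), "billing": date(2020, 1, 1)}, ("acme.example",)),
    "globex": Tenant(True, {"crm": date(2030, 1, 1)}, ()),
}
GRANTS = {("u-1", "crm"), ("u-1", "billing"), ("u-3", "crm")}  # (user, product)


def authorize(user_id, email, tenant_id, product, today):
    """Secondary check. Every branch that is not an explicit pass denies."""
    tenant = TENANTS.get(tenant_id)
    if tenant is None:
        return Decision(False, "unknown_tenant")
    if tenant.suspended:
        return Decision(False, "tenant_suspended")
    domain = email.rsplit("@", 1)[-1].lower()
    if tenant.email_domains and domain not in tenant.email_domains:
        return Decision(False, "tenant_restriction")
    end = tenant.subscriptions.get(product)
    if end is None or end < today:
        return Decision(False, "subscription_inactive")
    if (user_id, product) not in GRANTS:
        return Decision(False, "no_application_access")
    return Decision(True, "ok")


def complete_login(credentials_valid, **request):
    """Runs after the IdP's credential check; never upgrades a failure."""
    if not credentials_valid:
        return Decision(False, "invalid_credentials")
    try:
        return authorize(**request)
    except Exception:
        # A malformed request or a failing lookup must deny, not allow.
        return Decision(False, "authorization_unavailable")
```

The deny reasons are meant for audit logging; the login page itself would show a generic message so it does not reveal which check failed.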

Benefits

A centralized identity management foundation, strengthened by a tailored Keycloak implementation for SaaS, delivered measurable gains across security, productivity, and operational efficiency. By unifying authentication and user lifecycle workflows, the platform enabled TenUp to scale its multi-application ecosystem with lower cost and greater reliability.

  • Reduced identity management cost by adopting an open-source IDP that provides enterprise-grade authentication, authorization, SSO, and user lifecycle features without licensing overhead.
  • Accelerated product development by enabling teams to integrate new products with a ready identity layer, eliminating the need to build authentication flows from scratch.
  • Improved user productivity through seamless single sign-on across all TenUp products, minimizing login friction and enhancing overall experience.
  • Simplified IT administration with a centralized dashboard for authentication, access control, audit logs, and identity workflows across the entire platform.
  • Increased reliability and scalability through a high-availability identity foundation capable of supporting a growing multi-product ecosystem.
  • Strengthened security posture by standardizing credential handling, email verification, password policies, brute-force detection, and secrets managed securely outside code repositories.
  • Enhanced operational efficiency by automating provisioning, invitation workflows, and admin tasks via REST APIs, reducing manual effort and ongoing management costs.

Technology

  • Red Hat Keycloak
  • Custom Authorization Service
  • Keycloak REST APIs
  • Google OAuth
  • Custom UI/UX Extensions
  • Extended User Account Management Console
  • Email and Notification Workflows

Industry

  • SaaS

Conclusion

By adopting a centralized, open-source identity management platform built through a customized Keycloak implementation for SaaS, TenUp consolidated authentication across its entire SaaS ecosystem and delivered a seamless, unified access experience for all users. The new setup enables customers to register once and securely access every authorized product with the same credentials, while supporting enterprise-grade availability with a maintained SLA of 99.9%.

Frequently asked questions

What is centralized identity management in a SaaS ecosystem?

Centralized identity management in SaaS means using one identity provider to handle all logins, permissions, and user profiles across every product. Users sign in once for seamless SSO, while IT manages access, provisioning, and security from a single control point.

Why do growing SaaS platforms rely on Keycloak for identity management?

Growing SaaS platforms rely on Keycloak because it delivers enterprise-grade SSO, OAuth/OIDC security, multi-tenancy, and identity federation without licensing costs. It accelerates time-to-market by providing ready-made authentication features and lets teams scale securely without building identity infrastructure from scratch.

How does implementing Keycloak improve SSO across multiple SaaS products?

Keycloak improves SSO in SaaS environments by acting as a single identity provider that authenticates users once and issues secure tokens for all connected applications. This eliminates repeated logins, provides a consistent user experience, and enforces unified security policies like MFA and session control across every product.

How does Keycloak help with enterprise onboarding and identity federation?

Keycloak simplifies enterprise onboarding and identity federation by connecting directly to systems like Active Directory, Azure AD, Okta, and Google Workspace using SAML, OAuth 2.0, and OIDC. This lets organizations use their existing identity provider to access your SaaS products with seamless SSO, no duplicate accounts, and unified access control from day one.

What security features does Keycloak add to SaaS products?

Keycloak enhances SaaS security by centralizing identity control and enforcing MFA, brute-force protection, strong password policies, email verification, audit logging, and token-based API authentication. It ensures consistent enterprise-grade security across all products without custom security code in each app.

How does centralized identity management reduce operational costs for SaaS companies?

Centralized identity management cuts SaaS operational costs by unifying authentication, provisioning, and user updates into one system. This reduces support tickets, eliminates duplicate access workflows, lowers engineering maintenance, and automates onboarding/offboarding, saving both IT effort and infrastructure spend.

Can Keycloak support custom login flows and UI for SaaS branding?

Yes. Keycloak fully supports custom login flows and branding, letting SaaS platforms tailor login pages, registration steps, email templates, and authentication logic to match their UI/UX. Teams can theme the entire identity experience while still using a centralized identity provider underneath.

How do SaaS companies measure the ROI of a Keycloak implementation?

SaaS companies measure Keycloak ROI by tracking faster product launches, lower identity-related support costs, reduced licensing spend, improved user retention from seamless SSO, and the security gains that prevent costly breaches. The savings from avoided custom auth development often deliver the highest return.
