Keycloak Session ID Randomization

Good morning. Does anyone know how Keycloak is randomizing its session IDs? I support a government client and we have a requirement to validate that Keycloak is using a FIPS approved random number generator (RNG) to create session IDs. I am 99.9% sure it is randomized but I cannot find any information in Keycloak’s documentation to prove it for auditors. Any info helps.
