Zero trust with Webauthn / Fido2


I am trying to implement a zero trust access proxy with fido2 authentication and keycloak seems to be a promising candidate.

Can someone tell me if my assumption about the capabilities of keycloak are correct?


  • on-premise services only, no online service can be used for authentication or identity management
  • full webauthn / fido2 support without third party components
  • support for non web applications, like ssh and smtp

optionally I already have a freeIPA server that I want to use for Identity management (especially for SSH certificates)

Is this at all possible with keycloak or did I misunderstand some critical part of the documentation?