
Keycloak for Maritime Identity Management: Single Sign-On Across Vessel Applications

Shipwize · 6 min read

The Identity Problem in Maritime Software

A vessel running a modern communication stack has multiple applications requiring authentication:

  • Communication platform (Matrix)
  • SIP phone client
  • Fleet management system
  • Maintenance management system
  • Cargo management (for cargo vessels)
  • Electronic chart system (ECS) access

Each application has its own authentication. In a poorly integrated deployment, a crew member holds separate credentials for each system. Password resets require IT intervention for each platform. When a crew member transfers to a different vessel, their access must be updated in each system independently.

This is a common source of operational overhead and security risk.

What Keycloak Provides

Keycloak is an open-source Identity and Access Management (IAM) platform with full support for:

  • SAML 2.0 — for older enterprise maritime applications
  • OpenID Connect (OIDC) — for modern web applications and PWAs
  • LDAP/Active Directory sync — for vessels with Windows-based IT environments
  • Single Sign-On (SSO) — one login, all applications
  • User federation — sync crew identities from external systems (crewing software, HR platforms)
  • Multi-factor authentication — for bridge or medical officer access to sensitive systems

In a Keycloak-integrated maritime stack, the crew member logs in once. All connected applications trust the Keycloak-issued token. No separate credentials.

The Maritime SSO Architecture

Crew Management System (HR)
         ↓ User Sync
    Keycloak (on vessel)
    ┌───────────────┐
    │  Realm:       │
    │  shipwize     │
    │  Groups:      │
    │  - Bridge     │
    │  - Engineering│
    │  - Medical    │
    └───────────────┘
         ↓ OIDC / SAML
[Matrix] [SIP Client] [Fleet Mgmt] [Maintenance]

The crew management system (ashore) exports crew rosters via API or scheduled feed. Keycloak user federation syncs these to the local vessel realm. When a crew member logs in to any Keycloak-connected application, their group membership (role) determines access permissions.

Provisioning and Deprovisioning

The operational value of Keycloak is most apparent at crew changeover:

Without Keycloak: IT officer logs in to each system separately. Creates account in communication platform. Creates SIP extension in PBX. Sets up permissions in fleet management. Each step is manual. Missing one means the new crew member lacks access until someone notices.

With Keycloak: Crew roster is updated in the crewing system ashore. Keycloak federation pulls the update. The new crew member's account is active in all connected systems within the sync interval (typically 15–30 minutes). No manual steps.

Similarly, when a crew member departs: Keycloak disables the account. All connected applications reject their credentials within minutes. The security risk of stale credentials is eliminated.
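The federation sync described in the architecture section and the provisioning and deprovisioning flow above amount to one reconciliation pass: the roster ashore is the source of truth, and the vessel realm is brought into line with it on every sync interval. The following Python is an added example, not Shipwize's or Keycloak's code. It diffs a roster feed against the realm's users, produces create, enable, regroup and disable actions, and applies them through an in-memory stand-in for the admin client so it runs offline. The roster format, the `InMemoryAdmin` interface and every username, vessel and group name are constructed; the REST paths in the comments are the Keycloak Admin API endpoints a real client would call.

```python
"""Reconcile an ashore crew roster with the users in a vessel's Keycloak realm.

Added example, not Shipwize's or Keycloak's code. Departed crew are disabled,
never deleted, so their audit trail and the user IDs other systems reference
survive; service and break-glass accounts are excluded from the feed entirely.
"""
from dataclasses import dataclass, field


@dataclass
class RosterEntry:          # one row of the constructed crewing-system feed
    username: str
    groups: list            # Keycloak group paths such as "/Bridge"
    vessel: str


@dataclass
class RealmUser:            # what the realm currently holds for a user
    username: str
    enabled: bool
    groups: list


@dataclass
class SyncPlan:
    create: list = field(default_factory=list)    # POST /admin/realms/{realm}/users
    enable: list = field(default_factory=list)    # PUT  /admin/realms/{realm}/users/{id}  {"enabled": true}
    disable: list = field(default_factory=list)   # PUT  /admin/realms/{realm}/users/{id}  {"enabled": false}
    regroup: dict = field(default_factory=dict)   # PUT/DELETE .../users/{id}/groups/{groupId}


def plan_sync(roster, realm_users, vessel, protected=frozenset()):
    """Compute the changes that make the realm match this vessel's roster.

    `protected` lists accounts the feed must never touch (service accounts).
    """
    plan = SyncPlan()
    wanted = {r.username: r for r in roster if r.vessel == vessel}
    existing = {u.username: u for u in realm_users}

    for name, entry in wanted.items():
        user = existing.get(name)
        if user is None:
            plan.create.append(entry)             # new joiner
            continue
        if not user.enabled:
            plan.enable.append(name)              # returning crew member
        add = sorted(set(entry.groups) - set(user.groups))
        remove = sorted(set(user.groups) - set(entry.groups))
        if add or remove:
            plan.regroup[name] = (add, remove)    # moved between departments

    for name, user in existing.items():
        if name not in wanted and name not in protected and user.enabled:
            plan.disable.append(name)             # signed off: revoke everywhere
    return plan


def apply_plan(plan, admin):
    """Push the plan through an admin client; returns the audit log of actions."""
    log = []
    for entry in plan.create:
        admin.create_user(entry.username, entry.groups)
        log.append(f"create {entry.username}")
    for name in plan.enable:
        admin.set_enabled(name, True)
        log.append(f"enable {name}")
    for name, (add, remove) in plan.regroup.items():
        for g in add:
            admin.add_group(name, g)
        for g in remove:
            admin.remove_group(name, g)
        log.append(f"regroup {name} +{add} -{remove}")
    for name in plan.disable:
        admin.set_enabled(name, False)
        log.append(f"disable {name}")
    return log


class InMemoryAdmin:
    """Stand-in for the Keycloak Admin REST API so the example runs offline."""

    def __init__(self, users):
        self.users = {u.username: RealmUser(u.username, u.enabled, list(u.groups)) for u in users}

    def create_user(self, username, groups):
        self.users[username] = RealmUser(username, True, list(groups))

    def set_enabled(self, username, enabled):
        self.users[username].enabled = enabled

    def add_group(self, username, group):
        self.users[username].groups.append(group)

    def remove_group(self, username, group):
        self.users[username].groups.remove(group)


# Constructed sample data: a crew-change day on one vessel.
ROSTER = [
    RosterEntry("a.ahmed", ["/Bridge"], "MV-Example-1"),
    RosterEntry("b.bauer", ["/Engineering"], "MV-Example-1"),
    RosterEntry("c.costa", ["/Medical"], "MV-Example-1"),
    RosterEntry("d.diaz", ["/Bridge"], "MV-Example-2"),   # belongs to another vessel
]
REALM = [
    RealmUser("a.ahmed", True, ["/Bridge"]),
    RealmUser("b.bauer", False, ["/Engineering"]),       # re-joining after leave
    RealmUser("e.evans", True, ["/Engineering"]),        # signed off, absent from roster
    RealmUser("svc-pbx", True, []),                      # service account, protected
]


def run_demo():
    admin = InMemoryAdmin(REALM)
    plan = plan_sync(ROSTER, list(admin.users.values()), "MV-Example-1", protected={"svc-pbx"})
    return apply_plan(plan, admin), admin.users
```

The sync interval bounds how long a departed crew member's access survives; a deliberate sign-off should trigger the disable immediately rather than wait for the next scheduled pull, and the audit log returned by `apply_plan` is what you keep to prove it happened.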

Role-Based Access Control

Keycloak groups map to operational roles. A crew member in the "Bridge" group receives access to bridge navigation software but not to engineering management. A contractor in the "Contractor-Electrical" group receives access to electrical maintenance ticketing but not to safety management documentation.

This granular access control is configured centrally in Keycloak and applied consistently across all connected applications.
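The two preceding sections describe applications trusting a Keycloak-issued token and group membership deciding what that token may do. The following Python is an added example, not Shipwize's or Keycloak's code: the check a connected application (resource server) applies to an access token (signature, issuer, audience, expiry) followed by a group-to-permission lookup, with the Bridge-versus-Engineering case from the text as the test. Keycloak signs access tokens with RS256 and publishes the key through the realm's JWKS endpoint; to run offline this example signs with HS256 under a constructed shared secret, which changes only the signature step. The `groups` claim assumes Keycloak's Group Membership mapper is enabled on the client (without it, roles appear under `realm_access.roles`). The issuer URL, group names, permission names and secret are all constructed.

```python
"""Validate a Keycloak-style OIDC access token and enforce group-based access.

Added example, not Shipwize's or Keycloak's code. Signature uses HS256 with a
constructed secret so the block runs offline; a real resource server pins RS256
and verifies against the realm's published JWKS.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed values: a real deployment takes these from the realm configuration.
ISSUER = "https://keycloak.vessel.local/realms/shipwize"
SECRET = b"constructed-demo-secret"     # stands in for the realm signing key
CLOCK_SKEW = 30                          # seconds of tolerated clock drift

# Which Keycloak groups unlock which application permissions (constructed).
GROUP_PERMISSIONS = {
    "/Bridge":                {"ecs:read", "matrix:chat", "sip:call"},
    "/Engineering":           {"maintenance:write", "matrix:chat", "sip:call"},
    "/Medical":               {"medical:read", "matrix:chat", "sip:call"},
    "/Contractor-Electrical": {"maintenance:electrical:write"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub, groups, audience, lifetime=300, now=None):
    """Mint a token shaped like Keycloak's (iss/aud/sub/exp/groups). Demo only."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": audience, "sub": sub,
              "iat": now, "exp": now + lifetime, "groups": groups}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_token(token, audience, now=None):
    """Return the claims if signature, issuer, audience and expiry all hold.

    Verification is local: no round trip to Keycloak per request, which is
    what lets applications keep serving through a brief Keycloak restart.
    """
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    # The verifier pins the algorithm; the token's own alg header is never trusted.
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]      # Keycloak may emit a list
    if audience not in aud:
        raise ValueError("token not issued for this application")
    if claims.get("exp", 0) + CLOCK_SKEW < now:
        raise ValueError("token expired")
    return claims


def permissions_for(claims):
    """Union of the permissions granted by every group carried in the token."""
    perms = set()
    for group in claims.get("groups", []):
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms


def is_allowed(token, audience, permission, now=None):
    """Single decision point an application calls before serving a request."""
    try:
        claims = verify_token(token, audience, now=now)
    except ValueError:
        return False
    return permission in permissions_for(claims)
```

Two points of the design matter in practice: the application verifies the signature with a cached key instead of calling Keycloak on every request, so a short Keycloak outage only affects users whose tokens expire during it, and the permission map lives in one place per application while the group assignment lives only in Keycloak, which is what keeps the access decision consistent across Matrix, the SIP client and the management systems.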

Multi-Vessel and Shore Integration

For fleet operators:

  • Keycloak realms can be configured per-vessel with replication to shore
  • Shore-based operators can access aggregated reports with a separate shore-realm identity
  • Fleet-wide SSO means a crew member's identity is valid across vessels they transfer to

This last point is significant for fleet rotation: a crew member moving from Vessel A to Vessel B is provisioned on arrival. Their identity follows them.

Implementation Considerations

Network dependency: Keycloak on the vessel must work offline. Deploy Keycloak locally on the vessel server — not in the cloud. Authentication against a cloud-hosted Keycloak fails whenever connectivity is interrupted.

Realm export: Back up the Keycloak realm configuration regularly. A full realm restore should take under 15 minutes.

Token caching: Ensure all connected applications cache authentication tokens for appropriate durations (1–24 hours) so a brief Keycloak restart doesn't log everyone out.

LDAP sync conflicts: If integrating with a Windows-based environment using Active Directory, test LDAP sync behaviour carefully before deployment.

Is Keycloak Right for Every Vessel?

A single-vessel operator with three crew applications and minimal rotation probably doesn't need full IAM infrastructure. Manual provisioning is manageable.

A fleet operator with 10+ vessels, 100+ crew per vessel, and 30% monthly crew rotation almost certainly benefits from centralised identity management. The provisioning time savings alone justify the implementation cost within the first year.
