diff --git a/assets/style.css b/assets/style.css
index 7ad4fa7b7..d014653b2 100644
--- a/assets/style.css
+++ b/assets/style.css
@@ -1135,6 +1135,19 @@ div, span, html, body, ul, article, main, nav {
   min-width: 0;
 }
 
+/* Tutorials disclaimer */
+[id="tutorial_disclaimer"] {
+    background-color: var(--color-sc-gray-4);
+    border-radius: 8px;
+    margin: calc(var(--spacing) * 12)
+            0
+            calc(var(--spacing) * 18)
+            0;
+    padding: calc(var(--spacing) * 6)
+             calc(var(--spacing) * 4)
+             calc(var(--spacing) * 6)
+             calc(var(--spacing) * 8);
+}
 
 ol.deploy-timeline {
     border-left: 4px solid var(--color-primary-gray-200);
diff --git a/src/_includes/icons/keycloak.svg b/src/_includes/icons/keycloak.svg
new file mode 100644
index 000000000..878570687
--- /dev/null
+++ b/src/_includes/icons/keycloak.svg
@@ -0,0 +1 @@
+<svg viewBox="0 0 44.39828 40.0535652173913" xmlns="http://www.w3.org/2000/svg" style="max-height: 500px" width="44.39828" height="40.0535652173913"><path d="M5.795 9.869 11.511.003 34.53 0l5.685 9.964.007 19.932-5.691 9.958-23.012.008-5.782-9.965z" fill="#4d4d4d"/><path d="M5.738 29.894h10.374l-5.698-10.041 4.634-9.982-9.252-.002L0 19.934" fill="#ededed"/><path d="M19.258 29.894h7.583l6.705-9.773-6.588-10.156h-8.92l-5.373 9.814z" fill="#e0e0e0"/><path d="m0 19.933 5.738 9.964h10.375l-5.636-9.93z" fill="#acacac"/><path d="m12.774 19.935 6.485 9.962h7.582l6.6-9.958z" fill="#9e9e9e"/><path d="m15.342 19.94-1.957.57-1.878-.571 7.667-13.29 1.918 3.318" fill="#00b8e3"/><path d="m21.084 29.894-1.908 3.332-5.093-5.487-2.58-7.797v-.004h3.838" fill="#33c6e9"/><path d="M11.508 19.939h-.004v.003l-1.917 3.322-1.925-3.307 1.952-3.386 5.728-9.92h3.834" fill="#008aaa"/><path d="M32.604 29.894h11.612l-.007-19.93H32.604Z" fill="#d4d4d4"/><path d="M32.604 19.966v9.93h11.591v-9.93z" fill="#919191"/><path d="M19.178 33.23h-3.837l-5.754-9.967 1.917-3.32z" fill="#00b8e3"/><path d="M34.519 19.939 26.85 33.227c-.705-1.036-1.913-3.33-1.913-3.33l5.753-9.96z" fill="#008aaa"/><path d="m30.68 33.227-3.83-.001 7.67-13.288 1.916-3.318 1.922 3.34m-3.839-.021h-3.828l-5.755-9.973 1.905-3.314 4.658 5.922z" fill="#00b8e3"/><path d="M36.436 16.618v.003l-1.917 3.318-7.677-13.286 3.841.002z" fill="#33c6e9"/><path d="M175.972 9.98a.193.193 0 0 0-.195.196v19.503c0 .106.086.195.195.195h4.049c.106 0 .195-.09.195-.195V24.31c0-.046.016-.093.05-.13l.181-.204 1.6-1.782a.196.196 0 0 1 .302.016l1.528 2.06 2.735 3.68 1.002 1.347.367.497c.04.05.096.08.159.08h4.7a.2.2 0 0 0 .162-.312l-.973-1.356-1.389-1.954c-.413-.576-.856-1.198-1.333-1.866l-.215-.304-1.76-2.48a1565.7 1565.7 0 0 0-1.934-2.706.19.19 0 0 1 .016-.241l1.551-1.724 3.725-4.14 2.239-2.487a.218.218 0 0 0 .05-.123.195.195 0 0 0-.196-.201h-4.97a.195.195 0 0 0-.143.062l-1.558 1.694-3.324 3.614-2.235 2.428a.194.194 0 0 1-.338-.132v-7.471a.195.195 0 0 0-.195-.195Z" fill="#626262"/><path d="M161.562 9.98a.198.198 0 0 0-.178.12l-5.213 12.065-.003.003-.007.013-.003.01-.674 1.565-.04.096-.087.195h.001l-.073.166v.003l-2.027 4.693-.298.69a.196.196 0 0 0 .178.275h4.3a.196.196 0 0 0 .175-.112c0-.004.004-.004.004-.007l1.498-3.485.248-.576a.199.199 0 0 1 .182-.12h8.08a.19.19 0 0 1 .178.12l1.664 3.866 1.865-6.618-1.499-3.47-1.339-3.098-2.712-6.273a.191.191 0 0 0-.179-.12h-2.526zm7.905 19.58v.003l.086.192c.03.073.099.12.178.12h4.3a.197.197 0 0 0 .179-.276l-.04-.09-2.838-6.567zm-5.87-13.362c.074 0 .147.04.181.117l.943 2.2.952 2.225.285.664a.194.194 0 0 1-.179.272h-4.389a.194.194 0 0 1-.178-.272l.516-1.19 1.69-3.9a.195.195 0 0 1 .18-.116z" fill="#6f6f6f"/><path d="M143.452 9.524c-.826 0-1.617.076-2.368.235v.004-.004h-.003a9.78 9.78 0 0 0-3.556 1.488 10.59 10.59 0 0 0-1.497 1.224c-1.486 1.453-2.428 3.197-2.815 5.176l-.002.003-.014.076-.005.023-.042.225v-.001l-.003.012v.006l-.01.085v.009a11.29 11.29 0 0 0-.126 1.715c0 2.63.816 4.872 2.45 6.727.175.206.367.404.565.599.506.496 1.043.93 1.608 1.3 1.68 1.098 3.619 1.647 5.818 1.647.245 0 .486-.006.724-.023 2.13-.12 4.001-.784 5.615-1.991a10.44 10.44 0 0 0 1.089-.933l.01-.01a9.983 9.983 0 0 0 1.922-2.583c.148-.288.28-.582.396-.887.46-1.174.688-2.457.688-3.845 0-.374-.016-.742-.05-1.1v-.006a9.841 9.841 0 0 0-.783-3.1c-.5-1.15-1.227-2.191-2.183-3.124-.397-.39-.814-.74-1.25-1.052-1.76-1.263-3.817-1.895-6.178-1.895zm.017 3.873c1.66 0 3.059.625 4.197 1.875.062.067.122.136.175.205 1.022 1.214 1.531 2.66 1.531 4.336 0 1.17-.248 2.223-.744 3.162a6.456 6.456 0 0 1-1.138 1.545 5.658 5.658 0 0 1-1.382 1.048c-.79.423-1.67.635-2.64.635a5.57 5.57 0 0 1-2.56-.592 5.46 5.46 0 0 1-1.12-.77 5.668 5.668 0 0 1-.516-.503c-1.14-1.243-1.71-2.751-1.71-4.524 0-.053 0-.103.003-.156.03-1.707.599-3.168 1.707-4.386.83-.912 1.802-1.495 2.913-1.74a6.03 6.03 0 0 1 1.284-.135z" fill="#7d7d7d"/><path d="M120.252 9.98a.193.193 0 0 0-.195.196v19.503c0 .106.086.195.195.195h12.528c.11 0 .196-.09.196-.195v-3.57a.195.195 0 0 0-.196-.194h-8.09a.192.192 0 0 1-.194-.191V10.176a.19.19 0 0 0-.113-.176.174.174 0 0 0-.083-.02h-2.242z" fill="#888"/><path d="M109.792 9.525c-2.923 0-5.394.989-7.415 2.96-.367.36-.7.738-1.002 1.13v.004c-1.352 1.756-2.027 3.84-2.027 6.25 0 1.377.215 2.64.649 3.794l.006-.002-.005.003c.254.695.592 1.336.999 1.948v.003c.003 0 .003.003.003.003a9.828 9.828 0 0 0 1.323 1.58 10.01 10.01 0 0 0 1.984 1.512h.003a9.831 9.831 0 0 0 .953.484h.007l.003.003h.003c1.37.602 2.907.903 4.617.903.503 0 .996-.037 1.475-.106h.01c.308-.043.612-.102.913-.175 1.683-.404 3.225-1.257 4.63-2.557v-.002l.001.002c.281-.258.559-.54.83-.837a.199.199 0 0 0-.007-.27l-2.566-2.643a.19.19 0 0 0-.172-.057.212.212 0 0 0-.116.07c-.685.81-1.465 1.419-2.338 1.822-.867.4-1.826.6-2.874.6-.718 0-1.39-.113-2.011-.341a5.641 5.641 0 0 1-2.057-1.34 5.433 5.433 0 0 1-1.3-2.066h-.007l.007-.001c-.255-.715-.38-1.508-.38-2.385 0-1.723.512-3.118 1.544-4.183.076-.076.152-.153.235-.23 1.184-1.09 2.612-1.636 4.283-1.636.611 0 1.197.076 1.75.229v-.001c1.27.344 2.384 1.085 3.343 2.216.076.09.215.096.29.007l2.498-2.832a.201.201 0 0 0-.003-.264c-1.955-2.147-4.323-3.334-7.1-3.556-.322-.025-.646-.04-.977-.04z" fill="#949494"/><path d="M82.588 9.98a.195.195 0 0 0-.17.29l1.892 3.309 3.423 5.983 1.38 2.41a.2.2 0 0 1 .026.097v7.61c0 .106.086.195.195.195h4.049c.109 0 .194-.09.194-.195v-7.61c0-.033.01-.066.027-.096l.976-1.706 3.704-6.476.757-1.32.503-.88h-.007l.007-.003.754-1.316a.194.194 0 0 0-.168-.29h-4.363a.196.196 0 0 0-.168.095l-3.953 6.803-.003.003v.003l-.212.156-.159.122a.203.203 0 0 1-.082-.076l-.067-.112-.099-.17-3.905-6.73a.196.196 0 0 0-.169-.095zm15.537 2.04v.002l-.004.002z" fill="#aaa"/><path d="M66.598 9.98a.193.193 0 0 0-.196.196v19.503c0 .106.086.195.195.195h14.264c.11 0 .196-.09.196-.195v-3.54a.196.196 0 0 0-.196-.194h-9.825a.195.195 0 0 1-.196-.195v-3.737c0-.106.09-.196.196-.196h8.519a.195.195 0 0 0 .195-.194v-3.394c0-.11-.09-.195-.195-.195h-8.52a.196.196 0 0 1-.195-.195V14.13c0-.11.09-.195.196-.195h9.515a.195.195 0 0 0 .195-.195v-3.565a.195.195 0 0 0-.195-.195h-7.829z" fill="#bcbcbc"/><path d="M47.256 9.98a.193.193 0 0 0-.195.196v19.503c0 .106.086.195.195.195h4.048c.11 0 .196-.09.196-.195V24.31c0-.046.016-.093.05-.13l.842-.942.94-1.044a.196.196 0 0 1 .3.016l2.808 3.777.002.002 2.016 2.713.81 1.09a.19.19 0 0 0 .156.08h4.703a.197.197 0 0 0 .158-.31l-.171-.241a693.927 693.927 0 0 1-1.846-2.587c-.566-.79-1.194-1.673-1.888-2.652l-.07-.1v.002-.002a1569.226 1569.226 0 0 0-3.628-5.086.195.195 0 0 1 .017-.241l1.772-1.968h-.006l.006-.001v-.003l1.459-1.62 1.402-1.558 2.88-3.202a.194.194 0 0 0-.145-.324H59.1a.196.196 0 0 0-.146.063l-3.079 3.345-4.038 4.39a.194.194 0 0 1-.338-.132V10.17a.193.193 0 0 0-.195-.192h-2.11zm.091 9.823v.01h-.001zm12.27 8.34v.002h-.001z" fill="#b8b8b8"/><path d="M89.222 29.806c-.024-.025-.045-1.79-.045-3.92V22.01l-3.38-5.904c-1.996-3.487-3.364-5.945-3.342-6.003.032-.084.357-.098 2.278-.098 2.052 0 2.25.01 2.342.115.055.064.986 1.649 2.069 3.523 1.082 1.873 2.003 3.443 2.045 3.488.194.21.46-.181 2.48-3.662l2.01-3.465h2.275c1.894 0 2.28.016 2.31.094.02.05-1.477 2.737-3.326 5.969l-3.362 5.876-.066 7.872-2.121.018c-1.167.01-2.142-.003-2.167-.028z" fill="#a0a0a0"/><path d="M66.456 29.767c-.017-.045-.023-4.503-.014-9.905l.017-9.823h14.22v3.837l-4.855.017c-3.453.012-4.88.038-4.944.09-.13.109-.13 3.91 0 4.018.063.052 1.362.079 4.448.09l4.36.018v3.638l-4.36.017c-3.086.012-4.385.039-4.448.09-.07.06-.089.465-.089 1.98 0 1.047.018 1.95.04 2.009.036.094.538.104 4.999.104 3.29 0 5 .023 5.086.069.122.065.128.156.128 1.872 0 1.314-.022 1.825-.08 1.883-.118.118-14.463.115-14.508-.003z" fill="#acacac"/></svg>
\ No newline at end of file
diff --git a/src/_includes/tutorial_disclaimer.md b/src/_includes/tutorial_disclaimer.md
new file mode 100644
index 000000000..f800938ea
--- /dev/null
+++ b/src/_includes/tutorial_disclaimer.md
@@ -0,0 +1,64 @@
+<div id="tutorial_disclaimer" markdown="1">
+## Disclaimer
+
+This tutorial provides guidance based on approaches that are generally
+considered effective and aligned with common industry practices. However, it
+reflects a generalized perspective and may not be fully suitable for every
+environment or use case.
+
+While care has been taken to follow recognized best practices, the actual
+implementation will depend on your specific infrastructure, constraints, and
+requirements. **You remain solely responsible for evaluating, adapting, and
+applying the instructions appropriately in your context**.
+
+We strive to keep this content accurate and up to date. Nevertheless,
+technologies, dependencies, and security standards evolve over time, and we
+cannot guarantee that all information remains current or error-free.
+
+All commands, configuration snippets, and examples are provided for
+illustrative purposes only. They are not intended to be used verbatim in
+production without proper review, testing, and adaptation.\\
+**Final implementation decisions and their consequences are the responsibility
+of the user**.
+
+### Responsibilities
+
+This tutorial describes a self-managed deployment approach and does not
+constitute a managed or hosted service provided by Scalingo.
+
+Scalingo remains responsible for the buildpacks, the scripts, initial
+configuration, samples, and instructions presented in this tutorial.
+
+Operational responsibility, including, but not limited to deployment, final
+configurations, proper exploitation, maintenance, upgrades, monitoring,
+backup restoration tests and security, remains with the user.
+
+### Security Notice
+
+Proper security practices are essential when deploying software:
+- **Always use strong, unique passwords** for all services and accounts.
+- **Do not reuse credentials** across systems.
+- Prefer long passphrases (at least 16 characters) combining letters, numbers,
+  and symbols.
+- **Store credentials securely** (e.g., password managers, secret management
+  tools) and **never hardcode them in source code or configuration files**.
+
+Here is an example command to generate a strong password from the command line:
+```bash
+openssl rand -base64 24
+```
+
+Alternatively:
+```bash
+head -c 32 /dev/urandom | base64
+```
+
+### Feedback and Contributions
+
+If you identify an error, outdated information, or missing details,
+contributions are welcome. You may get in touch with our Support Team, [open an
+issue](https://github.com/Scalingo/documentation/issues), or [submit a pull
+request](https://github.com/Scalingo/documenation/pulls).
+
+Your feedback helps improve the quality and reliability of this documentation.
+</div>
diff --git a/src/_layouts/tutorials_page.html b/src/_layouts/tutorials_page.html
index d89acad98..a04641f22 100644
--- a/src/_layouts/tutorials_page.html
+++ b/src/_layouts/tutorials_page.html
@@ -28,6 +28,7 @@ <h1 class="text-sc-gray-1 text-sc-title-1 font-bold mb-12 hidden xl:block">
                 <div class="flex flex-col md:flex-row justify-between mt-4 text-sc-text-2">
                     <span itemprop="datePublished" content="{{ page.modified_at }}">
                         {% if page.modified_at %} Last update: {{ page.modified_at | date_to_string }} {% endif %}
+                        {% if page.last_reviewed_at %}&nbsp;&mdash;&nbsp;Last review: {{ page.last_reviewed_at | date_to_string }} {% endif %}
                     </span>
                     <a href="https://github.com/{{ site.github_username }}/documentation/edit/master/src/{{ page.path }}" class="flex items-center">
                         <svg style="width: 14px;height: 14px;" aria-hidden="true" focusable="false" data-prefix="fas" data-icon="pen" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512">
diff --git a/src/_tutorials/keycloak/index.md b/src/_tutorials/keycloak/index.md
new file mode 100644
index 000000000..87d98f25e
--- /dev/null
+++ b/src/_tutorials/keycloak/index.md
@@ -0,0 +1,743 @@
+---
+title: Deploying Keycloak
+logo: keycloak
+category: security
+products:
+  - Scalingo for PostgreSQL
+  - Projects
+  - Private Networks
+permalink: /tutorials/keycloak
+modified_at: 2026-05-22
+last_reviewed_at: 2026-05-22
+---
+
+Keycloak is an open-source identity and access management solution designed to
+secure modern applications and services. It provides features such as single
+sign-on (SSO), user federation, and social login integration. It supports
+standard protocols like [OAuth 2.0], [OpenID Connect], and [SAML].  It also
+offers centralized user management, role-based access control, and fine-grained
+permissions. Overall, Keycloak helps organizations improve security while
+simplifying the work of developers with authentication and authorization.
+
+
+{% include tutorial_disclaimer.md %}
+
+
+## Planning your Deployment
+
+- Even if Keycloak provides quite precise [recommendations][kc-reco] in terms
+  of CPU, RAM and databases, sizing still mostly depends on the foreseen
+  usage and expected performances.
+
+- Keycloak requires a rough minimum of 1.5GB of RAM to run, and quite a lot of
+  CPU (Keycloak spends a lot of time hashing, opening TLS connections, etc.).
+  Consequently, we advise provisioning at least one XL container, and possibly
+  change for a more powerful plan later.
+
+- Keycloak requires its own database. Considering the key role Keycloak is
+  generally playing, we advise to always deploy with at least a [Business
+  service class][db-business-class], mainly to benefit from the higher SLA and
+  redundancy. In this tutorial, we deploy a [Scalingo for PostgreSQL® Business
+  1G][db-postgresql].
+
+- Keycloak is designed for multi-node clustered setups. In production mode, it
+  uses a distributed cache (implemented via Infinispan) to share some resources
+  between nodes. To be able to benefit from this cache, which is highly
+  recommended, we deploy multiple Keycloak containers in a
+  [Private Network][private-networking]:
+
+  - Infinispan uses several TCP ports to run. Running inside a Private Network
+    gives us the freedom to bind any port we want.
+
+  - Infinispan also features some auto-discovery mechanism to automatically
+    update the list of available nodes in the cluster. By relying on it, we can
+    ensure the cache is always well distributed between the available nodes.
+
+  - To do so, we have to make sure Keycloak listens on the [Private Network IP
+    addresses][private-networking-addressing] for everything related to the
+    Infinispan distributed cache.
+
+- For greater control and security, we suggest to deploy behind a reverse
+  proxy:
+
+  - It prevents Keycloak from being directly exposed to the Internet.
+  - It allows to set up features such as rate-limiting and IP allow/deny lists.
+  - It allows to scale the reverse proxy so that it can handle traffic peaks or
+    sudden load.
+
+- To do so, we deploy two applications, grouped in the same [Project][project]:
+  one hosting Keycloak and the second one hosting the reverse proxy.
+
+- Keycloak provides an [exhaustive list of configuration options][kc-config],
+  recommendations to [run in production][kc-production], and documentation
+  for [administrating][kc-admin] Keycloak.\\
+  We strongly suggest to read these pages before entering prodution.
+
+
+## Creating the Project
+
+### Using the Command Line
+
+1. From the command line, create a new [Project][project] to host the
+   applications:
+   ```bash
+   scalingo projects-add keycloak
+   ```
+
+2. Retrieve the project ID:
+   ```bash
+   scalingo projects
+   ```
+   The output should look like this:
+   ```bash
+    /!\  This command only displays projects where you are the owner
+   ┌──────────┬─────────┬──────────────────────────────────────────┬─────────────────┐
+   │   NAME   │ DEFAULT │                    ID                    │ PRIVATE NETWORK │
+   ├──────────┼─────────┼──────────────────────────────────────────┼─────────────────┤
+   │ keycloak │ false   │ prj-32232e93-8c8a-4898-8a68-d10ff1e63f7a │ true            │
+   ```
+
+3. Identify the project you just created and keep its ID aside.
+
+### Using the Terraform Provider
+
+1. Place the following `scalingo_project` resource block in your Terraform
+   file:
+   ```tf
+   resource "scalingo_project" "keycloak-prj" {
+     name    = "keycloak"
+     default = false
+   }
+   ```
+
+
+## Deploying Keycloak
+
+### Using the Command Line
+
+1. Fork our [Keycloak repository][keycloak-scalingo]
+
+2. Create a new application **in the project**:
+   ```bash
+   scalingo create my-keycloak --project-id <project_id>
+   ```
+   With `project_id` being the ID of the newly created project.
+
+3. Provision a Scalingo for PostgreSQL® Business 1G database:
+   ```bash
+   scalingo --app my-keycloak addons-add postgresql postgresql-business-1024
+   ```
+
+4. Let the platform know what buildpack it must use:
+   ```bash
+   scalingo --app my-keycloak env-set BUILDPACK_URL=https://github.com/Scalingo/keycloak-buildpack
+   ```
+
+5. Create a few **mandatory** environment variables:
+
+   - These make sure Keycloak runs properly on Scalingo:
+     ```bash
+     scalingo --app my-keycloak env-set KC_PROXY_HEADERS=xforwarded
+     scalingo --app my-keycloak env-set KC_HTTP_ENABLED=true
+     scalingo --app my-keycloak env-set KC_HTTP_PORT=80
+     scalingo --app my-keycloak env-set KC_HOSTNAME=<hostname>
+     ```
+     With `hostname` being the publicly exposed address at which Keycloak is
+     available\\
+     (e.g. `my-keycloak.osc-fr1.scalingo.io`).
+
+     Using port 80 is an example, you can choose any port number.
+
+   - This one restricts the cache communications to the Private Network only:
+     ```bash
+     scalingo --app my-keycloak env-set KC_CACHE_EMBEDDED_NETWORK_BIND_ADDRESS="match-address:10.240.\*"
+     ```
+
+   - These are used to create the initial credentials for the administrator
+     user (remember to use a **strong** password):
+     ```bash
+     scalingo --app my-keycloak env-set KC_BOOTSTRAP_ADMIN_USERNAME=<admin_username>
+     scalingo --app my-keycloak env-set KC_BOOTSTRAP_ADMIN_PASSWORD=<admin_password>
+     ```
+
+6. Create a few more **recommended** environment variables:
+
+   - This one pins the version of Keycloak. This prevents against unintentional
+     updates:
+     ```bash
+     scalingo --app my-keycloak env-set KEYCLOAK_VERSION="<version>"
+     ```
+     With `version` being the version number to deploy.
+
+   - This one restricts the communication with the reverse proxy to the Private
+     Network only:
+     ```bash
+     scalingo --app my-keycloak env-set KC_PROXY_TRUSTED_ADDRESSES="10.240.0.0/22"
+     ```
+
+   - This one allows to limit the number of queued requests, which is important
+     to protect the cluster against overload situations:
+     ```bash
+     scalingo --app my-keycloak env-set KC_HTTP_MAX_QUEUED_REQUESTS=<number>
+     ```
+     With `number` being the number of requests Keycloak can keep in queue
+     before dropping additional ones. Set this to a number matching your
+     environment.
+
+7. Add a [`Procfile`][procfile] to your git repository, with the following
+   content:
+   ```yml
+   kc: /app/keycloak/bin/kc.sh start --optimized
+   ```
+   This instructs the platform to start Keycloak in a [process type][procfile]
+   named `kc`, which, unlike `web`, can **not** be publicly exposed.
+
+8. (optional) Instruct the platform to run the `kc` process type in three XL
+   containers:
+   ```bash
+   scalingo --app my-keycloak scale kc:3:XL
+   ```
+
+9. Everything’s ready, deploy to Scalingo:
+   ```bash
+   git push scalingo master
+   ```
+
+From this point, you should have a working Keycloak cluster running in its own
+Private Network on Scalingo.
+
+### Using the Terraform Provider
+
+1. Fork our [Keycloak repository][keycloak-scalingo]
+
+2. Place the following `scalingo_app` resource block in your Terraform file:
+   ```tf
+   resource "scalingo_app" "my-keycloak" {
+     name           = "my-keycloak"
+     project_id     = scalingo_project.keycloak-prj.id
+     stack_id       = "scalingo-24"
+     force_https    = true
+
+     environment = {
+       BUILDPACK_URL    = "https://github.com/Scalingo/keycloak-buildpack",
+       KEYCLOAK_VERSION = "<version>",
+       KC_PROXY_HEADERS = "xforwarded",
+       KC_HTTP_ENABLED  = true,
+       KC_HTTP_PORT     = 80,
+       KC_HOSTNAME      = "<hostname>",
+       KC_CACHE_EMBEDDED_NETWORK_BIND_ADDRESS = "match-address:10.240.\*",
+       KC_PROXY_TRUSTED_ADDRESSES  = "10.240.0.0/24",
+       KC_HTTP_MAX_QUEUED_REQUESTS = <number>,
+       KC_BOOTSTRAP_ADMIN_USERNAME = "<admin_username>",
+       KC_BOOTSTRAP_ADMIN_PASSWORD = "<admin_password>"
+     }
+   }
+   ```
+
+3. Link the app to your forked repository:
+   ```tf
+   data "scalingo_scm_integration" "github" {
+     scm_type = "github"
+   }
+
+   resource "scalingo_scm_repo_link" "my-keycloak-repo" {
+     auth_integration_uuid = data.scalingo_scm_integration.github.id
+     app                   = scalingo_app.my-keycloak.id
+     source                = "https://github.com/<username>/keycloak-scalingo"
+     branch                = "master"
+   }
+   ```
+
+4. Place the following `scalingo_addon` resource block in your Terraform file
+   to provision a Scalingo for PostgreSQL® Business 1G database and attach it
+   to your app:
+   ```tf
+   resource "scalingo_addon" "my-keycloak-db" {
+     app         = scalingo_app.my-keycloak.id
+     provider_id = "postgresql"
+     plan        = "postgresql-business-1024"
+   }
+   ```
+
+5. Add a [`Procfile`][procfile] to your git repository, with the following
+   content:
+   ```yml
+   kc: /app/keycloak/bin/kc.sh start --optimized
+   ```
+   This instructs the platform to start Keycloak in a [process type][procfile]
+   named `kc`, which, unlike `web`, can **not** be publicly exposed.
+
+6. (optional) Instruct the platform to run the `kc` process type in three XL
+   containers:
+   ```tf
+   resource "scalingo_container_type" "kc" {
+     app    = scalingo_app.my-keycloak.id
+     name   = "kc"
+     size   = "XL"
+     amount = 3
+   }
+   ```
+
+7. Run `terraform plan` and check if the result looks good
+
+8. If so, run `terraform apply`
+
+9. Once Terraform is done, your Keycloak instance is ready to be deployed:
+   1. Head to your [dashboard]
+   2. Click on your Keycloak application
+   3. Click on the Deploy tab
+   4. Click on Manual deployment in the left menu
+   5. Click the Trigger deployment button
+   6. After a few seconds, your Keycloak cluster is finally up and running!
+
+
+## Deploying the Reverse Proxy
+
+Here is a very basic working example of nginx configuration that can be used as
+a starting point. It only proxies the strictly required endpoints, which has
+the advantage of drastically lowering the attack surface of Keycloak:
+
+{: #nginx-config}
+```erb
+upstream keycloak {
+  server <%= ENV["KEYCLOAK_PRIVATE_DOMAIN"] %>:80;
+  ip_hash;
+}
+
+server {
+  server_name localhost;
+  listen <%= ENV["PORT"] %>;
+  charset utf-8;
+
+  # Optional hardening:
+  proxy_hide_header X-Powered-By;
+
+  location ^~ /realms/ {
+    proxy_pass      http://keycloak/realms/;
+    proxy_redirect  default;
+  }
+
+  location ^~ /resources/ {
+    proxy_pass      http://keycloak/resources/;
+    proxy_redirect  default;
+  }
+
+  location ^~ /.well-known/ {
+    proxy_pass      http://keycloak/.well-known/;
+    proxy_redirect  default;
+  }
+}
+```
+
+### Using the Command Line
+
+1. Create a new application **in the same Project**:
+   ```bash
+   scalingo create my-nginx --project-id <project_id>
+   ```
+
+2. Follow [our documentation][deploy-nginx] to deploy nginx.
+
+3. Create an environment variable to store the `kc` process type's [private
+   domain name]:
+   ```bash
+   scalingo --app my-nginx env-set KEYCLOAK_PRIVATE_DOMAIN=kc.<private_network_fqdn>
+   ```
+   With `<private_network_fqdn>` being the [private domain name] of the
+   application hosting the Keycloak cluster.
+
+4. Create a `servers.conf.erb` file for nginx, using [the sample suggested
+   above](#nginx-config), **or your own**.
+
+5. Deploy:
+   ```bash
+   git push scalingo master
+   ```
+
+### Using the Terraform Provider
+
+1. Create a new git repository dedicated to nginx.
+
+2. In this repository, create a `servers.conf.erb` file for nginx, using [the
+   sample suggested above](#nginx-config), **or your own**.
+
+3. Place the following `scalingo_private_network_domain` data block in your
+   Terraform file:
+   ```tf
+   data "scalingo_private_network_domain" "pndn" {
+     app = scalingo_app.my-nginx.name
+   }
+   ```
+
+4. Place the following `scalingo_app` resource block in your Terraform file:
+   ```tf
+   resource "scalingo_app" "my-nginx" {
+     name           = "my-nginx"
+     project_id     = scalingo_project.keycloak-prj.id
+     stack_id       = "scalingo-24"
+
+     environment = {
+       KEYCLOAK_PRIVATE_DOMAIN = "kc.${substr(data.scalingo_private_network_domain.pndn.domains[0], 0, -1)}"
+     }
+   }
+   ```
+
+5. Link the app to your repository:
+   ```tf
+   resource "scalingo_scm_repo_link" "my-nginx-repo" {
+     auth_integration_uuid = data.scalingo_scm_integration.github.id
+     app                   = scalingo_app.my-nginx.id
+     source                = "https://github.com/<username>/my-nginx"
+     branch                = "master"
+   }
+   ```
+
+6. (optional) Instruct the platform to run the `web` process type in a single L
+   container:
+   ```tf
+   resource "scalingo_container_type" "web" {
+     app    = scalingo_app.my-nginx.id
+     name   = "web"
+     size   = "L"
+     amount = 1
+   }
+   ```
+
+7. Run `terraform plan` and check if the result looks good
+
+8. If so, run `terraform apply`
+
+9. Once Terraform is done, your nginx instance is ready to be deployed:
+   1. Head to your [dashboard]
+   2. Click on your nginx application
+   3. Click on the Deploy tab
+   4. Click on Manual deployment in the left menu
+   5. Click the Trigger deployment button
+   6. After a few seconds, your nginx reverse proxy instance is finally up and
+      running, making your Keycloak cluster reachable!
+
+
+## Exposing the Admin
+
+Keycloak's `/admin` endpoint provides access to the administration console and
+management APIs used to configure and operate a Keycloak cluster. Through this
+endpoint, administrators can manage realms, users, groups, roles, identity
+providers, clients, and authentication flows.
+
+{% warning %}
+Because it exposes highly privileged operations, the `/admin` interface should
+be carefully secured using strong authentication, network restrictions, HTTPS,
+and proper role-based access controls. **In production environments, limiting
+or disabling external exposure of the admin endpoint is considered a security
+best practice.**
+{% endwarning %}
+
+### Using the Command Line or the Terraform Provider
+
+1. Add a `limit_req_zone` directive to set up rate limiting at the top of the
+   `servers.conf.erb` file:
+   ```erb
+   # Rate limiting for /admin:
+   limit_req_zone $binary_remote_addr zone=keycloak_admin:10m rate=5r/m;
+   ```
+
+2. Add two new `location` in the `servers.conf.erb` file:
+   ```erb
+   location = /admin {
+     return 301 /admin/;
+   }
+
+   location ^~ /admin/ {
+     # IP allow list:
+     allow 192.0.2.10;
+     allow 198.51.100.0/24;
+     deny all;
+
+     # Rate limiting:
+     limit_req zone=keycloak_admin burst=10 nodelay;
+
+     proxy_pass       http://keycloak/admin/;
+     proxy_redirect   default;
+   }
+   ```
+
+2. Trigger a new deployment
+
+
+## Exposing Health and Metrics
+
+Keycloak allows to track instances status, health, and performances, thanks to
+[several health checks][kc-health] and [metrics][kc-metrics] endpoints.
+
+**When enabled**, these endpoints are exposed on the management port, which
+defaults to TCP `9000`. **By default, they are not available**, and they must
+be explicitely enabled.
+
+{% warning %}
+When enabled, and because they expose sensitive data and information, the
+`/health` and `/metrics` endpoints should be carefully secured using strong
+authentication, network restrictions, HTTPS, and proper role-based access
+controls. **In production environments, limiting or disabling external exposure
+of these endpoints is considered a security best practice.**
+{% endwarning %}
+
+{: #health-metrics-first-steps}
+1. Add a new `upstream` dedicated to management in the `servers.conf.erb` file:
+   ```erb
+   upstream mgmt {
+     server <%= ENV["KEYCLOAK_PRIVATE_DOMAIN"] %>:<%= ENV["KC_HTTP_MANAGEMENT_PORT"] or 9000 %>;
+   }
+   ```
+
+2. Add two new `limit_req_zone` directives for health and metrics:
+   ```erb
+   limit_req_zone $binary_remote_addr zone=keycloak_health:10m  rate=60r/m;
+   limit_req_zone $binary_remote_addr zone=keycloak_metrics:10m rate=30r/m;
+   ```
+
+3. Add two new `location` in the `servers.conf.erb` file:
+   ```erb
+   <% if ENV["KC_HEALTH_ENABLED"] %>
+   location ^~ /health/ {
+     # IP allow list:
+     allow 192.0.2.20;
+     allow 198.51.100.0/24;
+     deny all;
+
+     limit_req zone=keycloak_health burst=20 nodelay;
+
+     proxy_pass       http://mgmt/health/;
+     proxy_redirect   default;
+   }
+   <% end %>
+
+   <% if ENV["KC_METRICS_ENABLED"] %>
+   location = /metrics {
+     # IP allow list:
+     allow 192.0.2.20;
+     allow 198.51.100.0/24;
+     deny all;
+
+     # Rate limiting:
+     limit_req zone=keycloak_metrics burst=10 nodelay;
+
+     proxy_pass       http://mgmt/metrics;
+     proxy_redirect   default;
+   }
+   ```
+
+### Using the Command Line
+
+Make sure you have followed [the first steps](#health-metrics-first-steps)
+
+{:start="4"}
+4. Enable the health and/or metrics endpoints:
+   ```bash
+   scalingo --app my-keycloak env-set KC_HEALTH_ENABLED=true
+   scalingo --app my-keycloak env-set KC_METRICS_ENABLED=true
+   ```
+
+5. (optional) Choose a port for the management interface:
+   ```bash
+   scalingo --app my-keycloak env-set KC_HTTP_MANAGEMENT_PORT=9000
+   ```
+
+6. Trigger a new deployment
+
+### Using the Terraform Provider
+
+Make sure you have followed [the first steps](#health-metrics-first-steps)
+
+{:start="4"}
+4. Update the `scalingo_app` resource block of the Keycloak app to include the
+   appropriate environment variables:
+   ```tf
+   resource "scalingo_app" "my-keycloak" {
+     name           = "my-keycloak"
+     project_id     = scalingo_project.keycloak_project.id
+     stack_id       = "scalingo-24"
+
+     environment = {
+       # [...]
+       KC_HEALTH_ENABLED  = true,
+       KC_METRICS_ENABLED = true,
+       # Optional:
+       KC_HTTP_MANAGEMENT_PORT = 9000
+     }
+   }
+   ```
+
+5. Trigger a new deployment
+
+
+## Managing Logs
+
+By default, Keycloak runs with the `INFO` log level. This provides general
+operational information such as Keycloak lifecycle events, authentication
+flows, and warnings, without being overly verbose.
+
+Logging can be configured either globally or per component. The log level can
+be changed using environment variables. For example, to set the general log
+level to `DEBUG`, set `KC_LOG_LEVEL` to `DEBUG`.
+
+It is also possible to enable logging for specific components only, allowing
+for troubleshooting specific issues without flooding the logs. To do so, use an
+environment variable named after the component. For example, to specify a
+different log level for the component `org.hibernate`, you could set
+`KC_LOG_LEVEL_ORG_HIBERNATE` to `DEBUG`.
+
+Logs are written to standard output by default, making them fully compatible
+with every logging features Scalingo provides.
+
+For further guidance related to Keycloak logging, please refer to [the official
+documentation][kc-logging].
+
+
+## Managing Vulnerabilities
+
+Keycloak official vulnerabilities and security issues are documented
+[here][kc-vuln] by the editor.
+
+
+## Updating
+
+While updating Keycloak is generally safe, we still advise to take extra care,
+especially before updating a production instance:
+
+- Review the [official changelog][kc-changelog] that is published with each
+  release. Breaking and notable changes should catch your attention.
+- Ensure your [SPIs](#service-provider-interfaces) and themes are compatible
+  with the new version.
+- Keep a recent backup of your production database aside. The update process
+  sometimes involves database updates, which can unfortunately fail. Having a
+  backup allows to rollback to a working version in case of failures.
+- Test the exact update path on a testing instance.
+
+### Using the Command Line
+
+1. Update the version to the desired number:
+   ```bash
+   scalingo --app my-keycloak env-set KEYCLOAK_VERSION=<new_version>
+   ```
+
+2. In your Keycloak repository, create a new empty commit:
+   ```bash
+   git commit -m "Deploy version <new_version>" --allow-empty
+   ```
+
+3. Trigger a new deployment
+
+### Using the Terraform Provider
+
+1. Update the `scalingo_app` resource block of the Keycloak app to include the
+   `KEYCLOAK_VERSION` environment variables:
+   ```tf
+   resource "scalingo_app" "my-keycloak" {
+     name           = "my-keycloak"
+     project_id     = scalingo_project.keycloak_project.id
+     stack_id       = "scalingo-24"
+
+     environment = {
+       # [...]
+       KEYCLOAK_VERSION = "<new_version>"
+     }
+   }
+   ```
+
+2. Trigger a new deployment
+
+
+## Customizing
+
+### Service Provider Interfaces
+
+Keycloak is designed to be extensible. It provides multiple Service Provider
+Interfaces (SPIs), each responsible for providing a specific capability to the
+server.
+
+To add SPIs to your Keycloak cluster:
+
+1. Create a directory named `providers` at the root of your project
+2. Put the `.jar` files in this directory (don't forget to also add them to
+   your git repository):
+   ```
+   my-keycloak
+   ├── Procfile
+   ├── providers
+   │   └── spi.jar
+   └── system.properties
+   ```
+3. Configure each SPI using the available environment variables (please refer
+   to the SPI documentation for available variables)
+4. Trigger a new deployment
+
+### Themes
+
+Keycloak also supports custom themes, which allow to personalize the look and
+feel of end-user facing pages. This allows to further integrate Keycloak with
+your applications or company.
+
+To add themes to your Keycloak cluster:
+
+1. Create a directory named `providers` at the root of your project
+2. Put the `.jar` files in this directory (don't forget to also add them to
+   your git repository):
+   ```
+   my-keycloak
+   ├── Procfile
+   ├── providers
+   │   └── theme.jar
+   └── system.properties
+   ```
+3. Configure each theme using the available environment variables (please refer
+   to the theme documentation for available variables)
+4. Trigger a new deployment
+
+### Environment
+
+Keycloak supports [many environment variables][kc-config].
+
+Moreover, the buildpack makes use of the following environment variables. They
+can be leveraged to customize your deployment:
+
+- `KEYCLOAK_VERSION`\\
+  Allows to specify the version of Keycloak to deploy.\\
+  Defaults to not being set, which falls back on the [default
+  version][keycloak-default-version] set in the buildpack.
+
+- `KEYCLOAK_PRIVATE_DOMAIN_NAME`\\
+  Private domain name of the Keycloak process type. Allows the reverse proxy to
+  know where the requests must be forwarded.\\
+  Default to not being set.
+
+
+*[SSO]: Single Sign-On
+*[SLA]: Service Level Agreement
+*[SPI]: Service Provider Interface
+
+[OAuth 2.0]: https://oauth.net/2/
+[OpenID Connect]: https://openid.net
+[SAML]: https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
+[kc-reco]: https://www.keycloak.org/high-availability/single-cluster/concepts-memory-and-cpu-sizing
+[kc-config]: https://www.keycloak.org/server/all-config?f=config
+[kc-admin]: https://www.keycloak.org/docs/latest/server_admin/index.html
+[kc-production]: https://www.keycloak.org/server/configuration-production
+[kc-health]: https://www.keycloak.org/observability/health
+[kc-metrics]: https://www.keycloak.org/observability/configuration-metrics
+[kc-logging]: https://www.keycloak.org/server/logging
+[kc-vuln]: https://github.com/keycloak/keycloak/security
+[kc-changelog]: https://www.keycloak.org/docs/latest/release_notes/index.html
+
+[keycloak-scalingo]: https://github.com/Scalingo/keycloak-scalingo
+[keycloak-default-version]: https://github.com/Scalingo/keycloak-buildpack/blob/master/VERSIONS#L3
+
+[dashboard]: https://dashboard.scalingo.com/
+
+[db-business-class]: {% post_url databases/about/2000-01-01-service-classes %}#business
+[db-postgresql]: {% post_url databases/postgresql/about/2000-01-01-overview %}
+[private-networking]: {% post_url platform/networking/private/2000-01-01-overview %}
+[private domain name]: {% post_url platform/networking.private/2000-01-01-concepts %}#private-domain-names
+[private-networking-addressing]: {% post_url platform/networking/private/2000-01-01-concepts %}#addressing
+[deploy-nginx]: {% post_url platform/deployment/buildpacks/2000-01-01-nginx %}
+[procfile]: {% post_url platform/app/2000-01-01-procfile %}
+[project]: {% post_url platform/projects/2000-01-01-overview %}