
Is KeyCloak FIPS compliant?


We are going to use KeyCloak in one of our enterprise solutions. I would like to understand if KeyCloak is fully FIPS 140-2 compliant, since we have compliance needs. There is a very limited amount of information that I could find regarding this online. For example:

http://lists.jboss.org/pipermail/keycloak-user/2015-October/003177.html

This is a pretty old link, so might not be updated with latest details.

If this is the wrong place to ask this question, kindly suggest the right one, if any. Thanks in advance!


Solution

  • After researching, it does appear that in the past year there is a FIPS-validated cryptographic module (called Bouncy Castle) that can be used in KeyCloak.

    One of the issues is that there is no FIPS 140-2 compliant MFA option for Keycloak. It only supports the Google Authenticator and FreeOTP apps.