Secure, TCKN-Based Login for Public Sector Applications

Enable citizens and government employees to log in using their e-Devlet credentials through Keycloak. This extension supports OIDC-compliant federation and native TCKN identity propagation—secure, standards-based, and fully auditable.

Seamless Public Sector Login via TCKN and e-Devlet Gateway

Why It Matters

Most public institutions in Turkey rely on e-Devlet Kapısı (turkiye.gov.tr) as the central authentication point. Integrating it into your IAM architecture ensures:

  • Seamless citizen onboarding
  • No password storage or management burden
  • Legal and regulatory compliance
  • National ID (TCKN) availability for authorization scopes

With Keymate's e-Devlet Identity Provider extension, you get a secure, production-ready, and reusable login flow—without custom scripts or hacks.

Federated Identity with Native TCKN Handling

Keycloak users are automatically created (or matched) using the sub and TCKN attributes from the e-Devlet token:

e-Devlet Federation Flow

Supports citizen login and public employee login equally.

Example: Securely federate e-Devlet identities into Keycloak.

Key Components:

  • Integrates with OIDC-compliant e-Devlet gateway
  • Extracts and stores verified TCKN in user attributes
  • Creates local user profile with no password (IdP only)
  • Enriches session notes with identity provider metadata
  • Enables downstream token enrichment and authorization with TCKN

Extension Highlights — What Makes It Unique

OIDC-Compliant

Uses standard OpenID Connect flows with the e-Devlet IdP

Verified TCKN Injection

Securely extracts and stores the Turkish ID number (TCKN)

Passwordless Federation

Local users are created without passwords and mapped to the IdP

Auto User Linking

If a user already exists with the same TCKN or email, the account is linked automatically

Session Notes Enrichment

TCKN and IdP metadata added to Keycloak session context

Authorization Ready

TCKN can be used in policy DSL, token scopes, or OpenFGA checks

Audit & Compliance

All login events are logged with source IdP info and IP

Frequently Asked Questions

No. Users authenticated via e-Devlet are created as IdP-only accounts in Keycloak.
Yes. The TCKN is stored as a user attribute and also added to session notes and tokens if configured.
If matched by TCKN or email, the existing user is linked to the incoming IdP identity.
Yes. The extension uses OIDC flows and works with the official identity gateway used in public sector integrations.

How to Use This Extension

Follow these steps to enable the e-Devlet Identity Provider.

Implementation Steps

1. Configure the e-Devlet IdP as a standard OIDC identity provider in Keycloak
2. Install Keymate's e-Devlet extension via JAR or Helm-based deployment
3. Enable auto-linking and TCKN mapping in the extension settings
4. Monitor login events and session enrichment via Keymate Admin Console
5. Use the TCKN field in DSL policies, OpenFGA scopes, or token payloads
