diff --git a/compose/.gitignore b/compose/.gitignore
new file mode 100644
index 0000000..cdb441f
--- /dev/null
+++ b/compose/.gitignore
@@ -0,0 +1,10 @@
+data/
+nginx/log/
+nginx/ssl/*.key
+nginx/ssl/*.pem
+nginx/ssl/*.crt
+keycloak/nginx/log/*.log
+keycloak/nginx/ssl/*.key
+keycloak/nginx/ssl/*.pem
+keycloak/nginx/ssl/*.crt
+.env
\ No newline at end of file
diff --git a/compose/cthq.properties b/compose/cthq.properties
index 8b8c254..2509990 100644
--- a/compose/cthq.properties
+++ b/compose/cthq.properties
@@ -6,7 +6,7 @@ hq.collab.secret=${INTEL_SECRET}
 # Fill in values specific to your deployment
 # If you want to run with multiple SSO providers, add their names separated with commas
-hq.sso.tenants=github
+# hq.sso.tenants=github
 # GitHub SSO
 hq.sso.github.provider=github
@@ -20,6 +20,13 @@ hq.sso.github.info.uri=https://api.github.com/user
 hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks
 hq.sso.github.logout.uri=https://github.com/logout
+# hq.sso.provider=keycloak
+# hq.sso.client.id=YOUR_CLIENT_ID
+# hq.sso.client.secret=YOUR_CLIENT_SECRET
+# hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether
+# hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights
+# hq.sso.client.authentication.method=client_secret_post
+
 # These values do not need to be changed, though secrets can be updated
 hq.db.type=CASSANDRA
 hq.cassandra.db.host=codetogether-cassandra
diff --git a/compose/keycloak/.env-template b/compose/keycloak/.env-template
new file mode 100644
index 0000000..5127bae
--- /dev/null
+++ b/compose/keycloak/.env-template
@@ -0,0 +1,9 @@
+KEYCLOAK_FQDN=keycloak.example.com
+SSL_KEYCLOAK_CERT=ssl-keycloak.crt
+SSL_KEYCLOAK_KEY=ssl-keycloak.key
+
+KEYCLOAK_DB_USERNAME=keycloak
+KEYCLOAK_DB_PASSWORD=keycloak
+
+KEYCLOAK_ADMIN_PASSWORD=keycloak
+KEYCLOAK_ADMIN=admin
\ No newline at end of file
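Review bot: The commented-out Keycloak block puts the OIDC client secret inline (`# hq.sso.client.secret=YOUR_CLIENT_SECRET`) in a file that is tracked in git, while the `hq.collab.secret=${INTEL_SECRET}` context line of the first hunk already shows this file's pattern of sourcing secrets from the environment; once a deployer uncomments it, the real secret lands in the committed properties file. Suggest `# hq.sso.client.secret=${KEYCLOAK_CLIENT_SECRET}` with the value placed in `.env`, which the new `.gitignore` in this commit already excludes. The issuer is also the plain-HTTP internal URL `http://codetogether-keycloak:8080/realms/codetogether`, whereas the Keycloak compose file sets `KC_HOSTNAME` to the public FQDN served over HTTPS; if the issued tokens' `iss` claim is derived from that public hostname, discovery against the internal URL will presumably fail issuer validation — confirm, and if so use `https://${KEYCLOAK_FQDN}/realms/codetogether` here.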
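Review bot: Every credential in the template defaults to a working weak value (`KEYCLOAK_DB_PASSWORD=keycloak`, `KEYCLOAK_ADMIN_PASSWORD=keycloak`) that the compose file will start with unchanged after the rename to `.env`, and the compose file reuses `KEYCLOAK_DB_PASSWORD` as `MYSQL_ROOT_PASSWORD`, so a guessed Keycloak DB password is also MySQL root. Templates copied verbatim are where default credentials in production come from; use placeholders that cannot work as-is, e.g. `KEYCLOAK_DB_PASSWORD=CHANGE_ME` and `KEYCLOAK_ADMIN_PASSWORD=CHANGE_ME`, with a comment such as `# Generate each secret with: openssl rand -base64 32 -- do not start the stack with the placeholders`. The Keycloak image is pulled as `latest`; recent releases rename the bootstrap admin variables to `KC_BOOTSTRAP_ADMIN_USERNAME`/`KC_BOOTSTRAP_ADMIN_PASSWORD` and only warn about `KEYCLOAK_ADMIN`, so verify which pair the pulled version honours before relying on these two names.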
diff --git a/compose/keycloak/compose.keycloak.yaml b/compose/keycloak/compose.keycloak.yaml
new file mode 100644
index 0000000..f842905
--- /dev/null
+++ b/compose/keycloak/compose.keycloak.yaml
@@ -0,0 +1,95 @@
+# 👇 Rename `.env-template` to `.env` before running this file
+# Set the appropriate values once renamed
+services:
+ # Relational database for Keycloak (optional)
+ codetogether-mysql:
+ image: mysql:8.0
+ container_name: codetogether-mysql
+ restart: unless-stopped
+ env_file:
+ - .env
+ environment:
+ MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ MYSQL_DATABASE: keycloak
+ MYSQL_USER: ${KEYCLOAK_DB_USERNAME}
+ MYSQL_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ volumes:
+ - mysql_data:/var/lib/mysql
+ networks:
+ - codetogethernet
+ healthcheck:
+ test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+ interval: 10s
+ timeout: 10s
+ retries: 30
+ # Nginx reverse proxy for Keycloak (optional)
+ codetogether-keycloak-nginx:
+ image: nginx:latest
+ container_name: codetogether-keycloak-nginx
+ env_file:
+ - .env
+ environment:
+ - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx
+ ports:
+ - "443:443"
+ volumes:
+ - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro
+ - ./nginx/ssl:/etc/nginx/ssl
+ - ./nginx/log:/var/log/nginx
+ networks:
+ - codetogethernet
+ depends_on:
+ codetogether-keycloak:
+ condition: service_healthy
+
+ # Keycloak service (optional)
+ codetogether-keycloak:
+ image: quay.io/keycloak/keycloak:latest
+ container_name: codetogether-keycloak
+ env_file:
+ - .env
+ depends_on:
+ codetogether-mysql:
+ condition: service_healthy
+ command:
+ - "start"
+ environment:
+ # Admin credentials
+ KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
+ KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+
+ # Database connectivity
+ KC_DB: mysql
+ KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}
+ KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ KC_DB_URL_HOST: codetogether-mysql
+
+ # Feature flags & observability
+ KC_FEATURES: token-exchange
+ KC_HEALTH_ENABLED: "true"
+ KC_METRICS_ENABLED: "true"
+
+ # Reverse‑proxy / HTTP
+ KC_HTTP_ENABLED: "true"
+ KC_PROXY: edge
+ KC_PROXY_HEADERS: xforwarded
+ KC_HOSTNAME_STRICT: "false"
+ KC_HOSTNAME_STRICT_HTTPS: "false"
+ KC_HOSTNAME: ${KEYCLOAK_FQDN}
+ KC_FRONTEND_URL: https://${KEYCLOAK_FQDN}
+ KC_HTTP_PORT: 8080
+ networks:
+ - codetogethernet
+ healthcheck:
+ test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ start_period: 30s
+
+volumes:
+ mysql_data:
+
+networks:
+ codetogethernet:
+ driver: bridge
\ No newline at end of file
diff --git a/compose/keycloak/nginx/log/placeholder.txt b/compose/keycloak/nginx/log/placeholder.txt
new file mode 100644
index 0000000..e69de29
diff --git a/compose/keycloak/nginx/nginx.conf.template b/compose/keycloak/nginx/nginx.conf.template
new file mode 100644
index 0000000..e48b298
--- /dev/null
+++ b/compose/keycloak/nginx/nginx.conf.template
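Review bot: `KC_HOSTNAME_STRICT: "false"`, combined with the nginx template in this commit forwarding the client-supplied `Host` header to Keycloak (`proxy_set_header Host $reqHost` with `$reqHost` set from `$http_host`), lets Keycloak build its frontend URLs — including the password-reset and verification links it puts in e-mails — from whatever Host value an attacker sends, the classic host-header injection; `KC_HOSTNAME` is already set to the public FQDN, so strict mode should stay on. Suggest `KC_HOSTNAME: https://${KEYCLOAK_FQDN}` and dropping the `KC_HOSTNAME_STRICT`, `KC_HOSTNAME_STRICT_HTTPS` and `KC_FRONTEND_URL` lines (I don't recognise `KC_FRONTEND_URL` as a Quarkus-distribution option, and `KC_PROXY: edge` was deprecated in favour of the `KC_PROXY_HEADERS` setting already present — verify against the pulled version, which is an unpinned `latest`). Separately, `MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}` hands the application account's password to MySQL root, and `KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}` silently falls back to root if the variable is unset; use a distinct `MYSQL_ROOT_PASSWORD` variable and drop the `:-root` default so a missing value fails loudly. Pinning `mysql`, `nginx` and `keycloak` to explicit versions would also stop the three images from drifting independently on each pull.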
@@ -0,0 +1,57 @@
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ server {
+ server_name ${KEYCLOAK_FQDN};
+ listen 443 ssl http2;
+
+ # configure proxy buffer sizes
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+
+ # setup the SSL certificate
+ ssl_certificate /etc/nginx/ssl/${SSL_KEYCLOAK_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_KEYCLOAK_KEY};
+ # ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ # create the passthrough to the CodeTogether Intel container
+ location / {
+
+ # set passthru parameters for the CodeTogether Intel container
+ set $realIP $remote_addr;
+ set $forwardTo $proxy_add_x_forwarded_for;
+ set $reqHost $http_host;
+ client_max_body_size 32M;
+ if ($http_x_real_ip != '') {
+ set $realIP $http_x_real_ip;
+ }
+ if ($http_x_forwarded_for != '') {
+ set $forwardTo $http_x_forwarded_for;
+ }
+ proxy_set_header X-Real-IP $realIP;
+ proxy_set_header X-Forwarded-For $forwardTo;
+ proxy_set_header Host $reqHost;
+ proxy_set_header X-Forwarded-Proto https;
+
+ # setup the backend to service the HQ requests
+ proxy_pass http://codetogether-keycloak:8080;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 360;
+ proxy_connect_timeout 360;
+ proxy_send_timeout 360;
+ }
+ }
+}
\ No newline at end of file
diff --git a/compose/keycloak/nginx/ssl/placeholder.txt b/compose/keycloak/nginx/ssl/placeholder.txt
new file mode 100644
index 0000000..e69de29
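Review bot: The two `if` blocks in `location /` overwrite `$realIP` and `$forwardTo` with whatever `X-Real-IP` / `X-Forwarded-For` the client sends, yet this nginx is the TLS edge itself (`listen 443 ssl`, published as `"443:443"` in the compose file), so no upstream proxy could have set those headers legitimately; because Keycloak is started with `KC_PROXY_HEADERS: xforwarded` it will trust the forwarded value, so any client can choose the source IP that appears in Keycloak's event log and brute-force detection. Drop the `set`/`if` lines and pass the socket values directly: `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. While here, `ssl_protocols TLSv1.2;` should read `ssl_protocols TLSv1.2 TLSv1.3;`, and the `# ... for the CodeTogether Intel container` / `# setup the backend to service the HQ requests` comments were copied from the Intel proxy config and should name Keycloak so the next reader does not assume this file fronts the other service.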