Login.gov - GeoPlatform/keycloak-integration-howto GitHub Wiki

Basic Integration with Login.gov

There is a compatibility issue (as of June 2020) between Keycloak and Login.gov. The "use" parameter is not set in the JWKS response from Login.gov, but Keycloak expects it to be set to "sig". To resolve this issue, build and install this Login.gov SPI. In addition to fixing the JWKS issue, it also provides a drop-down to select the IAL level of your integration.
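An added sketch (not part of this wiki or the SPI's code) of the mismatch described above: a consumer that requires "use" to equal "sig" rejects a JWKS key that omits "use", and filling in the default only where the key is not marked for another purpose resolves it. The sample JWKS, key ids and function names are constructed for illustration; how the SPI itself applies the fix is not shown on this page.

```python
import copy

# Constructed sample: shaped like a JWKS whose signing key omits "use".
# kid and key material are placeholders, not real Login.gov values.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "example-sig-key", "alg": "RS256",
         "n": "placeholder-modulus", "e": "AQAB"},
        {"kty": "RSA", "kid": "example-enc-key", "use": "enc",
         "n": "placeholder-modulus", "e": "AQAB"},
        {"kty": "RSA", "kid": "example-wrap-key", "key_ops": ["wrapKey"],
         "n": "placeholder-modulus", "e": "AQAB"},
    ]
}


def strict_sig_kids(jwks):
    """Simplified model of a consumer that only accepts keys with use == "sig"."""
    return [k.get("kid") for k in jwks.get("keys", []) if k.get("use") == "sig"]


def may_default_to_sig(key):
    """True if "use" is absent and nothing else rules out signature use."""
    if "use" in key:
        return False  # never relabel a key explicitly marked "enc" or "sig"
    ops = key.get("key_ops")
    return ops is None or "verify" in ops


def normalize_jwks(jwks):
    """Return (copy with use="sig" filled in where safe, list of kids changed)."""
    fixed = copy.deepcopy(jwks)
    changed = []
    for key in fixed.get("keys", []):
        if may_default_to_sig(key):
            key["use"] = "sig"
            changed.append(key.get("kid"))
    return fixed, changed


if __name__ == "__main__":
    print("accepted before:", strict_sig_kids(SAMPLE_JWKS))
    fixed, changed = normalize_jwks(SAMPLE_JWKS)
    print("defaulted to sig:", changed)
    print("accepted after:", strict_sig_kids(fixed))
```

Keys that declare "enc" or a non-verify "key_ops" are left untouched, so the normalization cannot turn an encryption key into an accepted signature-verification key.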

Allow IAL1 and IAL3 logins

A single Login.gov application cannot be set up to handle both IAL1 and IAL3 logins. The solution is to set up two separate Login.gov applications and then configure these as separate IdPs in Keycloak. Use Keycloak Mappers to handle the different response claims as needed.

Login.gov IAL dropdown in application configuration