
> - You can force 2FA, again for every service the company is using that supports SSO.

This can also be a way to balance security and user convenience, which should not be underestimated.

If users have to do the MFA dance (Duo Pushes, TOTP tokens, ...) once a day for a dozen different services, they will rightfully riot and start looking for workarounds of questionable security. On the other hand, you could have one MFA dance in the morning to get your Keycloak session; it is kept alive by normal usage and then it doesn't bother you anymore for the day. Much lower friction.

Another thing is auditing and analysis. With central logins, you need one service with good audit logging, and you need to understand and alert on one log if a user suddenly tries to log in from another continent, hundreds of times a minute. Some of these services have this built-in.
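The two detections the comment above mentions (a burst of login attempts, and a login from another continent too soon after the previous one), run over a central SSO audit log, as an added example that is not part of the comment and not Keycloak's own code. The event field names (`time` in milliseconds, `type`, `userId`, `ipAddress`) follow Keycloak's admin event format, but the log lines, the IP-prefix-to-continent table and the thresholds are all constructed assumptions for this example; a real deployment would resolve source addresses with a GeoIP database and tune the thresholds to its user base.

```python
"""Burst and impossible-travel detection over a central SSO audit log.

Added example; the sample events and the IP-to-continent table are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed lookup for the sample data below (assumption, not real allocations).
# A real deployment would use a GeoIP database here.
PREFIX_TO_CONTINENT = {
    "203.0.113.": "Oceania",
    "198.51.100.": "Europe",
    "192.0.2.": "North America",
}

BURST_THRESHOLD = 100       # attempts per user inside BURST_WINDOW_S
BURST_WINDOW_S = 60
TRAVEL_WINDOW_S = 6 * 3600  # a continent change faster than this is suspicious


def continent_for(ip):
    """Map a source IP to a continent via the constructed prefix table."""
    for prefix, continent in PREFIX_TO_CONTINENT.items():
        if ip.startswith(prefix):
            return continent
    return "unknown"


def parse_event(line):
    """Parse one JSON event line using Keycloak-style field names (assumed)."""
    ev = json.loads(line)
    return {
        "time": datetime.fromtimestamp(ev["time"] / 1000, tz=timezone.utc),
        "type": ev["type"],
        "user": ev["userId"],
        "ip": ev["ipAddress"],
    }


def detect(lines):
    """Return a list of (alert_type, user, detail) tuples for the given log lines."""
    alerts = []
    recent = defaultdict(deque)  # user -> attempt timestamps inside the burst window
    last_success = {}            # user -> (time, continent) of the last successful login
    burst_flagged = set()        # alert once per user, not once per extra attempt
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    for ev in events:
        user, t = ev["user"], ev["time"]

        # Burst detection: sliding window of attempts (any outcome) per user.
        q = recent[user]
        q.append(t)
        while (t - q[0]).total_seconds() > BURST_WINDOW_S:
            q.popleft()
        if len(q) >= BURST_THRESHOLD and user not in burst_flagged:
            burst_flagged.add(user)
            alerts.append(("burst", user,
                           f"{len(q)} attempts in {BURST_WINDOW_S}s from {ev['ip']}"))

        # Impossible travel: compare consecutive successful logins only.
        if ev["type"] == "LOGIN":
            here = continent_for(ev["ip"])
            if user in last_success:
                prev_t, prev_cont = last_success[user]
                gap = (t - prev_t).total_seconds()
                if ("unknown" not in (here, prev_cont) and here != prev_cont
                        and gap < TRAVEL_WINDOW_S):
                    alerts.append(("impossible_travel", user,
                                   f"{prev_cont} -> {here} in {gap:.0f}s"))
            last_success[user] = (t, here)
    return alerts


def sample_log():
    """Constructed events: alice logs in from Europe, then from Oceania twenty
    minutes later; bob's password is sprayed 120 times within one minute."""
    base = 1_700_000_000_000  # ms since epoch
    lines = [
        json.dumps({"time": base, "type": "LOGIN",
                    "userId": "alice", "ipAddress": "198.51.100.7"}),
        json.dumps({"time": base + 20 * 60 * 1000, "type": "LOGIN",
                    "userId": "alice", "ipAddress": "203.0.113.9"}),
    ]
    for i in range(120):
        lines.append(json.dumps({"time": base + i * 500, "type": "LOGIN_ERROR",
                                 "userId": "bob", "ipAddress": "192.0.2.33"}))
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Both checks are per user, which is the point of the central log: the same correlation would need the attempt stream from every service if each one kept its own login log.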
