diff --git a/.env.sample b/.env.sample
index 83fc2b4..98620c7 100644
--- a/.env.sample
+++ b/.env.sample
@@ -14,3 +14,10 @@ COMPOSE_FILE="compose.yml:compose.mssql.yml"
 # OIDC_CLIENT_ID=
 # OIDC_ISSUER_URL=
 # SECRET_OIDC_CLIENT_SECRET=v1
+
+# Keycloak integration
+# COMPOSE_FILE="compose.yml:compose.keycloak.yml"
+# KEYCLOAK_ENABLED=1
+# KEYCLOAK_CLIENT_ID=
+# KEYCLOAK_CLIENT_TOKEN_URL=
+# SECRET_KEYCLOAK_CLIENT_SECRET=v1
diff --git a/abra.sh b/abra.sh
index 49bb492..f1d97e4 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,2 +1,4 @@
-export CUSTOM_ENTRYPOINT_VERSION=v1
+export CUSTOM_ENTRYPOINT_VERSION=v2
 export OIDC_CONF_VERSION=v1
+export PAM_EXEC_OAUTH2_YAML_VERSION=v1
+export PAM_SCRIPT_AUTH_VERSION=v1
diff --git a/compose.keycloak.yml b/compose.keycloak.yml
new file mode 100644
index 0000000..94d4e7c
--- /dev/null
+++ b/compose.keycloak.yml
@@ -0,0 +1,36 @@
+---
+version: "3.8"
+
+# WARNING: Requires your own Keycloak and is a work-around for the server pro
+# restrictions for SSO integration. This is experimental. Please speak
+# to washnote.com folks if you need support, it is being used there.
+
+services:
+  app:
+    configs:
+      - source: pam_exec_oauth2_yaml
+        target: /opt/pam-exec-oauth2/pam-exec-oauth2.yaml
+        mode: 0600
+      - source: pam_script_auth_sh
+        target: /usr/share/libpam-script/pam_script_auth
+        mode: 0555
+    environment:
+      - KEYCLOAK_ENABLED
+      - KEYCLOAK_CLIENT_ID
+      - KEYCLOAK_TOKEN_URL
+    secrets:
+      - keycloak_client_secret
+
+configs:
+  pam_exec_oauth2_yaml:
+    name: ${STACK_NAME}_pam_exec_oauth2_yaml_${PAM_EXEC_OAUTH2_YAML_VERSION}
+    file: pam-exec-oauth2.yaml.tmpl
+    template_driver: golang
+  pam_script_auth_sh:
+    name: ${STACK_NAME}_pam_script_auth_sh_${PAM_SCRIPT_AUTH_VERSION}
+    file: pam_script_auth.sh
+
+secrets:
+  keycloak_client_secret:
+    name: ${STACK_NAME}_keycloak_client_secret_${SECRET_KEYCLOAK_CLIENT_SECRET}
+    external: true
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index ac29a1a..68c3d87 100644
--- a/entrypoint.sh.tmpl
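Review bot: The sample names the token endpoint variable `KEYCLOAK_CLIENT_TOKEN_URL`, but compose.keycloak.yml passes `KEYCLOAK_TOKEN_URL` into the container and pam-exec-oauth2.yaml.tmpl reads `env "KEYCLOAK_TOKEN_URL"`, so an operator who copies this block ends up with an empty `endpoint-token-url` and every Keycloak login fails. Rename the sample line to `# KEYCLOAK_TOKEN_URL=`. It would also help to note that `COMPOSE_FILE` must list every overlay in use (e.g. `compose.yml:compose.mssql.yml:compose.keycloak.yml`), since the two commented `COMPOSE_FILE` lines in this file otherwise read as mutually exclusive.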
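Review bot: The WARNING comment should spell out the trust consequence of this design: the user's Keycloak password is typed into RStudio's login form and handed to the pam-exec-oauth2 binary inside this container (the entrypoint registers it with `expose_authtok`), which then presents it together with the client secret mounted here to the token endpoint — this looks like the OAuth2 password grant, so the Keycloak client must allow direct access grants and the server sees every user's password in clear. Something like `# NOTE: unlike the OIDC integration, this path proxies the user's Keycloak password through this container (PAM + password grant); the Keycloak client needs 'Direct Access Grants' enabled and the client secret is readable by root inside the container.` would let operators judge the trade-off before enabling it. The `mode: 0600` on the rendered config is the right call given that secret is written into it.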
+++ b/entrypoint.sh.tmpl
@@ -29,4 +29,13 @@ echo 'auth-openid-issuer={{ env "OIDC_ISSUER_URL"}}' >> /etc/rstudio/rserver.con
 echo 'auth-openid-base-uri=https://{{ env "DOMAIN" }}' >> /etc/rstudio/rserver.conf
 {{ end }}
 
+{{ if eq (env "KEYCLOAK_ENABLED") "1" }}
+apt install -y libpam-script
+echo 'auth sufficient pam_exec.so expose_authtok /opt/pam-exec-oauth2/pam-exec-oauth2' >> /etc/pam.d/common-auth
+echo 'auth optional pam_script.so' >> /etc/pam.d/common-auth
+mkdir -p /opt/pam-exec-oauth2/
+wget https://github.com/WASHNote/pam-exec-oauth2/releases/download/v0.0.1/pam-exec-oauth2 -O /opt/pam-exec-oauth2/pam-exec-oauth2
+chmod +x /opt/pam-exec-oauth2/pam-exec-oauth2
+{{ end }}
+
 exec "$@"
diff --git a/pam-exec-oauth2.yaml.tmpl b/pam-exec-oauth2.yaml.tmpl
new file mode 100644
index 0000000..464b67b
--- /dev/null
+++ b/pam-exec-oauth2.yaml.tmpl
@@ -0,0 +1,8 @@
+{
+  client-id: "{{ env "KEYCLOAK_CLIENT_ID" }}",
+  client-secret: "{{ secret "keycloak_client_secret" }}",
+  scopes: ["profile"],
+  endpoint-token-url: "{{ env "KEYCLOAK_TOKEN_URL" }}",
+  extra-parameters: {
+  },
+}
diff --git a/pam_script_auth.sh b/pam_script_auth.sh
new file mode 100755
index 0000000..e62a1e8
--- /dev/null
+++ b/pam_script_auth.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+if ! id "$PAM_USER" &>/dev/null; then
+  adduser $PAM_USER --disabled-password --quiet --gecos ""
+fi
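Review bot: The `wget` line fetches the PAM module from a GitHub release at container start with no integrity check and then registers it as `auth sufficient`, so whatever that URL serves — after DNS/TLS interception, a compromised GitHub account, or a silently re-uploaded release asset — becomes an unconditional login bypass for this server. Pin the asset's digest and refuse to start on mismatch, e.g. `echo '<sha256 of the v0.0.1 asset>  /opt/pam-exec-oauth2/pam-exec-oauth2' | sha256sum -c - || exit 1` immediately after the download, or better, build the binary into the image so the runtime path needs no network at all. Separately, on Debian's stock `common-auth` the appended lines sit after `auth requisite pam_deny.so`, which returns before reaching them for any user pam_unix rejects, so it is worth confirming the base image's stack actually gets this far. The entrypoint script starts outside this hunk, so whether a failed `wget` or `apt install` aborts startup (`set -e`) cannot be seen here.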
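Review bot: The secret and env values are interpolated into double-quoted scalars without escaping, so a client secret or URL containing `"` or `\` (or a trailing newline, as `echo`-created Docker secrets often carry) produces a config that either fails to parse or holds a mangled secret; the failure mode is a rejected login rather than a bypass, but it is hard to diagnose from PAM logs. If the golang template driver in use exposes the `json` helper, `client-secret: {{ secret "keycloak_client_secret" | json }},` yields a correctly quoted value; otherwise document that the secret must be created without newline or quote characters. The file is effectively JSON written as flow-style YAML with unquoted keys — quoting the keys would make it loadable by either parser and removes one ambiguity for whoever maintains it.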
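Review bot: `adduser $PAM_USER` is unquoted and takes whatever username was submitted on the login form, so the value should be validated before it becomes a local account name; `id "$PAM_USER"` is quoted, but the adduser call is not, and nothing rejects option-like names or names with shell metacharacters. Guard the input with `[[ "$PAM_USER" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || exit 1` and call `adduser --disabled-password --quiet --gecos "" "$PAM_USER"`. More fundamentally, this hook runs in the `auth` phase and sees only the username, not whether authentication succeeded; with `auth optional pam_script.so` placed after the `sufficient` pam_exec line, it appears to be reached only when pam_exec did not succeed, so confirm on the deployed stack that accounts are created after a successful Keycloak login and not for rejected attempts (pam_script's `account` or `session` hooks would only fire post-auth).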