Keycloak adds the support of SAML2 without changing the current product support of OAuth2. The SAML2 capability is provided by the WFC Authentication Connection Service (WFC-ACS), which brokers access authorization between the SAML Identity Management infrastructure and the OAuth2 authorization capabilities of Workforce Connect.