diff --git a/README.md b/README.md index e8ad7bb8..5fa1273c 100644 --- a/README.md +++ b/README.md @@ -62,4 +62,5 @@ Version: 2.7.3 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/bigblue ## Further How-To's - [Running behind NAT](docs/behind-nat.md) - [Integration into an existing web server](docs/existing-web-server.md) +- [Integration of addition authentication providers](docs/additional-authentication-providers.md) diff --git a/docker-compose.tmpl.yml b/docker-compose.tmpl.yml index aef1b682..8c3ad384 100644 --- a/docker-compose.tmpl.yml +++ b/docker-compose.tmpl.yml @@ -173,6 +173,7 @@ services: - "webrtc-sfu:10.7.7.1" - "html5:10.7.7.11" - "greenlight:10.7.7.21" + - "keycloak:10.7.7.23" etherpad: build: @@ -505,6 +506,32 @@ services: networks: bbb-net: ipv4_address: 10.7.7.22 + + {{ if isTrue .Env.ENABLE_KEYCLOAK }} + # keycloak Authentification provider + keycloak: + command: start + image: quay.io/keycloak/keycloak:23.0 + restart: unless-stopped + environment: + - KEYCLOAK_ADMIN=${KEYCLOAK_ADMIN:-admin} + - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-password} + - KC_DB=postgres + - KC_DB_URL_HOST=postgres + - KC_DB_USERNAME=postgres + - KC_DB_URL_DATABASE=keycloakdb + - KC_DB_PASSWORD=${POSTGRESQL_SECRET:-password} + - KC_HOSTNAME_STRICT=${KEYCLOAK_HOSTNAME_STRICT:-false} + - KC_HTTP_RELATIVE_PATH=/keycloak + - KC_PROXY=edge + logging: + driver: journald + depends_on: + - postgres + networks: + bbb-net: + ipv4_address: 10.7.7.23 + {{end}} {{end}} {{ if isTrue .Env.ENABLE_PROMETHEUS_EXPORTER }} diff --git a/docs/additional-authentication-providers.md b/docs/additional-authentication-providers.md new file mode 100644 index 00000000..103927ba --- /dev/null +++ b/docs/additional-authentication-providers.md 
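Review bot: `KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-password}` in the new keycloak service falls back to a fixed password whenever the variable is unset, and sample.env ships that variable commented out, so an install that enables ENABLE_KEYCLOAK by hand (the path docs/additional-authentication-providers.md describes) ends up with the admin console reachable through nginx under /keycloak with admin/password. Compose can refuse to start instead of guessing: `- KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:?KEYCLOAK_ADMIN_PASSWORD must be set in .env}`. The service also reuses the postgres superuser for Keycloak (`KC_DB_USERNAME=postgres`, `KC_DB_PASSWORD=${POSTGRESQL_SECRET:-password}`); a dedicated role with rights only on keycloakdb would be the least-privilege option and could be created by scripts/setup-keycloak-database alongside the database. `KC_HOSTNAME_STRICT` defaulting to false deserves a short comment noting that it makes Keycloak trust the Host/X-Forwarded-Host headers the nginx proxy forwards, so it is only as safe as that proxy configuration.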
@@ -0,0 +1,11 @@ +# Note if you want to use a additional authentication provider +If you want to authenticate against an external authentication you have to enable keycloak. +On new installations you can enable it within the setup script. +If you already use BigBlueButton uncomment the and set the values to the following environment variables: + - ENABLE_KEYCLOAK to true + - KEYCLOAK_ADMIN to the wanted username of the keycloak administration account (default: admin) + - KEYCLOAK_ADMIN_PASSWORD to a safe passwort (the setup script creates one) + +## Further Information +[Keycloak Configuration Instructions](https://docs.bigbluebutton.org/greenlight/v3/external-authentication/) + diff --git a/mod/nginx/bbb/keycloak.nginx b/mod/nginx/bbb/keycloak.nginx new file mode 100644 index 00000000..6e00b98f --- /dev/null +++ b/mod/nginx/bbb/keycloak.nginx @@ -0,0 +1,21 @@ +### Keycloak: + +location /keycloak { + proxy_pass http://keycloak:8080; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_http_version 1.1; + + proxy_headers_hash_max_size 512; + proxy_headers_hash_bucket_size 128; + + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + +} \ No newline at end of file diff --git a/sample.env b/sample.env index 49133085..1245ba6a 100644 --- a/sample.env +++ b/sample.env @@ -197,6 +197,13 @@ NUMBER_OF_FRONTEND_NODEJS_PROCESSES=2 #S3_BUCKET= #S3_ENDPOINT= +# To enable Keycloak as Authentification Provider (for example for Microsoft/Office 365) +# +#ENABLE_KEYCLOAK=false +#KEYCLOAK_ADMIN= +#KEYCLOAK_ADMIN_PASSWORD= +#KEYCLOAK_HOSTNAME_STRICT= + # Define the default locale language code (i.e. 'en' for English) from the fallowing list: # [en, ar, fr, es] #DEFAULT_LOCALE=en 
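Review bot: `proxy_set_header Connection "Upgrade"` together with `proxy_http_version 1.1` is applied to every request under /keycloak, not only to WebSocket upgrades, so ordinary requests are forwarded with a Connection: Upgrade header and an empty Upgrade value; the usual form is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the http context and `proxy_set_header Connection $connection_upgrade;` here. The prefix location forwards everything below it, including /keycloak/admin, to whoever can reach nginx; a separate `location /keycloak/admin { allow ADMIN_NETWORK_CIDR; deny all; ... }` (placeholder: the operator's admin network) would limit who can reach the admin console. `proxy_set_header X-Forwarded-Ssl on` is unconditional, which is only correct when this file is included from an HTTPS-only server block; a comment stating that assumption would help the next maintainer.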
diff --git a/scripts/generate-compose b/scripts/generate-compose index 6348c9c7..c2afe261 100755 --- a/scripts/generate-compose +++ b/scripts/generate-compose @@ -58,6 +58,7 @@ docker run \ -e ENABLE_WEBHOOKS=${ENABLE_WEBHOOKS:-false} \ -e ENABLE_COTURN=${ENABLE_COTURN:-false} \ -e ENABLE_GREENLIGHT=${ENABLE_GREENLIGHT:-false} \ + -e ENABLE_KEYCLOAK=${ENABLE_KEYCLOAK:-false} \ -e ENABLE_PROMETHEUS_EXPORTER=${ENABLE_PROMETHEUS_EXPORTER:-false} \ -e ENABLE_PROMETHEUS_EXPORTER_OPTIMIZATION=${ENABLE_PROMETHEUS_EXPORTER_OPTIMIZATION:-false} \ -e NUMBER_OF_BACKEND_NODEJS_PROCESSES=${NUMBER_OF_BACKEND_NODEJS_PROCESSES:-1} \ diff --git a/scripts/setup b/scripts/setup index 1667c0d7..a7f94402 100755 --- a/scripts/setup +++ b/scripts/setup @@ -27,6 +27,14 @@ while [[ ! $greenlight =~ ^(y|n)$ ]]; do read -p "Should greenlight be included? (y/n): " greenlight done +keycloak="" +if [ "$greenlight" = "y" ] +then + while [[ ! $keycloak =~ ^(y|n)$ ]]; do + read -p "Should Keycloak as external Authenficator be included? (y/n): " keycloak + done +fi + https_proxy="" while [[ ! $https_proxy =~ ^(y|n)$ ]]; do read -p "Should an automatic HTTPS Proxy be included? (y/n): " https_proxy @@ -141,6 +149,15 @@ then sed -i "s/ENABLE_GREENLIGHT.*/#ENABLE_GREENLIGHT=true/" .env fi +if [ "$keycloak" == "y" ] +then + sed -i "s/.*ENABLE_KEYCLOAK=.*/ENABLE_KEYCLOAK=true/" .env + sed -i "s/.*KEYCLOAK_ADMIN=.*/KEYCLOAK_ADMIN=admin/" .env + KEYCLOAK_SECRET=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 40) + sed -i "s/.*KEYCLOAK_ADMIN_PASSWORD=.*/KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_SECRET/" .env + sed -i "s/.*KEYCLOAK_HOSTNAME_STRICT=.*/KEYCLOAK_HOSTNAME_STRICT=false/" .env +fi + if [ ! "$https_proxy" == "y" ] then sed -i "s/ENABLE_HTTPS_PROXY.*/#ENABLE_HTTPS_PROXY=true/" .env 
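Review bot: the `sed -i "s/.*KEYCLOAK_ADMIN_PASSWORD=.*/.../" .env` line in the `"$keycloak" == "y"` branch is a silent no-op when .env has no matching line, so an .env created before this change never receives the generated secret and the compose template then falls back to its built-in default password; a guard such as `grep -q '^#\?KEYCLOAK_ADMIN_PASSWORD=' .env || echo 'KEYCLOAK_ADMIN_PASSWORD=' >> .env` before the replacement would make the secret land in the file. Whether setup always starts from a fresh copy of sample.env is not visible in this hunk, so this may only matter for re-runs on existing installs. The first hunk in this file compares with `[ "$greenlight" = "y" ]` while this one uses `==`; keeping one form (the POSIX `=`) makes the script consistent. `KEYCLOAK_HOSTNAME_STRICT=false` is written unconditionally; a one-line comment that it disables Keycloak's hostname check and relies on the nginx proxy forwarding the correct host would tell the reader why.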
@@ -206,6 +223,12 @@ echo " $ nano .env" echo "" echo "make sure to recreate the docker-compose.yml after each change" echo " $ ./scripts/generate-compose" +if [ "$keycloak" == "y" ] +then + echo "" + echo "make sure to create the keycloak database before you start the container" + echo " $ ./scripts/setup-keycloak-database" +fi echo "" echo "to start bigbluebutton run" echo " $ docker compose up -d" diff --git a/scripts/setup-keycloak-database b/scripts/setup-keycloak-database new file mode 100755 index 00000000..adcc895e --- /dev/null +++ b/scripts/setup-keycloak-database @@ -0,0 +1,39 @@ +#!/bin/bash + +cd $(dirname $0)/.. + +function create_database { + while ! docker exec $1 nc -zw3 127.0.0.1 5432 + do + echo "Waiting for postgres to start up ..." + sleep 1 + done + DATABASE_EXISTS=$(docker exec -u postgres $1 psql -c '\l' | grep "$2") + if [ -z "$DATABASE_EXISTS" ] + then + docker exec -u postgres $1 psql -c "CREATE DATABASE $2;" + fi +} + +# load .env +. scripts/functions.sh +load_env + +KEYCLOAK_DATABASE='keycloakdb' + +COMPOSE_PREFIX=$(docker compose ps | grep postgres | awk '{print $1}' | sed 's/-postgres-1//') + +if [ -z "$COMPOSE_PREFIX" ] +then + docker run \ + --rm \ + --detach --name postgres_tmp \ + -e POSTGRES_DB=greenlight-v3 \ + -e POSTGRES_USER=postgres \ + -e POSTGRES_PASSWORD=${POSTGRESQL_SECRET:-password} \ + --volume ./postgres-data:/var/lib/postgresql/data \ + postgres:12-alpine + create_database 'postgres_tmp' "$KEYCLOAK_DATABASE" && docker stop postgres_tmp +else + create_database $(docker compose ps | grep postgres | awk '{print $1}') "$KEYCLOAK_DATABASE" +fi \ No newline at end of file
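Review bot: `DATABASE_EXISTS=$(docker exec -u postgres $1 psql -c '\l' | grep "$2")` in create_database is a substring match over the whole `\l` listing, so any database name, owner or description containing `keycloakdb` makes the check report the database as present and skip `CREATE DATABASE`; querying the catalog directly is exact: `DATABASE_EXISTS=$(docker exec -u postgres "$1" psql -tAc "SELECT 1 FROM pg_database WHERE datname='$2'")`. In the `-z "$COMPOSE_PREFIX"` branch, `create_database 'postgres_tmp' "$KEYCLOAK_DATABASE" && docker stop postgres_tmp` stops the temporary container only on success, so a failed create leaves a detached postgres_tmp running with the data volume mounted; stopping it unconditionally (`create_database 'postgres_tmp' "$KEYCLOAK_DATABASE"; docker stop postgres_tmp`) or an EXIT trap avoids that. The readiness loop `while ! docker exec $1 nc -zw3 127.0.0.1 5432` has no upper bound, and `$1`, `$(dirname $0)` and the `$(docker compose ps ...)` argument are unquoted throughout; `set -euo pipefail` plus quoting would be in keeping with a script that creates databases.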