diff --git a/ci-scripts/rhdh-setup/create_resource.sh b/ci-scripts/rhdh-setup/create_resource.sh
index fd1183a..cea6954 100755
--- a/ci-scripts/rhdh-setup/create_resource.sh
+++ b/ci-scripts/rhdh-setup/create_resource.sh
@@ -2,6 +2,8 @@
 
 export TMP_DIR WORKDIR
 
+POPULATION_CONCURRENCY=${POPULATION_CONCURRENCY:-10}
+
 TMP_DIR=${TMP_DIR:-$(readlink -m .tmp)}
 mkdir -p "$TMP_DIR"
 WORKDIR=$(readlink -m .)
@@ -19,6 +21,7 @@ keycloak_url() {
   if [ ! -f "$f" ]; then
     echo -n "https://$(oc get routes keycloak -n "${RHDH_NAMESPACE}" -o jsonpath='{.spec.host}')" >"$f"
   fi
+  flock -u 4
   cat "$f"
   set +x
 }
@@ -102,17 +105,18 @@ create_cmp() {
 
 create_group() {
   token=$(get_token)
+  groupname="group${0}"
   curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/groups" \
     -H 'Content-Type: application/json' \
     -H 'Authorization: Bearer '"$token" \
-    --data-raw '{"name": "group'"${0}"'"}'
+    --data-raw '{"name": "'"${groupname}"'"}'
 }
 
 create_groups() {
   echo "Creating Groups in Keycloak"
   refresh_pid=$!
   sleep 5
-  seq 1 "${GROUP_COUNT}" | xargs -n1 -P10 bash -c 'create_group'
+  seq 1 "${GROUP_COUNT}" | xargs -n1 -P"${POPULATION_CONCURRENCY}" bash -c 'create_group'
   kill $refresh_pid
 }
 
@@ -120,10 +124,12 @@ create_user() {
   token=$(get_token)
   grp=$(echo "${0}%${GROUP_COUNT}" | bc)
   [[ $grp -eq 0 ]] && grp=${GROUP_COUNT}
+  username="test${0}"
+  groupname="group${grp}"
   curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/users" \
     -H 'Content-Type: application/json' \
     -H 'Authorization: Bearer '"$token" \
-    --data-raw '{"firstName":"test'"${0}"'","lastName":"tester", "email":"test'"${0}"'@test.com", "enabled":"true", "username":"test'"${0}"'","groups":["/group'"${grp}"'"]}'
+    --data-raw '{"firstName":"'"${username}"'","lastName":"tester", "email":"'"${username}"'@test.com", "enabled":"true", "username":"'"${username}"'","groups":["/'"${groupname}"'"]}'
 }
 
 create_users() {
@@ -131,7 +137,7 @@ create_users() {
   export GROUP_COUNT
   refresh_pid=$!
   sleep 5
-  seq 1 "${BACKSTAGE_USER_COUNT}" | xargs -n1 -P10 bash -c 'create_user'
+  seq 1 "${BACKSTAGE_USER_COUNT}" | xargs -n1 -P"${POPULATION_CONCURRENCY}" bash -c 'create_user'
   kill $refresh_pid
 }
 
@@ -144,7 +150,7 @@ get_token() {
     echo "Failed to acquire lock"
     exit 1
   }
-  if [ ! -f "$token_file" ] || [ "$(date +%s)" -gt "$(jq -rc '.expires_in_timestamp' "$token_file")" ]; then
+  if [ ! -f "$token_file" ] || [ ! -s "$token_file" ] || [ "$(date +%s)" -gt "$(jq -rc '.expires_in_timestamp' "$token_file")" ]; then
     keycloak_pass=$(oc -n "${RHDH_NAMESPACE}" get secret credential-example-sso -o template --template='{{.data.ADMIN_PASSWORD}}' | base64 -d)
     curl -s -k "$(keycloak_url)/auth/realms/master/protocol/openid-connect/token" -d username=admin -d "password=${keycloak_pass}" -d 'grant_type=password' -d 'client_id=admin-cli' | jq -r ".expires_in_timestamp = $(date -d '30 seconds' +%s)" >"$token_file"
   fi
diff --git a/ci-scripts/rhdh-setup/deploy.sh b/ci-scripts/rhdh-setup/deploy.sh
index e3a18b2..b73fa59 100755
--- a/ci-scripts/rhdh-setup/deploy.sh
+++ b/ci-scripts/rhdh-setup/deploy.sh
@@ -90,8 +90,7 @@ keycloak_install() {
 # shellcheck disable=SC2016,SC1004
 backstage_install() {
     until envsubst <template/backstage/secret-rhdh-pull-secret.yaml | $clin apply -f -; do $clin delete secret rhdh-pull-secret; done
-    envsubst '${RHDH_NAMESPACE} ${OPENSHIFT_APP_DOMAIN}' <template/backstage/app-config.yaml >app-config.yaml
-    until $clin create configmap app-config-rhdh --from-file "app-config-rhdh.yaml=app-config.yaml"; do $clin delete configmap app-config-rhdh; done
+    until $clin create configmap app-config-rhdh --from-file "app-config-rhdh.yaml=template/backstage/app-config.yaml"; do $clin delete configmap app-config-rhdh; done
     envsubst <template/backstage/plugin-secrets.yaml | $clin apply -f -
     helm repo remove "${repo_name}" || true
     helm repo add "${repo_name}" "${RHDH_HELM_REPO}"
@@ -118,6 +117,7 @@ backstage_install() {
         ${RHDH_IMAGE_REGISTRY} \
         ${RHDH_IMAGE_REPO} \
         ${RHDH_IMAGE_TAG} \
+        ${RHDH_NAMESPACE} \
         ' <"$chart_values" | tee "$TMP_DIR/chart-values.yaml" | helm upgrade --install "${RHDH_HELM_RELEASE_NAME}" --devel "${repo_name}/${RHDH_HELM_CHART}" ${version_arg} -n "${RHDH_NAMESPACE}" --values -
     wait_to_start statefulset "${RHDH_HELM_RELEASE_NAME}-postgresql-read" 300 300
     wait_to_start deployment "${RHDH_HELM_RELEASE_NAME}-developer-hub" 300 300
diff --git a/ci-scripts/rhdh-setup/template/backstage/app-config.yaml b/ci-scripts/rhdh-setup/template/backstage/app-config.yaml
index 47d6d0a..1b31948 100644
--- a/ci-scripts/rhdh-setup/template/backstage/app-config.yaml
+++ b/ci-scripts/rhdh-setup/template/backstage/app-config.yaml
@@ -9,11 +9,17 @@ catalog:
   providers:
     keycloakOrg:
       default:
-        baseUrl: https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth
-        realm: backstage
-        loginRealm: backstage
-        clientId: backstage
+        baseUrl: ${KEYCLOAK_BASE_URL}
+        realm: ${KEYCLOAK_REALM}
+        loginRealm: ${KEYCLOAK_LOGIN_REALM}
+        clientId: ${KEYCLOAK_CLIENT_ID}
         clientSecret: ${KEYCLOAK_CLIENT_SECRET}
+        userQuerySize: 500
+        groupQuerySize: 500
+        schedule:
+          frequency: { minutes: 1 }
+          timeout: { minutes: 1 }
+          initialDelay: { seconds: 15 }
 enabled:
   github: true
   keycloak: true
diff --git a/ci-scripts/rhdh-setup/template/backstage/chart-values.image-override.yaml b/ci-scripts/rhdh-setup/template/backstage/chart-values.image-override.yaml
index 74c8de8..eec7716 100644
--- a/ci-scripts/rhdh-setup/template/backstage/chart-values.image-override.yaml
+++ b/ci-scripts/rhdh-setup/template/backstage/chart-values.image-override.yaml
@@ -2,6 +2,12 @@ global:
   clusterRouterBase: ${OPENSHIFT_APP_DOMAIN}
   imagePullSecrets:
     - rhdh-pull-secret
+  dynamic:
+    includes:
+      - dynamic-plugins.default.yaml
+    plugins:
+      - package: ./dynamic-plugins/dist/janus-idp-backstage-plugin-keycloak-backend-dynamic
+        disabled: false
 route:
   enabled: true
   host: "{{ .Values.global.host }}"
@@ -58,6 +64,17 @@ upstream:
           secretKeyRef:
             key: github.token
             name: "{{ .Release.Name }}-plugin-secrets"
+      - name: KEYCLOAK_BASE_URL
+        value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth"
+      - name: KEYCLOAK_LOGIN_REALM
+        value: "backstage"
+      - name: KEYCLOAK_REALM
+        value: "backstage"
+      - name: KEYCLOAK_CLIENT_ID
+        valueFrom:
+          secretKeyRef:
+            key: CLIENT_ID
+            name: keycloak-client-secret-backstage
       - name: KEYCLOAK_CLIENT_SECRET
         valueFrom:
           secretKeyRef:
diff --git a/ci-scripts/rhdh-setup/template/backstage/chart-values.yaml b/ci-scripts/rhdh-setup/template/backstage/chart-values.yaml
index 18500ee..2cb1666 100644
--- a/ci-scripts/rhdh-setup/template/backstage/chart-values.yaml
+++ b/ci-scripts/rhdh-setup/template/backstage/chart-values.yaml
@@ -2,6 +2,12 @@ global:
   clusterRouterBase: ${OPENSHIFT_APP_DOMAIN}
   imagePullSecrets:
     - rhdh-pull-secret
+  dynamic:
+    includes:
+      - dynamic-plugins.default.yaml
+    plugins:
+      - package: ./dynamic-plugins/dist/janus-idp-backstage-plugin-keycloak-backend-dynamic
+        disabled: false
 route:
   enabled: true
   host: "{{ .Values.global.host }}"
@@ -58,6 +64,17 @@ upstream:
           secretKeyRef:
             key: github.token
             name: "{{ .Release.Name }}-plugin-secrets"
+      - name: KEYCLOAK_BASE_URL
+        value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth"
+      - name: KEYCLOAK_LOGIN_REALM
+        value: "backstage"
+      - name: KEYCLOAK_REALM
+        value: "backstage"
+      - name: KEYCLOAK_CLIENT_ID
+        valueFrom:
+          secretKeyRef:
+            key: CLIENT_ID
+            name: keycloak-client-secret-backstage
       - name: KEYCLOAK_CLIENT_SECRET
         valueFrom:
           secretKeyRef: