Keycloak
The reference open source solution for authentication, SSO and identity management, sovereign and self-hostable.
Keycloak has become the open source standard for authentication, SSO (Single Sign-On) and enterprise identity management. Originally from Red Hat, now under CNCF stewardship, it covers OAuth2, OpenID Connect, SAML 2.0, LDAP/Active Directory federation and multi-tenancy. For an SMB that needs to centralize access (internal applications, customer portals, B2B partners), it's the credible and sovereign alternative to proprietary solutions (Auth0, Okta) without the per-user billing.
My take on Keycloak: it's the tool I deploy as soon as you have 3 or more applications to authenticate, or a need for cross-cutting SSO.
Its real strength is unifying heterogeneous identity systems: Identity Providers let you plug in Google, Microsoft, GitHub or any other OIDC/SAML source in minutes, and User Federation connects your existing LDAP or Active Directory directory in place, with no data migration.
Concretely, you bring the historical AD of your employees, your internal customer accounts and your partners' social logins under a single authentication plane: exactly what proprietary solutions (Auth0, Okta) charge a premium for. I point you to it whenever per-user cost becomes a concern: above 100-200 active users, Auth0/Okta quickly become more expensive than a well-operated self-hosted Keycloak.
- → 3 or more applications to authenticate with cross-cutting SSO
- → LDAP/Active Directory federation needed (enterprise with an existing directory)
- → Multi-tenant portal (customers, partners, providers with distinct roles)
- → Compliance or sovereignty requiring identity data hosted with you
- → Above 100-200 active users: significant savings vs Auth0/Okta
- × 1-2 simple applications without SSO: application middleware suffices
- × Team without a DevOps culture: Keycloak maintenance needs attention (updates, backups, monitoring)
- × Need for ultra-customized auth UX: Auth0/Clerk go further out of the box
- × Small project without a sovereignty constraint: the Auth0 free tier is enough up to 7,000 MAU
- Auth0 / Okta: SaaS without maintenance, a good choice under 100-200 active users or if you want zero infrastructure to manage
- Clerk: excellent auth UX for modern applications (Next.js, React); a younger SaaS but very polished
- Authentik: a more modern and lighter open source alternative to Keycloak, a good choice if starting fresh and not needing legacy SAML
- NextAuth / Auth.js: lightweight application-level auth for a single app, where Keycloak would be overkill
1. Container deployment (Docker, Kubernetes) with an externalized PostgreSQL database
2. Dedicated realm per project or per tenant: clean configuration isolation
3. Provider configuration (OIDC for web, SAML for legacy apps, LDAP for federation)
4. Custom themes for client branding on login pages
5. Automated realm backups + monitoring (Prometheus / Grafana): Keycloak is critical, so monitoring is non-negotiable
Keycloak or Auth0/Okta: how to choose?
Keycloak if you want control (data, flat cost, deep customization) and have a technical team to operate it. Auth0/Okta if you want SaaS without maintenance and the per-user cost remains acceptable. The economic tipping point sits around 100-200 active users: below that Auth0 stays competitive (often free), above it self-hosted Keycloak becomes significantly more economical.
How much does a Keycloak deployment cost?
For an initial deployment with 1-2 realms, 3-5 connected applications and simple LDAP federation: expect 2 to 5 days depending on complexity. For wider integration (multi-tenant, custom themes, legacy SAML), 5 to 10 days. Hosting is modest: a €15-40/month VPS suffices for thousands of users.
Is Keycloak really maintained long-term?
Yes. The project originated at Red Hat and was transferred to the CNCF (Cloud Native Computing Foundation) in 2023: neutral governance, a very active community, regular releases. Red Hat continues to fund development via its commercial offering (Red Hat build of Keycloak), but the open source project is independent and sustainable. Adoption is massive in large enterprises and the public sector.
Which applications can connect to Keycloak?
Practically all modern applications. Web side: Next.js, Symfony, Laravel, FastAPI, any framework supporting OIDC or OAuth2 (nearly all of them). Legacy side: SAML 2.0 covers most older enterprise apps. For mobile apps, the OAuth2 Authorization Code flow with PKCE is supported natively. Official SDKs exist for Java, JavaScript, Python, .NET and the main platforms.
And Keycloak's own security?
Keycloak is one of the most scrutinized attack targets in its domain, so its security is very closely watched. Essential best practices: run a maintained version (never an EOL release), restrict admin access to the internal network, TLS everywhere, audit log enabled, encrypted backups. Properly deployed, it is safer than custom auth; poorly deployed, it becomes a critical target. That is exactly the operational-discipline question.
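The Authorization Code flow with PKCE mentioned above for mobile apps, built against the OIDC endpoints Keycloak exposes per realm, as an added example that is not from the page (the hostname, realm name and client id are placeholders):

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed values for this example; replace with your own deployment.
KEYCLOAK_BASE = "https://sso.example.invalid"  # placeholder hostname
REALM = "customers"                            # hypothetical realm
CLIENT_ID = "mobile-app"                       # hypothetical public client
REDIRECT_URI = "com.example.app:/oauth2redirect"

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    """43-character code_verifier from 32 random bytes (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))

def make_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def realm_endpoint(kind: str) -> str:
    """Keycloak serves each realm's OIDC endpoints under /realms/<realm>/protocol/openid-connect/."""
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/{kind}"

def authorization_request(verifier: str, state: str) -> str:
    """Redirect URL the app opens: only the challenge leaves the device, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": make_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return realm_endpoint("auth") + "?" + urlencode(params)

def token_request(code: str, verifier: str, returned_state: str, expected_state: str):
    """Token-endpoint URL and form body; the verifier proves this app started the flow.
    A state mismatch means the code was not issued for our request: discard it."""
    if not secrets.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: discard the authorization response")
    body = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "code": code, "code_verifier": verifier}
    return realm_endpoint("token"), body
```

The verifier is generated fresh per login and kept on the device; Keycloak recomputes the S256 challenge at the token endpoint, so an intercepted authorization code alone is useless.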
A project involving Keycloak?
Describe your context: I'll suggest the right level of investment.