
Keycloak

February 22, 2026

What it is

Keycloak is an open source identity and access management (IAM) platform from the Keycloak project (Red Hat). It acts as an identity provider (IdP) for single sign-on (SSO), supporting SAML 2.0, OpenID Connect (OIDC), and OAuth 2.0. You centralize user accounts, roles, and federation (LDAP, Active Directory, social login) in one place; applications delegate authentication to Keycloak.

Usage

  • Workforce SSO — One login for internal apps (GitLab, Grafana, internal tools).
  • Customer identity — User registration, login, and profile for your own apps (B2C/B2B).
  • API security — Issue OAuth2/OIDC tokens for APIs and microservices.
  • Federation — Connect to LDAP, Active Directory, or social IdPs (Google, GitHub).

Pros and cons

Pros

  • Full SAML, OIDC, OAuth 2.0 support
  • LDAP/AD integration out of the box
  • Themes, custom flows, and extensions
  • Mature, Red Hat–backed, large community
  • Fine-grained authorization (RBAC, ABAC)

Cons

  • Heavier footprint (JVM, DB); more ops
  • Admin console has a learning curve
  • Upgrades can require migration effort
  • Not ideal for tiny teams or homelab-only

Why choose Keycloak over alternatives

  • vs Authentik — Keycloak is more enterprise-oriented, with stronger LDAP/SAML and a longer track record.
  • vs Zitadel — Keycloak is self-host–first and better for on-prem/air-gapped; Zitadel is more cloud-native and multi-tenant.
  • vs Authelia — Keycloak is a full IdP; Authelia is a forward-auth layer in front of apps, not a replacement for an IdP.

Best when you need one IdP for many apps, SAML for legacy enterprise apps, or LDAP/AD sync.

Suggested tech stack

  • Database: PostgreSQL or MySQL/MariaDB as Keycloak’s backing store (the embedded H2 database used by dev mode is not for production).
  • Reverse proxy: Nginx, Traefik, or Caddy in front for TLS termination and routing; Keycloak must then be configured with its public hostname and told to trust the proxy’s X-Forwarded-* headers, or it will generate wrong issuer and redirect URLs.
  • Containers: Run Keycloak in Docker/Kubernetes in production mode (`start`, not `start-dev`); use an external DB and persistent volumes.
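The stack above as a Docker Compose file. This is an added example, not a file from the page or from the Keycloak project: the hostname sso.example.com, the 172.20.0.0/16 compose subnet, the volume names and the values read from .env are assumptions to replace for your environment. It shows the three settings people most often get wrong when Keycloak sits behind a TLS-terminating proxy (public hostname, plain HTTP on the inside, trusted proxy headers) and keeps the database and Keycloak’s port 8080 off the host.

```yaml
# Added example (not the page's or the Keycloak project's own file).
# Assumed: hostname sso.example.com, subnet 172.20.0.0/16, secrets in .env.
services:
  db:
    image: postgres:16
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: ${KC_DB_PASSWORD}   # from .env, never written into this file
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U keycloak -d keycloak"]
      interval: 10s
      timeout: 5s
      retries: 5
    # No "ports:" entry: the database is reachable only on the compose network.

  keycloak:
    image: quay.io/keycloak/keycloak:26.0
    command: ["start"]      # production mode; "start-dev" must never face the internet
    depends_on:
      db:
        condition: service_healthy
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://db:5432/keycloak
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: ${KC_DB_PASSWORD}
      # Public URL users and applications see. Keycloak embeds it in the OIDC
      # issuer, discovery document and redirect URLs, so it must match the proxy.
      KC_HOSTNAME: https://sso.example.com
      # TLS terminates at the proxy, so Keycloak itself listens on plain HTTP ...
      KC_HTTP_ENABLED: "true"
      # ... and must read X-Forwarded-* to recover scheme, host and client IP.
      KC_PROXY_HEADERS: xforwarded
      # Only honour those headers from the proxy's network (assumed subnet),
      # so a client that reaches 8080 directly cannot spoof its address.
      KC_PROXY_TRUSTED_ADDRESSES: 172.20.0.0/16
      KC_HEALTH_ENABLED: "true"
      # Creates a temporary admin on first start. Log in, create a permanent
      # admin user, then remove these two variables.
      KC_BOOTSTRAP_ADMIN_USERNAME: ${KC_BOOTSTRAP_ADMIN_USERNAME}
      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD}
    # No "ports:" entry: 8080 is reached only through the proxy.

  proxy:
    image: caddy:2
    # Caddy obtains a certificate for the assumed hostname, terminates TLS and
    # sets X-Forwarded-For / X-Forwarded-Proto / X-Forwarded-Host by default.
    command: ["caddy", "reverse-proxy", "--from", "sso.example.com", "--to", "keycloak:8080"]
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - caddy_data:/data   # persists ACME account and certificates

volumes:
  pgdata:
  caddy_data:

networks:
  default:
    ipam:
      config:
        - subnet: 172.20.0.0/16   # pinned so KC_PROXY_TRUSTED_ADDRESSES is meaningful
```

Bring it up with `docker compose up -d` after writing the three secrets to `.env`. A quick check that the proxy settings are right: `https://sso.example.com/realms/master/.well-known/openid-configuration` must report `https://sso.example.com/realms/master` as the issuer; if it shows `http://` or the container hostname, the hostname or proxy-header settings are wrong and every client integration will fail on issuer mismatch. `KC_PROXY_TRUSTED_ADDRESSES` is a Keycloak 26 option; on older releases drop that line and make sure nothing but the proxy can reach port 8080.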

When to use it

  • You have multiple apps (internal or customer-facing) that need SSO.
  • You need SAML for legacy or enterprise apps (e.g. Salesforce, Workday).
  • You want to federate with LDAP or Active Directory.
  • You’re okay running and maintaining a JVM app and a database.

Comparison (Identity & SSO)

Tool       SAML  OIDC  LDAP/AD  Multi-tenant                 Typical use
Keycloak   yes   yes   yes      Via realms (or Organizations) Enterprise, on-prem, full IdP
Authentik  yes   yes   yes      Limited                      SMB, modern UI, flows
Zitadel    yes   yes   yes      yes                          SaaS, cloud-native IdP
Authelia   no    yes   yes      N/A                          Forward auth, homelab

Links