Keycloak
February 22, 2026
What it is
Keycloak is an open source identity and access management (IAM) platform from the Keycloak project (Red Hat). It acts as an identity provider (IdP) for single sign-on (SSO), supporting SAML 2.0, OpenID Connect (OIDC), and OAuth 2.0. You centralize user accounts, roles, and federation (LDAP, Active Directory, social login) in one place; applications delegate authentication to Keycloak.
Usage
- Workforce SSO — One login for internal apps (GitLab, Grafana, internal tools).
- Customer identity — User registration, login, and profile for your own apps (B2C/B2B).
- API security — Issue OAuth2/OIDC tokens for APIs and microservices.
- Federation — Connect to LDAP, Active Directory, or social IdPs (Google, GitHub).
Pros and cons
| Pros | Cons |
|---|---|
| Full SAML, OIDC, OAuth 2.0 support | Heavier footprint (JVM, DB); more ops |
| LDAP/AD integration out of the box | Admin console has a learning curve |
| Themes, custom flows, and extensions | Upgrades can require migration effort |
| Mature, Red Hat–backed, large community | Not ideal for tiny teams or homelab-only |
| Fine-grained authorization (RBAC, ABAC) | |
Why choose Keycloak over alternatives
- vs Authentik — Keycloak is more enterprise-oriented, with stronger LDAP/SAML and a longer track record.
- vs Zitadel — Keycloak is self-host–first and better for on-prem/air-gapped; Zitadel is more cloud-native and multi-tenant.
- vs Authelia — Keycloak is a full IdP; Authelia is a forward-auth layer in front of apps, not a replacement for an IdP.
Best when you need one IdP for many apps, SAML for legacy enterprise apps, or LDAP/AD sync.
Suggested tech stack
- Database: PostgreSQL or MySQL/MariaDB (Keycloak’s internal DB).
- Reverse proxy: Nginx, Traefik, or Caddy in front for TLS and routing.
- Containers: Run Keycloak in Docker/Kubernetes; use external DB and persistent volumes.
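To make the suggested stack concrete, here is an added example Docker Compose file (written for this note, not taken from the Keycloak project or its documentation). It runs Keycloak in production mode against an external PostgreSQL with a persistent volume, terminates TLS at a Caddy reverse proxy, and keeps Keycloak itself off the host network so the admin console is only reachable through the proxy. The hostname `auth.example.com`, the credential placeholders, the `Caddyfile` it mounts, and the variable names `KC_PROXY_HEADERS` and `KC_BOOTSTRAP_ADMIN_*` (which apply to recent Keycloak releases; older releases used `KC_PROXY=edge` and `KEYCLOAK_ADMIN*`) are assumptions to check against the documentation for the version you deploy.

```yaml
# Added example: Keycloak + PostgreSQL + Caddy (TLS termination).
# Assumed values: auth.example.com, the placeholder secrets, and a
# Caddyfile that does "reverse_proxy keycloak:8080" for that hostname.
services:
  db:
    image: postgres:16
    restart: unless-stopped
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: CHANGE_ME_DB_PASSWORD   # placeholder, use a secret store
    volumes:
      - pgdata:/var/lib/postgresql/data         # persistent DB state
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U keycloak -d keycloak"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks: [internal]

  keycloak:
    image: quay.io/keycloak/keycloak:26.0      # pin the version you test against
    restart: unless-stopped
    command: start                             # production mode, not start-dev
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://db:5432/keycloak
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: CHANGE_ME_DB_PASSWORD     # must match the db service
      KC_HOSTNAME: auth.example.com            # public hostname behind the proxy
      KC_HTTP_ENABLED: "true"                  # plain HTTP only on the internal network
      KC_PROXY_HEADERS: xforwarded             # trust X-Forwarded-* from Caddy
      KC_HEALTH_ENABLED: "true"
      KC_METRICS_ENABLED: "true"
      KC_BOOTSTRAP_ADMIN_USERNAME: admin        # first-boot admin; rotate after setup
      KC_BOOTSTRAP_ADMIN_PASSWORD: CHANGE_ME_ADMIN_PASSWORD
    depends_on:
      db:
        condition: service_healthy
    # No "ports:" here on purpose: 8080 is reachable only via the proxy,
    # so the admin console is never exposed directly on the host.
    networks: [internal]

  proxy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro    # assumed file: reverse_proxy keycloak:8080
      - caddy_data:/data                       # persists ACME certificates and keys
    networks: [internal]

volumes:
  pgdata:
  caddy_data:

networks:
  internal:
```

Two operational checks worth doing after the stack is up: confirm Keycloak reports the correct public URL in `https://auth.example.com/realms/master/.well-known/openid-configuration` (wrong proxy settings show up there as `http://` or an internal hostname), and consider restricting the `/admin` path in the proxy to trusted source addresses, since the bootstrap admin account is a high-value target.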
When to use it
- You have multiple apps (internal or customer-facing) that need SSO.
- You need SAML for legacy or enterprise apps (e.g. Salesforce, Workday).
- You want to federate with LDAP or Active Directory.
- You’re okay running and maintaining a JVM app and a database.
Comparison (Identity & SSO)
| Tool | SAML | OIDC | LDAP/AD | Multi-tenant | Typical use |
|---|---|---|---|---|---|
| Keycloak | ✅ | ✅ | ✅ | Via realms | Enterprise, on-prem, full IdP |
| Authentik | ✅ | ✅ | ✅ | Limited | SMB, modern UI, flows |
| Zitadel | ✅ | ✅ | ✅ | ✅ | SaaS, cloud-native IdP |
| Authelia | ❌ | ✅ | ✅ | N/A | Forward auth, homelab |
Links
- Homepage: https://www.keycloak.org/
- Documentation: https://www.keycloak.org/documentation
- Source: https://github.com/keycloak/keycloak