Keycloak
Open-source Java-based IDP. Enterprise-grade self-hosted SSO + SAML, heavy to operate.
Quick facts
- Category: Self-hosted
- Language: Java
- Pricing: Open source
- License: Apache-2.0
- Created: 2014
- GitHub stars: 26.8k
- HIPAA-eligible: Yes (BAA)
- SSO / SAML: Out of box
What it is
Keycloak is the open-source IDP backed by Red Hat. Enterprise-grade — SSO, SAML, OIDC, federation, fine-grained authorisation. Java-based, heavy to operate, comprehensive. Used heavily in government, large enterprise, and self-hosted-by-policy environments.
Best for
- Government / public sector with self-hosted-only requirements
- Large enterprises with existing Java + Red Hat stack
- Multi-tenant SaaS that wants identity in their own infrastructure
When not to pick it
Skip Keycloak for small teams — operational overhead is real. Skip if you do not need self-hosted; SaaS will save engineering time.
My take
Keycloak is the right answer for serious self-hosted SSO. The operational cost is real and the JVM footprint is heavy. For small / mid-market teams, SaaS auth wins.
Similar tools you should also consider
FusionAuth
Self-hosted auth from a US team. Lighter than Keycloak, paid for support, free for self-hosting.
Authentik
Modern open-source self-hosted IDP. Python-based, lighter than Keycloak.
Ory
Cloud-native open-source identity stack — Kratos (auth), Hydra (OAuth2), Keto (authorisation).
If Keycloak is your pick — the next conversation is short
The 30-min call is where your auth choice becomes a real architecture, a migration plan if you are switching, and a price range you can take to your stakeholders. Describe your stack, your scale, your compliance constraints. I tell you whether Keycloak is genuinely your fit.