Keycloak
Capability scores
- Authentication: 4.5
- SSO & Federation: 4.5
- Authorization: 4.0
- Lifecycle & Provisioning: 3.5
- MFA & Passwordless: 4.0
- Governance & Audit: 3.5
- Developer Experience: 3.5
- Deployment Flexibility: 5.0
- Pricing Transparency: 5.0
- Support & Ecosystem: 3.5
Scored 0–5 against a published rubric. Independent analysis, no vendor sponsorship.
Overview
Keycloak is the most widely deployed open-source identity and access management server, now a CNCF project with Red Hat as primary sponsor. It provides SSO, OIDC and SAML federation, user federation, social login, and fine-grained authorization out of the box, all self-hosted and free of license fees.
Capability deep-dive
Keycloak's strengths are protocol coverage and flexibility: OIDC, SAML, and OAuth2 are mature, MFA and (increasingly) passkey support are solid, and authorization services plus custom SPIs let you extend almost anything. Realms make multi-tenant setups practical. The trade-offs are operational. You own scaling, high availability, upgrades, and database tuning, and major version jumps (such as the move to Quarkus) have required real migration effort. Lifecycle provisioning and governance reporting are weaker than commercial IGA tools, and the admin console, while capable, has rough edges. With competent platform engineers it is excellent value; without them it can become a maintenance burden.
Pricing
Free and open source under the Apache 2.0 license; self-hosting carries no license cost. Commercial support with SLAs is available through the Red Hat build of Keycloak and from various third parties.
Bottom line
The default open-source IdP for teams that can run it, offering commercial-grade features at zero license cost. Budget for the operational work it requires.