What is Keycloak? Open-Source Identity & Access Management Explained (2026)

Keycloak replaces Auth0, Okta & co. as self-hosted identity and access management – without per-user license costs. What the open-source IAM means for decision-makers: substitution, advantages, GDPR, cost.
3 min readMatthias RadscheitMatthias Radscheit
Happycodingen-US

TL;DR

Keycloak is an open-source identity and access management (IAM) system: single sign-on, user and role management, OIDC/OAuth2/SAML and AD/LDAP federation – operated by you instead of rented. It replaces per-user licensed identity services like Auth0, Okta or Azure AD B2C. Three things matter for decision-makers: costs do not scale with user count, identity data stays on your own EU infrastructure (GDPR), and as a CNCF project with Red Hat origins its future is unusually well secured. Managed IdPs remain right for small teams without ops capacity.

  • Keycloak replaces identity SaaS like Auth0, Okta, Azure AD B2C, AWS Cognito – and the riskiest option of all, homegrown auth.
  • The cost-model difference: no license, no fee per monthly active user – the decisive lever at five- to six-digit user counts.
  • Identity data (your most sensitive asset) stays self-hosted on EU infrastructure – GDPR solved structurally, not contractually.
  • Full protocol breadth: OIDC, OAuth2, SAML, LDAP/Active Directory federation – legacy applications included.
  • The honest limit: without ops ownership (updates, HA, monitoring), a managed IdP is the safer path.
Definition: Keycloak
Keycloak is an open-source identity and access management (IAM) system: single sign-on, user management, roles and permissions, multi-factor authentication and identity brokering via OIDC, OAuth2 and SAML – self-hostable on your own infrastructure, created at Red Hat and today a Cloud Native Computing Foundation (CNCF) project.

Few infrastructure decisions carry more hidden weight in 2026 than the identity question: who manages your customers’ and employees’ logins, roles and sessions – and at what price? SaaS identity services bill per active user, which can turn growing portals into the most expensive line of the cloud bill. And they manage the most sensitive data asset there is: identities. Keycloak is the open-source answer to both.

Which products does Keycloak replace?

Keycloak takes over the identity layer: login and SSO across all applications, user and role management, MFA, self-service (password reset, profile) and federation of existing directories. Depending on your starting point, it substitutes very different systems:

SystemModelWhen Keycloak is the alternative
Auth0 (Okta)SaaS IdP, plans scale with monthly active users (MAU)when user counts drive cost or data sovereignty is required
Okta WorkforceSaaS, priced per user/monthwhen you want workforce SSO without a per-head subscription
Microsoft Entra ID (B2C/External ID)cloud IdP in the Microsoft ecosystemwhen customer portals should run free of Microsoft coupling and pricing logic
AWS Cognitocloud IdP, usage-basedwhen you want to avoid AWS lock-in or need flows beyond Cognito’s customisation limits
Firebase AuthGoogle Cloud servicewhen the app prototype grows into a B2B product with roles, SSO and compliance requirements
Homegrown authself-built login/session logicKeycloak replaces the riskiest build of all – security logic should not be handwritten

For context: Keycloak does not replace your CRM or your application’s user data model – it is the authentication and authorisation layer in front of them. In our projects it often works alongside Supabase: Supabase Auth for lean single apps, Keycloak once SSO across multiple applications, directory federation or fine-grained roles come into play.

The advantages of an open-source IAM

  • No per-user license costs: whether 1,000 or 500,000 users – software cost stays zero. With SaaS IdPs, the MAU bill is the biggest hidden scaling cost.
  • Data sovereignty over your most sensitive asset: identities, credentials and sessions live on your EU infrastructure – no third-country transfers, short processing chains, full audit control.
  • Full protocol and legacy breadth: OIDC, OAuth2 and SAML for modern and legacy systems alike, LDAP/Active Directory federation for existing directories.
  • Customisable authentication flows: registration, step-up MFA, custom login journeys and server extensions (SPIs) – without waiting for a vendor roadmap.
  • Exit security and governance: the service keeps running regardless of any vendor’s pricing or product moves – and as a CNCF project with Red Hat origins, Keycloak is unusually broadly backed.
  • White-labelling included: login screens run under your brand and domain – no third-party badge at the most sensitive moment of the user relationship.

The architecture in 90 seconds

Keycloak organises identities in realms (separate tenants, e.g. customers vs. employees); applications connect as clients via OIDC or SAML. Existing user bases attach through user federation (LDAP, Active Directory), external identities join via identity brokering (e.g. “log in with Google” or a partner IdP). MFA, passkeys/WebAuthn and session management are core features; login themes and server extensions (SPIs) make flows and appearance customisable. Technically, Keycloak runs as a container on the Quarkus runtime – from a single instance to a highly available cluster.

When Keycloak fits – and when it does not

Honest is honest: a managed IdP is the right choice if no team can own operations – identity is critical infrastructure, and updates and availability are table stakes. For a single lean app, Supabase Auth is often enough. Keycloak plays to its strengths when SSO connects multiple applications, directories need federation, B2B portals require fine-grained roles, compliance demands data sovereignty – or the SaaS IdP’s MAU bill becomes a strategic burden.

Operations and cost for decision-makers

Open source shifts cost from licenses to project and operations: a Keycloak setup including integration ranges in our project classes from a focused MVP (€8,000–20,000) to a full portal integration (€20,000–60,000); EU operations sit in the low three-digit range per month. We have calculated what the stack really costs, transparently: Supabase and Keycloak – what this stack really costs (German).

How we combine Keycloak with Supabase and Next.js for B2B web apps is on our service page Supabase development.

Frequently asked questions

Can Keycloak be operated in a GDPR-compliant way?
Yes – structurally more easily than any US identity service: Keycloak runs self-hosted on EU infrastructure; identity data, credentials and sessions stay fully under your responsibility with no third-country transfer. What remains are the services you choose to connect. We typically operate Keycloak on Hetzner in Germany – including audit logging for evidence obligations.
What does Keycloak really cost?
The software: nothing – no license, no per-user fee. What you actually budget is setup and operations: a focused setup from €8,000–20,000, a full portal integration €20,000–60,000, operations in the low three-digit monthly range. The benchmark: SaaS IdPs bill per active user – as portals grow, so does the invoice.
Which systems does Keycloak replace, concretely?
Identity SaaS like Auth0, Okta, Microsoft Entra External ID (Azure AD B2C), AWS Cognito or Firebase Auth – and homegrown auth. It does not replace your application’s user data model or a CRM: Keycloak is the authentication and authorisation layer in front of them.
How future-proof is Keycloak – what if the project ends?
Keycloak is among the most broadly backed open-source projects in its class: created at Red Hat, a Cloud Native Computing Foundation project since 2023, with a large community and commercial backing (Red Hat Build of Keycloak). And even in the extreme case, the open-source advantage holds: your deployment keeps running, and migrations happen on your terms.
Does Keycloak support MFA, passkeys and modern security standards?
Yes: multi-factor authentication (TOTP, WebAuthn), passkeys, brute-force protection, session policies and step-up authentication are core features. Add fine-grained authorisation and customisable authentication flows – for example different requirements per application or user group.
How does Keycloak integrate with Active Directory and legacy systems?
Through user federation, Keycloak attaches existing LDAP and Active Directory directories – users remain mastered in the directory, SSO comes on top. For applications, protocol breadth is what counts: modern apps speak OIDC, older enterprise systems SAML – Keycloak serves both simultaneously.
How much effort is a migration from Auth0, Okta or Cognito?
Plannable: user bases can be exported and imported; Keycloak takes over password hashes directly depending on the source format, or via gradual migration at first login. The real work is in the clients (redirect URIs, token claims, role mapping) – manageable per application, in total a question of how many applications you have.
Do we need our own team to operate it?
No, but you need clear ownership: identity is critical infrastructure – updates, availability and monitoring must be covered. Either your team takes over after handover and training, or operations run through a technical retainer. Without either, a managed IdP is the more honest choice.

Sources

Related articles

Open for select projects

Let's talk about your project

Book a no-obligation call, send us an email, or use the form – we'd love to hear from you.

150+
Completed projects
15
Years of experience
8
Senior‑level team members