Few infrastructure decisions carry more hidden weight in 2026 than the identity question: who manages your customers’ and employees’ logins, roles and sessions – and at what price? SaaS identity services bill per active user, which can turn growing portals into the most expensive line of the cloud bill. And they manage the most sensitive data asset there is: identities. Keycloak is the open-source answer to both.
Which products does Keycloak replace?
Keycloak takes over the identity layer: login and SSO across all applications, user and role management, MFA, self-service (password reset, profile) and federation of existing directories. Depending on your starting point, it substitutes very different systems:
| System | Model | When Keycloak is the alternative |
|---|---|---|
| Auth0 (Okta) | SaaS IdP, plans scale with monthly active users (MAU) | when user counts drive cost or data sovereignty is required |
| Okta Workforce | SaaS, priced per user/month | when you want workforce SSO without a per-head subscription |
| Microsoft Entra ID (B2C/External ID) | cloud IdP in the Microsoft ecosystem | when customer portals should run free of Microsoft coupling and pricing logic |
| AWS Cognito | cloud IdP, usage-based | when you want to avoid AWS lock-in or need flows beyond Cognito’s customisation limits |
| Firebase Auth | Google Cloud service | when the app prototype grows into a B2B product with roles, SSO and compliance requirements |
| Homegrown auth | self-built login/session logic | Keycloak replaces the riskiest build of all – security logic should not be handwritten |
For context: Keycloak does not replace your CRM or your application’s user data model – it is the authentication and authorisation layer in front of them. In our projects it often works alongside Supabase: Supabase Auth for lean single apps, Keycloak once SSO across multiple applications, directory federation or fine-grained roles come into play.
The advantages of an open-source IAM
- No per-user license costs: whether 1,000 or 500,000 users – software cost stays zero. With SaaS IdPs, the MAU bill is the biggest hidden scaling cost.
- Data sovereignty over your most sensitive asset: identities, credentials and sessions live on your EU infrastructure – no third-country transfers, short processing chains, full audit control.
- Full protocol and legacy breadth: OIDC, OAuth2 and SAML for modern and legacy systems alike, LDAP/Active Directory federation for existing directories.
- Customisable authentication flows: registration, step-up MFA, custom login journeys and server extensions (SPIs) – without waiting for a vendor roadmap.
- Exit security and governance: the service keeps running regardless of any vendor’s pricing or product moves – and as a CNCF project with Red Hat origins, Keycloak is unusually broadly backed.
- White-labelling included: login screens run under your brand and domain – no third-party badge at the most sensitive moment of the user relationship.
The architecture in 90 seconds
Keycloak organises identities in realms (separate tenants, e.g. customers vs. employees); applications connect as clients via OIDC or SAML. Existing user bases attach through user federation (LDAP, Active Directory), external identities join via identity brokering (e.g. “log in with Google” or a partner IdP). MFA, passkeys/WebAuthn and session management are core features; login themes and server extensions (SPIs) make flows and appearance customisable. Technically, Keycloak runs as a container on the Quarkus runtime – from a single instance to a highly available cluster.
When Keycloak fits – and when it does not
Honest is honest: a managed IdP is the right choice if no team can own operations – identity is critical infrastructure, and updates and availability are table stakes. For a single lean app, Supabase Auth is often enough. Keycloak plays to its strengths when SSO connects multiple applications, directories need federation, B2B portals require fine-grained roles, compliance demands data sovereignty – or the SaaS IdP’s MAU bill becomes a strategic burden.
Operations and cost for decision-makers
Open source shifts cost from licenses to project and operations: a Keycloak setup including integration ranges in our project classes from a focused MVP (€8,000–20,000) to a full portal integration (€20,000–60,000); EU operations sit in the low three-digit range per month. We have calculated what the stack really costs, transparently: Supabase and Keycloak – what this stack really costs (German).
How we combine Keycloak with Supabase and Next.js for B2B web apps is on our service page Supabase development.
