Keycloak IAM Guide: Open Source SSO & Identity Management
Quick Answer
Keycloak is the open-source identity and access management standard for modern applications. As a CNCF incubating project, it offers SAML 2.0, OIDC/OAuth2, social login, passkeys (v26+), and organizations—all with zero licensing costs for self-hosted deployments. It’s ideal for B2B SaaS, hybrid clouds, and organizations requiring data sovereignty.
Executive Summary
Keycloak has matured into a production-ready, enterprise-grade IAM solution that balances the flexibility of open-source with the capabilities required for complex enterprise deployments. Version 26.5.0 (January 2026) represents the culmination of rapid development focused on performance optimization and administrative scalability.
Key Specifications
| Attribute | Details |
|---|---|
| Official Name | Keycloak |
| Latest Version | 26.5.0 (January 06, 2026) |
| Project Governance | CNCF (Incubating) |
| Documentation | keycloak.org/documentation |
| License | Apache 2.0 (Keycloak), Commercial (Red Hat subscription) |
Core Architecture
Standalone Server Application
Keycloak is a standalone server application, not a framework-specific library or a backend-as-a-service (BaaS):
- Standalone: Runs as its own process and communicates with applications only through standard protocols (SAML, OIDC)
- Protocol Support: Full OpenID Connect and SAML 2.0 identity provider
- Centralized: Single sign-on (SSO) across diverse application stacks
Managed vs. Self-Hosted
| Deployment Model | Cost Structure | Best For |
|---|---|---|
| Self-Hosted (OSS) | $0 license, high operational cost | Large-scale, custom, data-sovereign apps |
| Managed Keycloak | Subscription-based | Small-to-medium teams seeking simplicity |
| Red Hat Build | Per CPU core | Enterprises requiring SLAs and official support |
Authentication Methods
Method Support Matrix
| Method | Support | Native Implementation |
|---|---|---|
| Email/Password | Yes | Native (argon2id hashing) |
| Magic Link | Yes | Native (flow-based) |
| Social Logins | Yes | Native (Google, GitHub, etc.) |
| SMS OTP | Yes | Extended (requires SPI) |
| Passkeys | Yes | Native (v23+ preview, v26+ full) |
| SAML | Yes | Native |
| Anonymous | Yes | Native (policy-driven) |
| MFA | Yes | Native (TOTP, WebAuthn, SMS) |
Feature Set
Core Features
| Feature | Status | Details |
|---|---|---|
| Session Management | Yes | Centralized monitoring and revocation |
| JWT Handling | Yes | Native issuance, signing, verification |
| RBAC | Yes | Realm Roles (global) and Client Roles (scoped) |
| Passwordless | Yes | WebAuthn, Passkeys, Magic Links |
| User Dashboard | Yes | Account Management Console for end-users |
| Email Templates | Yes | Customizable themes for registration/verification |
| Rate Limiting | Yes | Native brute force detection and request queuing |
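The JWT Handling and RBAC rows describe what a resource server has to do with a Keycloak access token: check the signature, issuer, audience and lifetime, then read roles from the realm-level `realm_access` claim and the client-scoped `resource_access` claim. The example below is an added illustration, not Keycloak project code. It assumes a constructed realm issuer URL, client ids and a shared secret, and it signs the sample token with HS256 so that it runs offline; Keycloak signs tokens with RS256 by default, and a real resource server verifies them against the realm's published keys instead of a shared secret.

```python
"""Validate a Keycloak-style access token and derive the caller's roles (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values: none of these come from the page or a real deployment.
ISSUER = "https://sso.example.test/realms/acme"   # Keycloak issuer is the realm URL
API_CLIENT_ID = "billing-api"                      # the resource server's own client id
SECRET = b"constructed-client-secret-not-for-real-use"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Produce a compact JWT signed with HS256 (offline stand-in for Keycloak's RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(Exception):
    """Raised for any token the resource server must refuse."""


def verify_access_token(token, secret, issuer, audience, now=None, leeway=30):
    """Return the claims of a valid access token or raise TokenError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the expected algorithm; never let the header choose it (rejects "none" and key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenError("signature mismatch")
    claims = json.loads(_b64url_decode(p64))
    # Keycloak marks access tokens typ=Bearer; ID and refresh tokens must not be accepted here.
    if claims.get("typ") != "Bearer":
        raise TokenError("not an access token")
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud", [])          # Keycloak emits aud as a string or a list
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise TokenError("token not issued for this audience")
    if claims.get("exp", 0) + leeway < now:
        raise TokenError("token expired")
    if claims.get("nbf", 0) - leeway > now:
        raise TokenError("token not yet valid")
    return claims


def effective_roles(claims, client_id):
    """Union of global realm roles and the roles scoped to this client."""
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    client_roles = set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return realm_roles | client_roles


def sample_token(now, lifetime=300):
    """Constructed token using Keycloak's default claim layout."""
    claims = {
        "iss": ISSUER, "sub": "constructed-user-id", "typ": "Bearer",
        "azp": "web-frontend",                 # client that requested the token
        "aud": ["billing-api", "account"],     # services the token may be presented to
        "iat": now, "exp": now + lifetime,
        "realm_access": {"roles": ["default-roles-acme", "offline_access", "uma_authorization"]},
        "resource_access": {"billing-api": {"roles": ["invoice:read"]},
                            "account": {"roles": ["manage-account"]}},
    }
    return sign_hs256(claims, SECRET)


if __name__ == "__main__":
    t = int(time.time())
    c = verify_access_token(sample_token(t), SECRET, ISSUER, API_CLIENT_ID, now=t)
    print(sorted(effective_roles(c, API_CLIENT_ID)))
```

Note that `effective_roles` deliberately ignores the roles granted to other clients (here `manage-account` on the `account` client): a client-scoped role means nothing to a service it was not scoped to. In production, replace the HS256 check with a JWT library that fetches the realm's keys from `/realms/<realm>/protocol/openid-connect/certs` and pins RS256.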
Authorization Services
Keycloak provides more than basic RBAC:
| Capability | Description |
|---|---|
| RBAC | Global Realm Roles and scoped Client Roles |
| ABAC/PBAC | Attribute-Based and Policy-Based access control |
| Fine-Grained Authorization | Complex permissions (e.g., "Can User X edit Document Y?") |
Deployment
Docker & Kubernetes Support
| Feature | Status |
|---|---|
| Docker Images | Official immutable images available |
| Kubernetes Operator | Automates deployment and management |
| Windows Service | Windows service support (v26.5.0+) |
High Availability
- Infinispan: Distributed caching and session synchronization
- Persistent Sessions: v26+ enables persistent sessions by default
- Multi-Site HA: Supports highly available multi-site deployments
Database Requirements
| Database | Support Level | Notes |
|---|---|---|
| PostgreSQL | Widely recommended | Supports RLS integration |
| MySQL/MariaDB | Fully supported | Standard production workloads |
| Microsoft SQL Server | Supported | Enterprise environments |
| Oracle | Supported | High-end enterprise deployments |
| H2 | Development/testing only | Not for production |
Pricing & Total Cost of Ownership
3-Year TCO Analysis (Self-Hosted)
| Cost Component | 3-Year Cost |
|---|---|
| Infrastructure | ~$45,000 (3 VMs + 2 DB/Proxy) |
| Operational Labor | ~$142,200 (3-12 hours/week maintenance) |
| Training & Integration | ~$12,000 - $24,000 |
| Total TCO | ~$199,200 |
Verdict: Self-hosted Keycloak is cost-effective for large-scale or data-sovereign applications, but expensive for small teams due to operational overhead.
SDK Availability
| Technology | Availability | Source |
|---|---|---|
| JavaScript | Native (keycloak-js) | Official |
| Node.js | Native adapter | Official |
| Java / Spring Boot | Native adapters / starters | Official |
| iOS / Android | AppAuth (recommended) | Recommended |
| React Native | Community (react-native-keycloak) | Community |
| Flutter | Community plugins | Community |
| Python / C# / Apache | Standard OIDC/SAML libraries | Standard |
Best For
- B2B SaaS with Multi-Tenancy: “Realms” and “Organizations” enable robust isolation
- Hybrid Cloud Environments: Unifying identities across on-prem AD and cloud OIDC
- Data-Sovereign Applications: Government, healthcare, finance requiring on-premise identity
- Mass-Market Consumer Apps: Millions of users where per-user licensing is prohibitive
Avoid For
- Small, Rapid Prototypes: Setup overhead is a distraction for quick launches
- Environments Requiring Native Webhooks: Native webhooks remain an open, high-priority feature request
- Teams Unwilling to Manage Infrastructure: A fully "No-Ops" model is incompatible with self-hosting
Limitations
- Complexity of Customization: SPI requires Java development expertise
- Lack of Native Webhooks: Requires custom Java-based SPIs (as of Jan 2026)
- Database Dependency: Performance sensitive to database latency; persistent sessions require DB uptime
- Operational Overhead: Requires certificate management, TLS, reverse proxies
Comparison
Keycloak vs. Auth0
| Aspect | Keycloak | Auth0 |
|---|---|---|
| Licensing | Free (self-hosted) | Expensive (per-MAU) |
| Self-Hosting | Native (Docker/K8s) | No |
| Setup | Complex | Fast, managed |
| Enterprise Features | Powerful but complex | Mature, documented |
| Customization | Unlimited (SPI) | Actions (Node.js serverless) |
Keycloak vs. Clerk
| Aspect | Keycloak | Clerk |
|---|---|---|
| Data Ownership | Your database | Clerk-hosted only |
| Pricing Model | Free (self-hosted) | Per-MAU |
| MFA | Native (TOTP, WebAuthn, SMS) | Native (TOTP, SMS) |
| SSO | Native (SAML/OIDC) | Paid add-on |
Conclusion
Keycloak stands as the premier open-source IAM solution for enterprises prioritizing data sovereignty, compliance, and cost control at scale. While it demands operational expertise, its zero-license-cost model makes it economically superior for applications with millions of users.
Verdict: Choose Keycloak for B2B SaaS, data-sovereign applications, and large-scale consumer apps where per-user costs would be prohibitive with SaaS providers. Choose managed alternatives (Clerk, WorkOS) for small teams requiring simplicity.
Last Updated: January 20, 2026
Research Source: Keycloak Authentication Provider Research