IAM/SSOOpen source · Apache-2.0
Keycloak
Community project
A self-hosted, Apache-licensed identity server supporting OIDC, SAML, LDAP and Active Directory federation, and built-in MFA. Keycloak moved from Red Hat stewardship to the CNCF in 2023; Red Hat also sells a supported downstream build.
Verified Source: 1
- Product type
- Community project
- Deployment
- On-prem
- Organization size
- SMBMid-marketEnterprise
- Pricing tier
- Free
How Keycloak measures up against the full Identity & Access Management / Single Sign-On taxonomy.
- Single sign-on — supported
- Lets users authenticate once to access many connected applications.
- Directory integration — supported
- Syncs users and groups with an existing directory like Active Directory or HR system.
- Adaptive / conditional access — not supported
- Adjusts login requirements based on device, location, and risk signals.
- Lifecycle provisioning — not supported
- Automatically grants and revokes app access as employees join, move, or leave.
- Multi-factor authentication support — supported
- Enforces a second factor at login as part of the sign-in flow.
- Audit logging — supported
- Records authentication and access events for security and compliance review.
- Pre-built app connectors — not supported
- Ships with ready-made SSO integrations for thousands of common apps.
Alternatives
Other Identity & Access Management / Single Sign-On tools with overlapping capabilities, sized for similar teams.
Appears in stacks
Real-world stacks that include Keycloak.