Alternative Authentification Method for Keycloak Needed?

What is Keycloak?

Keycloak is a well-known open-source Identity and Access Management (IAM) solution that provides authentication and authorization services for applications and services. Due to its open-source nature it is obvious that the software stack is developed, maintained, bug-fixed by the community, and can be used free of charge. Despite this fact, Keycloak serves as the foundation for the renowned commercial offering “Red Hat Single Sign-On.” At the same time, users themselves are responsible for operating and updating both Keycloak itself as well as the underlying infrastructure. Additionally, the user must take care of implementing customizations and adaptations. While Keycloak is often used in smaller deployments, users often complain about the limited scalability when IT environments grow over time.

Keycloak offers a basic and stable set of IAM features around Single Sign-On comprising:

• Basic functions with customization capabilities, e.g., for registration, login, password reset.
• Possibilities to add or change factors.
• Single-Sign-On functionality,
• Passwordless authentication,
• One-time Password (TOTP, HOTP),
• Multi-factor Authentication,
• Supports authentication protocols OpenID Connect, SAML 2.0, OAuth 2.0,
• WebAuthn (FIDO2, U2F),
• LDAP,
• Limited multi-tenancy functionality.

Are there any drawbacks to using Keycloak?

While Keycloak is a popular open-source library for Identity and Access Management, it does come with certain drawbacks that users should be aware of. One of the main limitations is that Keycloak does not offer any cloud service or managed services. This means that users are responsible for setting up and maintaining their own infrastructure. The managers responsible for such se-up often report of a very manual and complicated deployment process.

Another drawback is the lack of official support for Keycloak software. As an open-source project, it relies on community support, which may not always be readily available or timely. Users may have to rely on forums or online communities for help and assistance. Professional support from specialized consultancies is costly and potentially difficult to get if needed in an emergency case.

Keycloak is primarily designed as an authentication and authorization solution, which means that its feature set may be limited compared to more comprehensive identity management platforms. Users looking for advanced features such as customization, true multi-tenancy, or reliable zero-downtime deployments may find Keycloak itself lacking (e.g. Magic Links) in these areas. Some of this additional functionality may be made available by using third-party add-ons. Yet their integration demands patience as the user has to try them out in their own set-up until they are properly working. In particular, branding your own Keycloak solution with logos, texts, colors, language, and other customizations, or setting up rule sets and access rights for groups, special B2B scenarios, are hardly straightforward.

What’s more, scalability can be a concern with Keycloak. While it can handle small to medium-sized deployments effectively, larger-scale implementations (e.g., a couple of hundreds of realms) or directories may require additional configuration and optimization, may lead to a resource hungry environment at slow speed, or do not work out at all. Furthermore, multi-tenancy in a B2B environment does not exist and can only be somehow achieved by utilizing work-arounds with independent realms (directories/branches).

It’s important to consider these drawbacks when evaluating whether Keycloak is the right solution for your specific needs. While it offers flexibility and customization options as an open-source library, users should carefully assess their requirements and consider alternative solutions if they require cloud services, managed services, extensive support, future-proof scalability, or a broader range of features.

Next level Keycloak or Hosted Keycloak Services

Over time, as more and more customers requested an integrated managed operations model, some providers decided to support Keycloak users with an end-to-end Keycloak as-a-service model including operations and support. Consequently, the formerly open-source and free solution mutated to a paid model that nevertheless only tackles some of the disadvantages. Even though the drawbacks related to missing operations and support were eliminated, many other drawbacks rameain, such as limited scalability, a small feature set, or only basic customization capabilities. If you decide to use a hosted Keycloak service, please also make sure to check the GDPR-compliance of the service.

Keycloak: The Right Choice for You?

Keycloak is the perfect choice for organizations looking to build, adopt, and maintain their own Identity and Access Management (IAM) system based on an open-source software stack. The main pre-exquisite is that your organization has enough capable and available engineering and security experts to implement, manage, and support the company’s IAM set-up. As part of this, you should be ready to host your IAM solution yourself or look for a provider to do so. Other important factors you should consider, are

• wheter Keycloak offers all the features your organization needs in the specific way, your organization needs it,
• how much you want to grow in future, as Keycloak is not easy to scale,
• and how much you want to customize your solution.

In conclusion, Keycloak is a great solution for a limited number of use cases. However, if you do not have an experienced engineering and security team with free capacity available and do not exactly know about your future needs, it might be better to partner with a professional IAM provider, e.g., Engity.

The Comfortable Keycloak Alternative: Consider a Fully Integrated Cloud Based IAM Solution

The best alternative to the open-source Keycloak solution is a fully integrated and cloud native Identity and Access Management solution offering end-to-end service. Such an authentication solution should include at least the following features:

• Full feature set of all standard authentication methods, e.g., password, passwordless via Magic Link, SMS or Biometrics, Single Sign-on as well as Social Login functionality, multi-factor authentication, etc.,
• Standard built-in security set, e.g., strong password checker, breached password detection,
• Managed services including regular updates, bug-fixes and uploading of security patches,
• Target group specific operational model, e.g., for corporates or for the Mittelstand, start-ups and grown-ups,
• Future-proof through unlimited scalability,
• Various levels of support,
• Wide variety of branding and customization options across login screen, domains, access rules as well as grouping functionalities,
• Availability of customized solutions for special customer use cases, e.g., allowing user registration without existence of e-mails for all users,
• GDPR-compliance and guaranteed hosting on European servers.

Engity is such a fully integrated cloud based IAM provider with a special focus on the European Mittelstand, start-ups as well as grown-up. Furthermore, Engity has invented the so-called environment technology to support the flexible roll-out of various use cases within one database or directory. For more information about Engity’s product offering, please visit our homepage.

What are the Differences between Keycloak & fully integrated cloud based IAM solutions?

Keycloak and fully integrated IAM vendors, e.g., Engity, have completely different approaches and philosophies about how to tackle online authentication, its operations, software support, scalability as well as further development of new features (e.g. environment technologies, login without personal e-mail) and straightforward usability and feasibility.

Keycloak is an open-source project that relies on a community to update, bugfix and further develop the code. It provides the user with a limited unmanaged feature set with only modest scalability and only without warranties, operations, maintenance and support and legal compliance services. To run Keycloak successfully, a user needs deep knowledge of authentication and security services or must hire an experienced & expensive consultancy to set up and run the IAM environment for them.

In contrast, professional IAM-providers support their customers not only with a feature-rich and innovative feature set but also provide a hassle-free end-to-end cloud-based operational model including hosting, maintenance, bug-fixing, and support. Additionally, users should consider the long term (GDPR-)compliance fo the solution they chose.

From our point of view, these are clear differentiating arguments making Engity as fully integrated IAM provider the better alternative than using Keycloak itself.

Conclusion

The above blog article has shown that fully integrated IAM solutions are often the better alternative to using open-source self-hosted Keyclock software without support, limited scalability, and branding. If you would like to discuss further how to use Engity as an Keycloak alternative or how a migration path might look like, please feel free to contact us.