
MANAGED KEYCLOAK

Managed Keycloak: SSO, MFA, and federation — without the per-user invoice.

Keycloak is the open-source IdP — and the Okta alternative — that Red Hat ships as its commercial single sign-on product. We deploy, host, and operate it in your cloud, tune the realms, run the cluster, and produce the audit evidence — so identity spend stops scaling with headcount.

What you get

The capability list, without the tier gates.

SSO across OIDC, OAuth 2.0, SAML 2.0

Spec-compliant tokens, single-sign-out, protocol mappers for every claim shape your apps demand. Same engine the commercial vendors compete with.

MFA in the base distribution

TOTP, WebAuthn / FIDO2, passkeys with conditional UI, recovery codes, and step-up auth via ACR-to-LoA — not gated behind an enterprise tier.

LDAP and Active Directory federation

Bidirectional sync, attribute mapping, scheduled re-sync, SSL-bound connections. The directory you already run stays the source of truth.

Identity brokering

Microsoft Entra ID, Google Workspace, GitHub, and arbitrary OIDC / SAML upstreams configured from the admin console — no code, no custom adapters.

Fine-grained authorization (UMA 2.0)

Resource-level policies — RBAC, ABAC, time-based, scripted — exposed via a policy decision endpoint your services call directly.

Realms, REST API, themes

Hard-isolated multi-tenancy via realms. Every UI action is API-addressable. FreeMarker themes give you a login screen that doesn't look like a vendor page.

Keycloak vs Okta / Auth0 / Entra ID

The honest comparison.

Per-user list pricing as published 2024–2025. Negotiated rates run lower; the curve direction does not change.

Capability             | Managed Keycloak                    | Okta Workforce                   | Auth0 (CIAM)                  | Microsoft Entra ID
Pricing model          | Flat managed retainer + cloud infra | Per-user/month, $1,500/yr min[5] | Per-MAU + tier jumps[7]       | Per-user/month (or M365 bundle)[8]
Entry SSO price        | Flat — no per-seat                  | ~$2/user/mo[5]                   | Free up to 25K B2C MAU[7]     | $6.00/user/mo (P1)[8]
MFA in base tier       | TOTP, WebAuthn/FIDO2, passkeys[3]   | Adaptive MFA in higher tiers[5]  | Yes (B2C); B2B varies by tier | P2 ($9/user/mo) for risk-based[8]
Pre-built integrations | Standards-based (any SAML/OIDC)     | 7,000+ in OIN[6]                 | SDK-led, 30+ languages[7]     | Deep M365 / Conditional Access
Source code access     | Apache 2.0 — full source            | Closed                           | Closed                        | Closed
Vendor lock-in         | None — you keep the stack           | Export project on exit           | Export project on exit        | Tied to Microsoft 365

More on the per-user math: how teams cut Okta pricing by moving SSO to managed Keycloak. Weighing the platforms feature by feature? Read Keycloak vs Okta: the full comparison.

How we operate

Four phases. One identity team.

01 Assess

Inventory every SSO-enabled app, document custom flows, map identity sources. Two-week engagement; no commitment beyond it.

02 Deploy

Three-node HA cluster in your cloud. Postgres Multi-AZ, Infinispan caches, JGroups discovery, health-gated load balancer.

03 Tune

SAML / OIDC integrations app by app. Adaptive auth flows, theme rebrand, SCIM connectors to the HRIS, audit-evidence pipeline.

04 Operate

Patch cadence on Keycloak, the JVM, and Postgres. CVE tracking, version upgrades, restore drills. Senior on-call, monthly posture report.

Switching from Okta — or any SSO

Migrate without betting the company on cutover day.

SSO is load-bearing: if it breaks, everyone is locked out of everything at once. So we never flip a switch. We prove the new system against your exact setup first, run it in parallel with your current identity provider, and move one application at a time — every step reversible.

  1. Proof of concept, in parallel — your production is never touched. We stand up Keycloak configured to your exact use case: your real applications, your protocols (SAML / OIDC), your LDAP / Active Directory federation, your MFA factors and access policies.
  2. Rigorous testing against that proof of concept. Every application login, token flow, MFA path, and rollback is validated before you commit to anything — whether you are coming from Okta, Microsoft Entra ID, Ping, OneLogin, ADFS, or Google Workspace.
  3. A written production migration plan. Built from the proven PoC, application by application, with every step independently reversible.
  4. A parallel production environment. Keycloak runs alongside your existing SSO. Applications cut over one at a time while both systems stay live — any single app can roll back to your old provider in minutes, and the rest are unaffected.

How much downtime? We will not say "zero." That is the line every vendor uses and no engineer believes. The honest answer: because the new SSO runs in parallel and applications move one at a time, there is no company-wide outage and no single cutover day. Each app moves on a window you schedule, and its users simply sign in once on the new path. The only place a short, planned maintenance window can be genuinely unavoidable is repointing a shared directory or a legacy app that cannot trust two identity providers at once — and we surface exactly those during the proof of concept, before you have committed to anything.

The full phased plan — Keycloak goes live behind Okta, apps move one at a time, then Okta is peeled away layer by layer, with the honest caveats: Okta → Keycloak migration, without a flag day →

Keycloak pricing — mid-tier ROI

1,000 users, 20 apps.

List-price comparison against the SKUs most mid-market workforces actually quote against. Negotiate downward as you see fit.

Annual run-rate, 1,000 users / 20 apps

Okta Workforce Starter Suite — 1,000 × $6 × 12[5]      | $72,000 / yr
Okta Workforce Essentials Suite — 1,000 × $17 × 12[5]  | $204,000 / yr
Microsoft Entra ID P2 — 1,000 × $9 × 12[8]             | $108,000 / yr
JumpCloud Plus — 1,000 × $21 × 12[10]                  | $252,000 / yr
ThinSky-managed Keycloak (AWS infra + retainer)[12]    | $45,000 – $75,000 / yr

AWS infra: 3-node Keycloak (m5.large) + Postgres Multi-AZ (db.m5.large) + NLB + observability ≈ $9K–$15K/yr. The managed-service retainer covers patch cadence, CVE tracking, restore drills, on-call, and the audit-evidence pipeline. The managed Keycloak line stays flat as headcount grows; the commercial lines do not.

Common questions

The objections, answered honestly.

Okta has 7,000+ integrations. Doesn't Keycloak fall short?

Yes — Okta's OIN is a real moat for long-tail SaaS with quirky federation. Keycloak speaks SAML 2.0 and OIDC fluently, so spec-compliant apps integrate quickly — typically a same-day exercise, not a project. For most mid-market estates the apps that matter are the standard 50–80 — all clean. If you're carrying 200+ niche SaaS tools and have zero engineering appetite to debug them, the OIN earns its line item.

Does Keycloak get a FedRAMP ATO?

FedRAMP authorises cloud service offerings, not software components — Keycloak itself doesn't carry an ATO. Keycloak can run inside a FedRAMP-authorised hosting environment as one component within that boundary; engagements in those regimes are scoped case-by-case. The IAM controls map to NIST SP 800-53 IA-family without modification.

We don't have JVM operators. Why pay for managed Keycloak instead of just buying SaaS?

Honest question. Keycloak runs well when someone owns the JVM, Postgres, Infinispan caches, and the Quarkus build pipeline — that labour market is not getting easier. The licence is free; the operations are real. Managed delivery is the lever. If your finance team genuinely doesn't notice the per-user line on a SaaS invoice, buy the SaaS.

What about the SSO tax SaaS vendors charge?

Switching IdPs doesn't lower it. Vendors that gate SAML behind enterprise tiers charge that markup whether you authenticate via Okta, Auth0, or Keycloak. What changes is the underlying IAM line — Keycloak removes the headcount-linked component, but the SSO surcharge is downstream of the IdP choice.

Auth0 ships an SDK in our language. What's the equivalent in Keycloak?

Keycloak is OIDC-spec-compliant, so any standard OIDC library works — that's the integration story. There's no equivalent of Auth0's hosted Universal Login as a service. For B2C apps under 25,000 MAU on Auth0's free tier, that DX is hard to beat. Past 25,000 MAU, the price-per-MAU curve is the conversation.
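What "any standard OIDC library works" means on the relying-party side is a fixed set of checks on the token Keycloak issues: discovery at the realm's well-known URL, the realm URL as issuer, an audience that names your client, expiry, and, for step-up, the acr claim the realm's ACR-to-LoA mapping produced. The example below is added here to show those checks end to end; it is not code from the page, from ThinSky, or from the Keycloak project. The realm name, client id and HMAC secret are constructed placeholders, and the token is HS256-signed so it runs offline with only the standard library (Keycloak offers HS256 as a realm signing algorithm, but its default is RS256, in which case the signature step swaps to a JWKS-backed verifier from your OIDC library). The numeric acr levels are also an assumption about how the realm's ACR-to-LoA mapping is configured.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values, not taken from the page: the realm name, client id and
# HMAC secret are hypothetical placeholders for an offline run.
KEYCLOAK_BASE = "https://sso.example.internal"
REALM = "workforce"
CLIENT_ID = "payroll-app"
DEMO_SECRET = b"constructed-demo-hs256-secret-do-not-reuse"


def discovery_url(base: str, realm: str) -> str:
    """Keycloak publishes OIDC discovery per realm under this well-known path."""
    return f"{base}/realms/{realm}/.well-known/openid-configuration"


def issuer(base: str, realm: str) -> str:
    """The 'iss' claim Keycloak stamps into a realm's tokens is the realm URL itself."""
    return f"{base}/realms/{realm}"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def demo_claims(now: int) -> dict:
    """Claims shaped like a Keycloak access token (constructed sample, 5-minute lifetime)."""
    return {
        "iss": issuer(KEYCLOAK_BASE, REALM),
        "sub": "f0e1d2c3-constructed-user-id",
        "aud": [CLIENT_ID, "account"],  # your client lands in aud via an audience protocol mapper
        "azp": CLIENT_ID,
        "typ": "Bearer",                # Keycloak marks access tokens 'Bearer', ID tokens 'ID'
        "iat": now,
        "exp": now + 300,
        "acr": "1",                     # LoA level from the realm's ACR-to-LoA mapping (assumed numeric)
    }


def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256-signed JWT for the offline demo (in production the IdP does this)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_access_token(token: str, client_id: str, required_loa: int = 0,
                          now=None, secret: bytes = DEMO_SECRET) -> dict:
    """Relying-party checks on a Keycloak access token; returns {ok, reason, claims}."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed", "claims": None}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        return {"ok": False, "reason": "malformed", "claims": None}
    # Pin the algorithm on the verifier side; never let the token's own header choose it.
    # That single rule is what rejects 'alg: none' and key-confusion tokens.
    if header.get("alg") != "HS256":
        return {"ok": False, "reason": "unexpected_alg", "claims": None}
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return {"ok": False, "reason": "bad_signature", "claims": None}
    # Signature holds; now every claim check is mandatory, not optional.
    if claims.get("typ") != "Bearer":
        return {"ok": False, "reason": "not_access_token", "claims": claims}
    if claims.get("iss") != issuer(KEYCLOAK_BASE, REALM):
        return {"ok": False, "reason": "wrong_issuer", "claims": claims}
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return {"ok": False, "reason": "expired", "claims": claims}
    if isinstance(claims.get("nbf"), int) and claims["nbf"] > now:
        return {"ok": False, "reason": "not_yet_valid", "claims": claims}
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # OIDC allows a bare string or a list
    if client_id not in aud:
        return {"ok": False, "reason": "wrong_audience", "claims": claims}
    try:  # step-up: compare the token's LoA against what this route demands
        loa = int(claims.get("acr", "0"))
    except ValueError:
        loa = 0
    if loa < required_loa:
        return {"ok": False, "reason": "insufficient_loa", "claims": claims}
    return {"ok": True, "reason": "ok", "claims": claims}


if __name__ == "__main__":
    now = int(time.time())
    token = mint_demo_token(demo_claims(now))
    print("discovery:", discovery_url(KEYCLOAK_BASE, REALM))
    print("ordinary login:", validate_access_token(token, CLIENT_ID, now=now)["reason"])
    print("step-up route:", validate_access_token(token, CLIENT_ID, required_loa=2, now=now)["reason"])
```

The step-up branch is the one worth keeping in mind when comparing against an SDK: a route that needs a stronger factor does not re-run MFA itself, it rejects the token with insufficient_loa and sends the user back to Keycloak with the higher acr_values, and the realm's authentication flow decides which factor that requires. The audience check only passes because the realm has an audience mapper adding the client to aud; without one you would see only azp, and checking azp alone is a weaker control.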

Who's on call when identity breaks at 2 a.m. — and what's the SLA?

A senior engineer, not a tier-1 queue. Support runs on contract-defined Sev-1 response targets — a 4-hour critical-incident response standard — with senior on-call and a monthly posture report. The engineers who built your realm hold the pager, so you're not re-explaining your setup to a stranger mid-outage. We don't publish a blanket uptime percentage we couldn't honour across every customer's own cloud; the SLA we sign is the response commitment, in writing.

Does running our own Keycloak hurt our SOC 2 or ISO 27001?

The opposite — it's operated to produce the evidence. Enforced MFA, quarterly access reviews, immutable audit logs, documented change management, and restore drills feed an audit-evidence pipeline mapped to the SOC 2 Trust Services Criteria and ISO 27001 Annex A. To be clear, this is your certification, not ours — ThinSky isn't selling a SOC 2 badge, we run the identity controls and hand your assessor the audit trail they ask for. Our compliance team does this across SOC 2, ISO 27001, GDPR, PIPEDA, and PCI DSS.

How does managed Keycloak compare to Okta pricing in 2026?

Okta's public pricing stacks per-user, per-tier: roughly $2/user/mo for SSO, $3 for adaptive MFA, $4 for Lifecycle Management, and $9 for Identity Governance — so a workforce running the four headline SKUs is around $18/user/mo, or $108K/yr at 500 users on list (per Okta's published pricing, June 2026). Managed Keycloak from ThinSky is flat: AWS infrastructure plus a managed-service retainer, indicatively $45K–$75K/yr at 1,000 users / 20 apps. The same Keycloak capabilities (SSO, MFA, SAML/OIDC, lifecycle) ship in the open-source distribution — there are no tier gates to unlock them. The break-even against Okta's stacked SKUs lands around 200–300 users; past that, the per-user curve and the flat curve diverge fast.

Can ThinSky migrate us from Okta to Keycloak without downtime?

Not zero — no honest engineer says zero — but no company-wide outage and no single cutover day. Keycloak goes live in parallel behind your existing Okta tenant, your SAML and OIDC apps reconnect one at a time, your LDAP/AD federation is re-pointed once and stays the source of truth, and lifecycle hooks (provisioning, deprovisioning, group sync) are rebuilt against the new IdP. Each app moves on a window you schedule and can roll back independently while every other app continues hitting Okta. Typical mid-market migrations land in 8–12 weeks end to end — assessment, parallel run, app-by-app cutover, then Okta peeled away. Full plan: see the Okta to Keycloak migration page.

What's included in ThinSky managed Keycloak hosting?

Three-node Keycloak HA cluster in your cloud (AWS, Azure, or GCP), Postgres Multi-AZ backend, NLB and observability stack; SSO across SAML 2.0, OIDC, and OAuth 2.0; MFA via TOTP, WebAuthn / FIDO2, and passkeys in the base distribution; LDAP and Active Directory federation; identity brokering to Entra ID, Google Workspace, GitHub, and arbitrary upstreams; lifecycle management and SCIM connectors to your HRIS; immutable audit logs forwarded to your SIEM (Splunk, Datadog, Sumo, Elastic); backup and restore drills; documented break-glass; Keycloak / JVM / Postgres patch cadence and CVE tracking; version upgrades with staged testing; senior on-call with contract-defined Sev-1 response targets; and a monthly posture report. The Keycloak instance lives in your cloud account — your data never leaves your boundary.

Pricing

Managed Keycloak vs Okta pricing 2026.

Okta's public pricing page (as of June 2026) stacks the workforce SKUs per user, per tier — not as a single line item. To get the capability set most teams actually deploy, you assemble them: SSO ($2/user/mo), Adaptive MFA ($3/user/mo), Lifecycle Management ($4/user/mo), and Identity Governance ($9/user/mo). For a 500-person workforce running the stack, that math lands around $18/user/mo, or roughly $108,000/yr at list — before negotiation, before SaaS-side SSO surcharges, before the connector add-ons. Managed Keycloak from ThinSky covers the same capability set on a flat managed retainer plus AWS infrastructure — no per-seat line on the invoice.

Capability                        | Okta Workforce (per user / mo) | Managed Keycloak (ThinSky)
SSO (SAML / OIDC)                 | ~$2                            | Included — flat
Adaptive MFA                      | ~$3                            | Included — flat
Lifecycle Management              | ~$4                            | Included — flat
Identity Governance               | ~$9                            | Included — flat
500-user annual run-rate (list)   | ~$108,000 / yr                 | $45,000 – $75,000 / yr

Okta per-tier list as published on okta.com/pricing, June 2026. Managed Keycloak figure includes AWS infrastructure (3-node HA, Postgres Multi-AZ, NLB, observability) plus ThinSky managed-service retainer. Quoted to your environment.

The structural difference is what compounds. Okta's per-user line grows with every hire; the managed Keycloak retainer does not. The break-even for the four-SKU Okta stack lands around 200–300 users — past that, every additional headcount widens the gap. The longer read on how those line items climb at scale: how Okta's pricing climbs past $100K/yr at scale.

Migration

Migrating from Okta to Keycloak.

Most of what you spent years configuring inside Okta stays the same on the Keycloak side. User identities and group memberships come over from your LDAP / Active Directory source of truth — those didn't live in Okta anyway, so the federation just re-points. SAML and OIDC apps reconnect against Keycloak using the same metadata exchange they used against Okta; the identifiers your SaaS vendors have on file are the only things that need updating, and they update one app at a time. Lifecycle hooks (provisioning, deprovisioning, group-based access) get rebuilt against Keycloak's admin REST API or SCIM connectors, depending on the downstream system. MFA enrolment carries over for WebAuthn / passkey factors; TOTP secrets re-enrol on first login.

ThinSky owns the operational layer of the cutover. We stand up Keycloak in your cloud configured to match your exact Okta realm — same apps, same federation, same authentication flows — and run it in parallel with your existing Okta tenant. Your applications move one at a time on windows you schedule. Any single app can roll back to Okta in minutes; the rest of the estate is untouched. Once every app has moved and stabilised, the Okta tenant is decommissioned. A typical mid-market Okta to Keycloak migration runs 8–12 weeks end to end, with no company-wide outage and no single cutover day.

What ThinSky handles: the deployment, the per-app reconfiguration, the lifecycle rebuild, the parallel-run plan, the rollback procedure, and the senior on-call coverage while both systems are live. What stays yours: the cloud account Keycloak runs in, the LDAP / AD that feeds it, and the audit trail at the end.

What's included

What managed Keycloak hosting includes.

Every line below is in the engagement scope by default. Managed Keycloak hosting is the Keycloak platform plus the operational layer it needs to run as a production identity provider — in your cloud account, with your audit data never leaving your boundary.

  • Three-node HA Keycloak cluster in your AWS, Azure, or GCP account, with Postgres Multi-AZ, Infinispan caches, JGroups discovery, and a health-gated load balancer.
  • SSO across SAML 2.0, OIDC, and OAuth 2.0 — spec-compliant tokens, single-sign-out, and protocol mappers for the claim shapes your apps expect.
  • MFA in the base distribution — TOTP, WebAuthn / FIDO2, passkeys with conditional UI, recovery codes, and step-up auth via ACR-to-LoA.
  • LDAP and Active Directory federation — bidirectional sync, attribute mapping, scheduled re-sync, SSL-bound connections.
  • Identity brokering to Microsoft Entra ID, Google Workspace, GitHub, and arbitrary OIDC / SAML upstreams.
  • Lifecycle management — SCIM connectors to your HRIS, just-in-time provisioning, scheduled access reviews, and deprovisioning workflows.
  • Immutable audit logs forwarded to your SIEM — Splunk, Datadog, Sumo Logic, or Elastic — in your chosen retention tier.
  • Backup, restore drills, and uptime monitoring against contract-defined Sev-1 response targets, with senior on-call coverage (not a tier-1 queue).
  • Version upgrades and security patching on Keycloak, the JVM, and Postgres — CVE tracking, staged upgrade testing, version pinning, and a monthly posture report.

The Keycloak instance lives in your cloud account. Your data never leaves your boundary. Excluded by default and quoted separately: bespoke realm modelling for very large IdP estates, custom SCIM connector development, and FedRAMP-bounded environment hardening.

Stop paying per seat for SAML.

Thirty minutes with a senior identity engineer. We'll model your five-year IAM run-rate against your actual hiring plan — not a brochure example.

Talk to an Identity Engineer →