MANAGED KEYCLOAK
SSO, MFA, and federation — without the per-user invoice.
Keycloak is the open-source IdP behind half the commercial offerings you've been quoted against. We deploy it in your cloud, tune the realms, run the cluster, and produce the audit evidence — so identity stops scaling with headcount.
What you get
The capability list, without the tier gates.
SSO across OIDC, OAuth 2.0, SAML 2.0
Spec-compliant tokens, single-sign-out, protocol mappers for every claim shape your apps demand. Same engine the commercial vendors compete with.
MFA in the base distribution
TOTP, WebAuthn / FIDO2, passkeys with conditional UI, recovery codes, and step-up authentication via ACR-to-Level-of-Assurance (LoA) mapping — not gated behind an enterprise tier.
LDAP and Active Directory federation
Bidirectional sync, attribute mapping, scheduled re-sync, TLS-protected connections (LDAPS / StartTLS). The directory you already run stays the source of truth.
Identity brokering
Microsoft Entra ID, Google Workspace, GitHub, and arbitrary OIDC / SAML upstreams configured from the admin console — no code, no custom adapters.
Fine-grained authorization (UMA 2.0)
Resource-level policies — RBAC, ABAC, time-based, scripted — exposed via a policy decision endpoint your services call directly.
Realms, REST API, themes
Hard-isolated multi-tenancy via realms. Every UI action is API-addressable. FreeMarker themes give you a login screen that doesn't look like a vendor page.
Keycloak vs Okta / Auth0 / Entra ID
The honest comparison.
Per-user list pricing as published 2024–2025. Negotiated rates run lower; the curve direction does not change.
| Capability | Managed Keycloak | Okta Workforce | Auth0 (CIAM) | Microsoft Entra ID |
|---|---|---|---|---|
| Pricing model | Flat managed retainer + cloud infra | Per-user/month, $1,500/yr min[5] | Per-MAU + tier jumps[7] | Per-user/month (or M365 bundle)[8] |
| Entry SSO price | Flat — no per-seat | ~$2/user/mo[5] | Free up to 25K B2C MAU[7] | $6.00/user/mo (P1)[8] |
| MFA in base tier | TOTP, WebAuthn/FIDO2, passkeys[3] | Adaptive MFA in higher tiers[5] | Yes (B2C); B2B varies by tier | P2 ($9/user/mo) for risk-based[8] |
| Pre-built integrations | Standards-based (any SAML/OIDC) | 7,000+ in OIN[6] | SDK-led, 30+ languages[7] | Deep M365 / Conditional Access |
| Source code access | Apache 2.0 — full source | Closed | Closed | Closed |
| Vendor lock-in | None — you keep the stack | Export project on exit | Export project on exit | Tied to Microsoft 365 |
How we operate
Four phases. One identity team.
Assess
Inventory every SSO-enabled app, document custom flows, map identity sources. Two-week engagement; no commitment beyond it.
Deploy
Three-node HA cluster in your cloud. Postgres Multi-AZ, Infinispan caches, JGroups discovery, health-gated load balancer.
Tune
SAML / OIDC integrations app by app. Adaptive auth flows, theme rebrand, SCIM connectors to the HRIS, audit-evidence pipeline.
Operate
Patch cadence on Keycloak, the JVM, and Postgres. CVE tracking, version upgrades, restore drills. Senior on-call, monthly posture report.
ROI — mid-tier
1,000 users, 20 apps.
List-price comparison against the SKUs most mid-market workforces actually quote against. Negotiate downward as you see fit.
Annual run-rate, 1,000 users / 20 apps
| Option (list-price math) | Annual run-rate |
|---|---|
| Okta Workforce Starter Suite — 1,000 × $6 × 12[5] | $72,000 / yr |
| Okta Workforce Essentials Suite — 1,000 × $17 × 12[5] | $204,000 / yr |
| Microsoft Entra ID P2 — 1,000 × $9 × 12[8] | $108,000 / yr |
| JumpCloud Plus — 1,000 × $21 × 12[10] | $252,000 / yr |
| ThinSky-managed Keycloak (AWS infra + retainer)[12] | $45,000 – $75,000 / yr |
AWS infra: 3-node Keycloak (m5.large) + Postgres Multi-AZ (db.m5.large) + NLB + observability ≈ $9K–$15K/yr. The managed-service retainer covers patch cadence, CVE tracking, restore drills, on-call, and the audit-evidence pipeline. The Keycloak line has no per-user component, so it stays flat as headcount grows; the commercial lines scale with every seat added.
Common questions
The objections, answered honestly.
Okta has 7,000+ integrations. Doesn't Keycloak fall short?
Yes — Okta's OIN is a real moat for long-tail SaaS with quirky federation. Keycloak speaks SAML 2.0 and OIDC fluently, so any spec-compliant app integrates in under an hour. For most mid-market estates the apps that matter are the standard 50–80, all of which integrate cleanly. If you're carrying 200+ niche SaaS tools and have zero engineering appetite to debug them, the OIN earns its line item.
Does Keycloak get a FedRAMP ATO?
FedRAMP authorises cloud service offerings, not software components. Keycloak itself doesn't carry an ATO. ThinSky-managed deployments stand up inside a FedRAMP-authorised hosting environment (AWS GovCloud, Azure Government, GCP for Government) as one component within that authorisation boundary. The IAM controls map to NIST SP 800-53 IA-family without modification.
We don't have JVM operators. Why pay for managed Keycloak instead of just buying SaaS?
Honest question. Keycloak runs well when someone owns the JVM, Postgres, Infinispan caches, and the Quarkus build pipeline — that labour market is not getting easier. The licence is free; the operations are real. Managed delivery is the lever. If your finance team genuinely doesn't notice the per-user line on a SaaS invoice, buy the SaaS.
What about the SSO tax SaaS vendors charge?
Switching IdPs doesn't lower it. Vendors that gate SAML behind enterprise tiers charge that markup whether you authenticate via Okta, Auth0, or Keycloak. What changes is the underlying IAM line — Keycloak removes the headcount-linked component, but the SSO surcharge is downstream of the IdP choice.
Auth0 ships an SDK in our language. What's the equivalent in Keycloak?
Keycloak is OIDC-spec-compliant, so any standard OIDC library works — that's the integration story. There's no equivalent of Auth0's hosted Universal Login as a service. For B2C apps under 25,000 MAU on Auth0's free tier, that DX is hard to beat. Past 25,000 MAU, the price-per-MAU curve is the conversation.
Stop paying per seat for SAML.
Thirty minutes with a senior identity engineer. We'll model your five-year IAM run-rate against your actual hiring plan — not a brochure example.
Talk to an Identity Engineer →