Keycloak IAM Provider
Open-source (Apache 2.0) IAM/CIAM by Red Hat. Zero licensing cost with unlimited users. Most feature-rich open-source option with full SPI extensibility. Requires self-hosting and DevOps expertise.
Features
- AWS, Azure, GCP
If you want to compare IAM features of different providers, please check out the (C)IAM Identity Providers benchmark.
Looking for Keycloak’s OpenID Connect protocol compatibility? View Keycloak on the OpenID Connect Providers benchmark.
Frequently Asked Questions
Does Keycloak support Username and Password authentication method?
Keycloak supports Username and Password authentication method.
Does Keycloak support Social Sign-in authentication method?
Keycloak supports Social Sign-in authentication method. 12+ built-in providers plus any custom OIDC or SAML identity provider.
Does Keycloak support Passkey authentication method?
Keycloak supports Passkey authentication method. WebAuthn passwordless and two-factor authentication.
Does Keycloak support Email Passwordless authentication method?
Keycloak supports Email Passwordless authentication method. Email OTP for passwordless authentication.
Does Keycloak support Phone Passwordless authentication method?
Keycloak partially supports Phone Passwordless authentication method. Phone OTP via custom SPI extension or third-party provider. No built-in SMS gateway.
Does Keycloak support Magic Link authentication method?
Keycloak partially supports Magic Link authentication method. Magic link via custom authenticator SPI. Not available out-of-the-box. The p2-inc/keycloak-magic-link extension is the most widely used community solution.
Does Keycloak support Anonymous / Guest authentication method?
Keycloak does not support Anonymous / Guest authentication method. Keycloak requires user identity for authentication. Anonymous/guest sessions are not a built-in feature.
Does Keycloak support Time-based One-Time Password (TOTP) MFA?
Keycloak supports Time-based One-Time Password (TOTP) MFA.
Does Keycloak support HMAC-based One-Time Password (HOTP) MFA?
Keycloak supports HMAC-based One-Time Password (HOTP) MFA. HOTP (counter-based OTP) supported alongside TOTP.
Does Keycloak support Universal 2nd Factor (U2F) MFA?
Keycloak supports Universal 2nd Factor (U2F) MFA. WebAuthn security keys for U2F-style authentication.
Does Keycloak support WebAuthn MFA?
Keycloak supports WebAuthn MFA.
Does Keycloak support Email Code MFA?
Keycloak supports Email Code MFA.
Does Keycloak support Phone Code MFA?
Keycloak partially supports Phone Code MFA. SMS OTP via SPI extension. No built-in SMS provider.
Does Keycloak support Recovery Code MFA?
Keycloak supports Recovery Code MFA. Recovery Codes are a built-in required action since Keycloak 22+. Single-use backup codes generated at MFA enrollment.
Does Keycloak support Push Notification MFA?
Keycloak does not support Push Notification MFA. No built-in push notification MFA. Community extensions exist (e.g. ba-itsys/keycloak-push-mfa-extension) but are not officially maintained.
Does Keycloak support Adaptive / Risk-Based MFA?
Keycloak does not support Adaptive / Risk-Based MFA. No built-in adaptive/risk-based MFA. Can be implemented via custom SPI or community extensions such as mabartos/keycloak-adaptive-authn.
Does Keycloak support Cisco Duo MFA?
Keycloak partially supports Cisco Duo MFA. Cisco Duo provides official SSO integration via OIDC/SAML. For direct authenticator-level integration, the community-maintained instipod/DuoUniversalKeycloakAuthenticator extension (tested with Keycloak 26.x) is available.
Does Keycloak support Step-Up Authentication MFA?
Keycloak supports Step-Up Authentication MFA.
Does Keycloak support OpenID Connect (OIDC) integration protocol?
Keycloak supports OpenID Connect (OIDC) integration protocol.
Does Keycloak support SAML 2.0 integration protocol?
Keycloak supports SAML 2.0 integration protocol.
Does Keycloak support WS-Federation integration protocol?
Keycloak does not support WS-Federation integration protocol. WS-Federation is not natively supported. A community extension (cloudtrust/keycloak-wsfed) exists but is not officially maintained or vetted by the Keycloak team.
Does Keycloak support Machine-to-Machine (M2M) Authentication integration protocol?
Keycloak supports Machine-to-Machine (M2M) Authentication integration protocol. OAuth 2.0 client credentials grant natively supported.
Does Keycloak support OpenID Connect (OIDC) Federation identity federation?
Keycloak supports OpenID Connect (OIDC) Federation identity federation.
Does Keycloak support SAML 2.0 Federation identity federation?
Keycloak supports SAML 2.0 Federation identity federation.
Does Keycloak support Active Directory / LDAP identity federation?
Keycloak supports Active Directory / LDAP identity federation. Full LDAP and Active Directory federation with read/write sync.
Does Keycloak support Azure Active Directory (Entra ID) identity federation?
Keycloak supports Azure Active Directory (Entra ID) identity federation. Azure AD/Entra ID federation via OIDC or SAML identity brokering.
Does Keycloak support Bulk User Import user management?
Keycloak supports Bulk User Import user management. Import users via Admin REST API (POST /admin/realms/{realm}/users), Partial Import API, or LDAP sync.
Does Keycloak support Password Hash Import (Multiple Formats) user management?
Keycloak supports Password Hash Import (Multiple Formats) user management. Import password hashes via Admin API with custom hashing algorithm support.
Does Keycloak support Bulk User Export user management?
Keycloak supports Bulk User Export user management. Export users via Admin REST API or realm export.
Does Keycloak support Bulk User Update / Delete user management?
Keycloak supports Bulk User Update / Delete user management. Bulk operations via Admin REST API.
Does Keycloak support Upsert on Import user management?
Keycloak supports Upsert on Import user management. Partial Import API supports OVERWRITE, SKIP, and FAIL conflict strategies, enabling upsert behavior.
Does Keycloak support Legacy Username Import (Non-Allowed Characters) user management?
Keycloak partially supports Legacy Username Import (Non-Allowed Characters) user management. Keycloak accepts a broad Unicode range via regex but username character handling is version-dependent. Spaces, CJK characters, and special symbols have caused regressions between versions (e.g., v23→v24). Import success depends on Keycloak version and specific characters involved.
Does Keycloak support MFA Enrollment Import user management?
Keycloak supports MFA Enrollment Import user management. TOTP secrets can be imported via the JSON realm import format or the admin REST API using the credentials array with fields: secret (BASE32), digits, period, and algorithm.
Does Keycloak support Inbound SCIM Provisioning user management?
Keycloak does not support Inbound SCIM Provisioning user management. No built-in SCIM support. Community extensions are available.
Does Keycloak support Outbound SCIM Provisioning user management?
Keycloak does not support Outbound SCIM Provisioning user management.
Does Keycloak support SCIM Groups Provisioning user management?
Keycloak does not support SCIM Groups Provisioning user management.
Does Keycloak support Just-In-Time (JIT) User Provisioning user management?
Keycloak supports Just-In-Time (JIT) User Provisioning user management. JIT user provisioning during first federation login.
Does Keycloak support Lazy / Trickle Migration from Legacy Database user management?
Keycloak supports Lazy / Trickle Migration from Legacy Database user management. Lazy migration via User Storage SPI for gradual migration from existing user stores.
Does Keycloak support Self-Service Profile Management Portal user management?
Keycloak supports Self-Service Profile Management Portal user management. Keycloak Account Console for self-service profile, MFA, and session management.
Does Keycloak support User Account Linking user management?
Keycloak supports User Account Linking user management. Link multiple identity providers to a single Keycloak account.
Does Keycloak support User Blocking / Banning user management?
Keycloak supports User Blocking / Banning user management. Disable user accounts to prevent authentication via the Admin Console or Admin REST API.
Does Keycloak support User Metadata user management?
Keycloak supports User Metadata user management. Custom user attributes stored as user attributes in Keycloak.
Does Keycloak support Application Metadata user management?
Keycloak supports Application Metadata user management. Client attributes (custom metadata per client/application) can be stored via the Admin REST API.
Does Keycloak support Metadata Size Limits user management?
Keycloak partially supports Metadata Size Limits user management. Attribute value limits are database-level constraints, not formally documented in official docs. Unmanaged attributes support up to ~2048 characters in recent versions (extended from the historical 255-char limit). Limits are deployment-dependent.
Does Keycloak support User Search user management?
Keycloak supports User Search user management.
Does Keycloak support Role-Based Access Control (RBAC) user management?
Keycloak supports Role-Based Access Control (RBAC) user management. Realm roles and client roles with composite roles support.
Does Keycloak support Organizations (Multi-Tenancy B2B) user management?
Keycloak supports Organizations (Multi-Tenancy B2B) user management. Organizations feature (since v26.0) and Realms for full tenant isolation.
Does Keycloak support Password Strength Policies user management?
Keycloak supports Password Strength Policies user management.
Does Keycloak support Username Restrictions user management?
Keycloak supports Username Restrictions user management. Username validation via user profile validators (regex, length) configurable per realm.
Does Keycloak support Progressive Profiling / Forms user management?
Keycloak supports Progressive Profiling / Forms user management. Progressive profiling supported since Keycloak v24.0.
Does Keycloak support Attribute-Based Access Control (ABAC) access control?
Keycloak supports Attribute-Based Access Control (ABAC) access control. Attribute-based access control via Keycloak Authorization Services.
Does Keycloak support Fine-Grained Authorization (FGA / ReBAC) access control?
Keycloak supports Fine-Grained Authorization (FGA / ReBAC) access control. Resource, scope, and policy-based authorization via Keycloak Authorization Services.
Does Keycloak support API Authorization (Scopes / Permissions) access control?
Keycloak supports API Authorization (Scopes / Permissions) access control.
Does Keycloak support Audit Log Retention security feature?
Keycloak supports Audit Log Retention security feature.
Does Keycloak support Audit Log Streaming security feature?
Keycloak partially supports Audit Log Streaming security feature. Event listener SPI supports syslog, JSON, and GELF log handlers.
Does Keycloak support Security Center (Threat Monitoring Dashboard) security feature?
Keycloak does not support Security Center (Threat Monitoring Dashboard) security feature.
Does Keycloak support Encryption at Rest security feature?
Keycloak supports Encryption at Rest security feature. Encryption at rest via database-level Transparent Data Encryption (TDE) or filesystem/block-device encryption. Operator-dependent; Keycloak itself does not encrypt data at rest by default.
Does Keycloak support Encryption in Transit security feature?
Keycloak supports Encryption in Transit security feature. TLS/HTTPS is supported and configurable. Keycloak recommends TLS for all traffic.
Does Keycloak support Customer Managed Keys (BYOK) security feature?
Keycloak supports Customer Managed Keys (BYOK) security feature. Manage your own encryption keys via the deployment infrastructure.
Does Keycloak support Bot Detection security feature?
Keycloak partially supports Bot Detection security feature. Built-in Google reCAPTCHA support for registration flows (v2 and v3, including reCAPTCHA Enterprise). Login flow CAPTCHA requires a community extension. Third-party privacy-friendly CAPTCHA providers (Friendly Captcha, ALTCHA) are available via extensions.
Does Keycloak support Brute Force Protection security feature?
Keycloak supports Brute Force Protection security feature.
Does Keycloak support Suspicious IP Throttling security feature?
Keycloak partially supports Suspicious IP Throttling security feature. Brute force detection locks accounts per user after repeated failures. Native per-IP throttling across multiple accounts is not built-in; a reverse proxy or WAF is recommended for IP-level rate limiting.
Does Keycloak support Breached Password Detection security feature?
Keycloak does not support Breached Password Detection security feature. No built-in HaveIBeenPwned integration. Community extensions are available (e.g. alvinbaena/keycloak-pwned-password-policy). Keycloak does support a password blacklist feature that can use the HIBP list.
Does Keycloak support Credential Guard (Dark Web Monitoring) security feature?
Keycloak does not support Credential Guard (Dark Web Monitoring) security feature.
Does Keycloak support Tenant Access Control List (IP ACL) security feature?
Keycloak partially supports Tenant Access Control List (IP ACL) security feature. IP allow/deny lists are not built into the core Quarkus-based Keycloak distribution. This capability was removed from the legacy distribution. Per-realm IP filtering is available via deployment infrastructure (reverse proxy, WAF) or some managed Keycloak hosting providers.
Does Keycloak support Device Fingerprinting security feature?
Keycloak does not support Device Fingerprinting security feature.
Does Keycloak support Per-Organization Branding multi-tenancy?
Keycloak supports Per-Organization Branding multi-tenancy. Per-realm (tenant) FreeMarker theming for custom branding.
Does Keycloak support Per-Organization MFA Policy multi-tenancy?
Keycloak supports Per-Organization MFA Policy multi-tenancy. Per-realm MFA policies and authentication flows.
Does Keycloak support Hosted / Universal Login Page branding feature?
Keycloak supports Hosted / Universal Login Page branding feature.
Does Keycloak support Embedded / Native Login Components branding feature?
Keycloak partially supports Embedded / Native Login Components branding feature. Direct grant API allows credential-based flows for embedded auth. Hosted redirect flow is standard.
Does Keycloak support White-Label / Full Brand Removal branding feature?
Keycloak supports White-Label / Full Brand Removal branding feature. Full FreeMarker theming enables complete brand customization.
Does Keycloak support Localization / i18n branding feature?
Keycloak supports Localization / i18n branding feature. 20+ built-in language packs with custom translation support.
Does Keycloak support Prebuilt UI Components (SDK) branding feature?
Keycloak supports Prebuilt UI Components (SDK) branding feature. Account Console and configurable Login theme served by Keycloak.
Does Keycloak support Login / Auth Analytics Dashboard analytics?
Keycloak partially supports Login / Auth Analytics Dashboard analytics. Events API for login analytics. External dashboards (Grafana, ELK) recommended.
Does Keycloak support GDPR: Data Export (Portability) compliance?
Keycloak supports GDPR: Data Export (Portability) compliance. Export user data via Admin REST API.
Does Keycloak support GDPR: Right to be Forgotten (User Deletion) compliance?
Keycloak supports GDPR: Right to be Forgotten (User Deletion) compliance. Delete user accounts and associated data via Admin REST API (DELETE /admin/realms/{realm}/users/{id}) or Admin Console.
Does Keycloak support Consent Management compliance?
Keycloak supports Consent Management compliance. OAuth 2.0 consent screen and scope management built-in.
Does Keycloak support Region Deployment compliance?
Keycloak supports Region Deployment compliance. Self-hosted deployment anywhere with cross-datacenter replication support.
Does Keycloak support Private Cloud Deployment compliance?
Keycloak supports Private Cloud Deployment compliance. Self-host on AWS (EC2, EKS, ROSA), Azure (VMs, AKS), GCP, or any other cloud.
Does Keycloak support SDK Coverage developer integration?
Keycloak supports SDK Coverage developer integration. Keycloak adapters for Java (Spring Boot, Quarkus), JavaScript, Node.js, Go, Python, PHP. Keycloak SDKs via community.
Does Keycloak support Management API developer integration?
Keycloak supports Management API developer integration.
Does Keycloak support Authentication API Rate Limits developer integration?
Keycloak does not support Authentication API Rate Limits developer integration. No built-in IP-based rate limiting. Brute-force detection handles per-user lockout. External WAF or reverse proxy required for true rate limiting.
Does Keycloak support Actions / Extensibility Pipeline developer integration?
Keycloak supports Actions / Extensibility Pipeline developer integration. Full SPI extensibility: custom authenticators, identity providers, user federation, event listeners, token mappers, and more.
Does Keycloak support TypeScript Support in Extensibility developer integration?
Keycloak does not support TypeScript Support in Extensibility developer integration. Keycloak SPIs are implemented in Java. No JavaScript/TypeScript runtime for extensibility.
Does Keycloak support Custom Domain developer integration?
Keycloak supports Custom Domain developer integration. Deploy on any custom domain via reverse proxy configuration.
Does Keycloak support Deploy CLI (Infrastructure as Code) developer integration?
Keycloak supports Deploy CLI (Infrastructure as Code) developer integration. kcadm.sh CLI for configuration management and CI/CD pipelines.
Does Keycloak support Terraform Provider developer integration?
Keycloak partially supports Terraform Provider developer integration. Community-maintained Terraform provider: mrparkers/keycloak.
Does Keycloak support Custom Database Connections developer integration?
Keycloak supports Custom Database Connections developer integration. User Storage SPI for connecting to any external user store.
Does Keycloak support Native Webhook Support developer integration?
Keycloak supports Native Webhook Support developer integration. Event listener SPI supports custom HTTP webhooks for authentication events.
Does Keycloak support Universal Login / Hosted Login Page Customization developer integration?
Keycloak supports Universal Login / Hosted Login Page Customization developer integration. Full FreeMarker templating for all login page customization.
Does Keycloak support Custom Email Provider (SMTP) developer integration?
Keycloak supports Custom Email Provider (SMTP) developer integration. Configure custom SMTP server in realm settings.
Does Keycloak support Email Templates developer integration?
Keycloak supports Email Templates developer integration. FreeMarker email templates for all transactional emails.
Does Keycloak support Custom OIDC Claims / Token Enrichment developer integration?
Keycloak supports Custom OIDC Claims / Token Enrichment developer integration. Protocol mappers and scripted mappers for custom token claims.
Does Keycloak support No-Code Auth Flow Builder / Orchestration feature?
Keycloak does not support No-Code Auth Flow Builder / Orchestration feature. Authentication flows are configured via the admin console but are not a visual drag-and-drop builder.
Does Keycloak support Identity Verification / Document Proofing feature?
Keycloak does not support Identity Verification / Document Proofing feature. No built-in identity proofing or document verification. Can be integrated via custom SPI or third-party identity verification services.
Does Keycloak support Decentralized / Verifiable Credentials feature?
Keycloak does not support Decentralized / Verifiable Credentials feature. No built-in support for decentralized identifiers (DIDs), verifiable credentials, or self-sovereign identity.
Does Keycloak support Built-in Billing / Subscription Management feature?
Keycloak does not support Built-in Billing / Subscription Management feature. Keycloak is an open-source IAM platform with no built-in billing or subscription management features.
Does Keycloak support Agentic AI / MCP Server Authentication feature?
Keycloak partially supports Agentic AI / MCP Server Authentication feature. Keycloak serves as an OAuth 2.1/OIDC authorization server for MCP (Model Context Protocol) servers. MCP spec 2025-03-26 is fully supported; MCP 2025-06-18 and later are partially supported (missing RFC 8707 Resource Indicators). OAuth Client ID Metadata Document support is experimental.
Note: The current data is based on provider documentation/experience and may not be 100% accurate. Please open an issue if you have spotted any inconsistencies.