Keycloak: The Reference Architecture for Enterprise Identity & Access Management (IAM)
Fabian Peter · 5 minute read


TL;DR

Identity is the new perimeter. Outsourcing login and user management to SaaS services such as Auth0 or AWS Cognito is convenient at first but leads into a double trap: costs that keep rising with every additional active user (pay-per-MAU) and limited customizability. Keycloak is the industry standard for regaining this sovereignty. It is a complete, open-source IAM solution that scales with your infrastructure rather than your user count, connects to any existing directory (AD/LDAP), and charges no ‘tax’ per active user.

1. The Architectural Principle: Identity Brokering & Federation

SaaS solutions often want to be the only database for your users. In reality, identities are everywhere: in the company’s Active Directory, in social media accounts (Google/GitHub), or in partner databases.

Keycloak acts as an Identity Broker.

  • Single Sign-On (SSO): Your application trusts only Keycloak. Keycloak, in turn, trusts many other sources.
  • Federation: A user logs in. Keycloak checks: “Is the user in the local LDAP? No? Then I’ll check with Google.” For the application this multi-step process is transparent: it always receives a standardized token (JWT) issued by Keycloak, regardless of where the identity actually lives.
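The flip side of “your application trusts only Keycloak” is that the application must actually verify what it receives. The following is an added example, not code from the original article, from ayedo or from the Keycloak project: a relying application validates a Keycloak-style access token. It assumes a client whose tokens are signed with HS256 using the client secret (a per-client Keycloak setting; the default is RS256 with the realm key, where the same checks apply but the signature is verified against the realm’s JWKS). The issuer URL, client ID, secret and sample claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed values for this example (not real Keycloak identifiers):
# the realm's issuer URL, the client this application is registered as,
# and the client secret Keycloak uses when the client's access-token
# signature algorithm is set to HS256.
ISSUER = "https://sso.example.invalid/realms/demo"
CLIENT_ID = "shop-frontend"
CLIENT_SECRET = b"constructed-client-secret-not-for-production"

# Fixed "current time" and sample claims so the example is reproducible.
EXAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": [CLIENT_ID, "account"],   # audiences the token was minted for
    "azp": CLIENT_ID,                # client that requested the token
    "typ": "Bearer",                 # Keycloak marks access tokens this way
    "sub": "constructed-user-uuid",
    "preferred_username": "alice",
    "iat": EXAMPLE_NOW,
    "exp": EXAMPLE_NOW + 300,
    "realm_access": {"roles": ["customer"]},
}


class TokenError(Exception):
    """Raised for any reason a token must not be trusted."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT. This stands in for Keycloak's token endpoint
    so the example runs offline; in a real deployment only Keycloak and the
    owning confidential client ever hold this secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes, now: Optional[float] = None, leeway: int = 30) -> dict:
    """Validate a token the way a relying application should: pin the
    algorithm, verify the signature before trusting any claim, then check
    issuer, audience, token type and the validity window."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token: expected header.payload.signature")
    h_seg, p_seg, s_seg = parts
    try:
        header = json.loads(_b64url_decode(h_seg))
        signature = _b64url_decode(s_seg)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token: undecodable segment")
    # The verifier decides the algorithm, never the token (rejects "none"
    # and algorithm-confusion attempts).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (h_seg + "." + p_seg).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p_seg))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    # 'aud' may be a string or a list; require this client to be among the
    # intended audiences ('azp' only says who requested the token).
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if CLIENT_ID not in aud:
        raise TokenError("wrong audience")
    if claims.get("typ") != "Bearer":
        raise TokenError("not an access token")
    if claims.get("exp", 0) + leeway < now:
        raise TokenError("expired")
    if claims.get("nbf", 0) - leeway > now:
        raise TokenError("not yet valid")
    return claims


def rejection_reason(token: str, secret: bytes, now: float) -> Optional[str]:
    """Return why a token was rejected, or None if it verified."""
    try:
        verify_token(token, secret, now=now)
        return None
    except TokenError as exc:
        return str(exc)


def realm_roles(claims: dict) -> List[str]:
    """Keycloak nests realm-level roles under realm_access.roles."""
    return list(claims.get("realm_access", {}).get("roles", []))


if __name__ == "__main__":
    token = issue_token(SAMPLE_CLAIMS, CLIENT_SECRET)
    claims = verify_token(token, CLIENT_SECRET, now=EXAMPLE_NOW + 60)
    print(claims["preferred_username"], realm_roles(claims))
    print(rejection_reason(token, CLIENT_SECRET, now=EXAMPLE_NOW + 400))
```

The order of checks is deliberate: nothing inside the payload is read until the signature has been verified under the algorithm the application has pinned, because a token controls its own header and claims. The audience check is what prevents a token minted for one Keycloak client from being replayed against another.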

2. Core Feature: Unlimited Customization (SPI)

What happens if you need a login flow that is not standard? For example: “After the password, the user must accept terms and conditions, but only if they are from Germany, and then receive an SMS via a local provider.”

With AWS Cognito, you quickly hit hard limits: customization is confined to a fixed set of Lambda triggers.

Keycloak offers Service Provider Interfaces (SPI).

Since Keycloak is based on Java, you can write your own plugins for almost any component (authentication, user storage, protocols). You can extend the core logic of the server without forking the source code. This makes Keycloak the most flexible IAM solution on the market.

3. Scaling Without Cost Trap (The MAU Trap)

The business model of Auth0 and Okta is based on Monthly Active Users (MAU).

For a B2B startup with 500 users, this is affordable. For a B2C platform or a shop with 1 million occasional users, this model becomes ruinous: costs rise in lockstep with your success.

Keycloak has no concept of MAUs.

Whether you manage 100 or 1,000,000 users makes no difference to the license, because it is open source. You only pay for the infrastructure (CPU/RAM) in the cluster. Because a login is a cheap operation, you can serve millions of users on modest hardware, and the marginal cost per user approaches zero.

4. Operating Models Compared: Auth0/Cognito vs. ayedo Managed Keycloak

This is where it is decided whether your IAM becomes a cost driver or a strategic asset.

Scenario A: Auth0 / AWS Cognito (The Golden Cage)

The entry point (“Time to Hello World”) is extremely fast, but the lock-in is deep.

  • Vendor Lock-in: Try exporting your users including passwords from Cognito. It doesn’t work (hashes are often not exportable). You cannot switch providers without all users having to reset their passwords.
  • Blackbox Uptime: If the US provider is down (or suspends your account due to “suspicious activity”), your business comes to a halt. You have no access to the logs or the database.
  • Data Retention: User data is often stored in US data centers, making GDPR compliance complex (Schrems II).

Scenario B: Keycloak with Managed Kubernetes by ayedo

In the ayedo App Catalog, Keycloak is the IAM engine for professionals.

  • Data Sovereignty: The database (PostgreSQL) is in your cluster. You have access to everything. An export is possible at any time via SQL dump.
  • Theming: Keycloak allows full control over the HTML/CSS of the login page (FreeMarker Templates). It looks exactly like your corporate identity, not like a generic mask.
  • High Availability: Keycloak uses Infinispan for distributed caching. In the ayedo stack, this is configured so that sessions are replicated across multiple pods. If a node fails, the user does not have to log in again.

Technical Comparison of Operating Models

Aspect            | Auth0 / AWS Cognito (SaaS)            | ayedo (Managed Keycloak)
------------------|---------------------------------------|-----------------------------------
Cost Model        | Pay-per-User (MAU) (expensive!)       | Infrastructure (flat rate)
Data Sovereignty  | Provider (difficult data export)      | Complete (own DB)
Extensibility     | Limited (webhooks/triggers)           | Unlimited (Java SPI)
Protocols         | OIDC / SAML                           | OIDC, SAML, Docker Auth, Kerberos
User Federation   | Usually additional costs / connectors | Native (LDAP/AD/Kerberos)
Strategic Risk    | Extreme lock-in                       | Full sovereignty

FAQ: Keycloak & IAM Strategy

Keycloak vs. Authentik: What is the difference?

Both are top tools in the ayedo catalog. Keycloak (Java) is the established “enterprise tanker.” It has more features for legacy integrations (Kerberos, User Federation) and is the standard in corporations. Authentik (Python/Go) is more modern, lighter, and often more intuitive to configure (“Flows”).

Rule of thumb: Do you need deep LDAP integration, SPI extensions, or certification? Choose Keycloak. Do you want a modern, fast solution for Kubernetes apps? Check out Authentik.

Is Keycloak difficult to operate?

Historically: Yes. Java applications with Infinispan clustering are complex to tune. This is exactly the value of Managed Keycloak at ayedo. We deliver a pre-configured, Kubernetes-optimized instance (based on the modern Quarkus distribution) that starts quickly and runs stably without you having to be a Java expert.

Can I use my existing Active Directory users?

Yes, this is one of Keycloak’s core strengths. With “User Federation,” you can connect your AD or LDAP. Keycloak does not have to import or synchronize users; it can validate passwords directly against the AD. This enables a seamless transition from on-premise to cloud.

Does Keycloak support social login?

Yes. Google, Facebook, GitHub, Microsoft, LinkedIn – almost every relevant provider is supported out-of-the-box. You only need the client IDs of the respective service.

Conclusion

Identity is too important to rent. Those who rely on SaaS IAM exchange short-term convenience for long-term dependency and high costs. Keycloak is the answer for companies that want to grow without being penalized “per user.” It is powerful, sovereign, and the global standard for open-source IAM. With the ayedo Managed Stack, you get this enterprise power without the operational pain of Java management – scalable, secure, and under your control.
