Need advice about which tool to choose?Ask the StackShare community!
Keycloak vs sso: What are the differences?
Introduction
In this article, we will explore the key differences between Keycloak and SSO (Single Sign-On).
User Authentication and Authorization: Keycloak is an open-source identity and access management solution that provides comprehensive user authentication and authorization services. It allows organizations to secure their applications and services by managing user identities, roles, and permissions. SSO, on the other hand, is a concept that enables users to log in once and be authenticated across multiple applications or systems. While Keycloak offers SSO functionality along with additional features, SSO can be implemented using various protocols and frameworks without the need for a dedicated identity and access management system.
Customization and Extensibility: Keycloak provides a highly customizable and extensible platform for managing user identities and integrating with various authentication and authorization mechanisms. It offers fine-grained control over user registration, password policies, and user attribute management. SSO solutions, on the other hand, may have limited customization options and may require additional development efforts to integrate with existing systems or applications.
Integration with External Identity Providers: Keycloak allows seamless integration with popular external identity providers such as social media platforms (e.g., Google, Facebook) and enterprise identity providers (e.g., Active Directory, LDAP). It supports various identity protocols like OpenID Connect, SAML, and OAuth2 for federated authentication and single sign-on. SSO solutions may also support integration with external identity providers but may have limitations in terms of supported protocols or customization options.
Multi-factor Authentication: Keycloak provides built-in support for multi-factor authentication (MFA) options such as one-time passwords (OTP), biometrics, and email verification. It allows organizations to enforce additional security measures for user authentication. SSO solutions may support MFA, but the availability and customization options may vary depending on the specific implementation.
Administration and User Management: Keycloak provides a comprehensive administration console for managing users, roles, permissions, and client applications. It offers features like user self-registration, password reset, and user attribute management. SSO solutions may have limited administration and user management capabilities, focusing primarily on authentication and SSO functionality.
Scalability and High Availability: Keycloak supports horizontal scalability and high availability through clustering and load balancing. It can be deployed in a distributed architecture to handle high user loads and ensure high availability of authentication and authorization services. SSO solutions may also support scalability and high availability, but the specific implementation may vary depending on the chosen framework or protocol.
In summary, Keycloak is a feature-rich identity and access management system that provides extensive authentication, authorization, and user management capabilities, along with SSO functionality. SSO, on the other hand, is a concept that enables users to log in once and access multiple applications without the need for repeated authentication.
I am working on building a platform in my company that will provide a single sign on to all of the internal products to the customer. To do that we need to build an Authorisation server to comply with the OIDC protocol. Earlier we had built the Auth server using the Spring Security OAuth project but since in Spring Security 5.x it is no longer supported we are planning to get over with it as well. Below are the 2 options that I was considering to replace the Spring Auth Server. 1. Keycloak 2. Okta 3. Auth0 Please advise which one to use.
It isn't clear if beside the AuthZ requirement you had others, but given the scenario you described my suggestion would for you to go with Keycloak. First of all because you have already an onpremise IdP and with Keycloak you could maintain that setup (if privacy is a concern). Another important point is configuration and customization: I would assume with Spring OAuth you might have had some custom logic around authentication, this can be easily reconfigured in Keycloak by leveraging SPI (https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi). Finally AuthZ as a functionality is well developed, based on standard protocols and extensible on Keycloak (https://www.keycloak.org/docs/latest/authorization_services/)
You can also use Keycloak as an Identity Broker, which enables you to handle authentication on many different identity providers of your customers. With this setup, you are able to perform authorization tasks centralized.
We have good experience using Keycloak for SSO with OIDC with our Spring Boot based applications. It's free, easy to install and configure, extensible - so I recommend it.
Pros of Keycloak
- It's a open source solution33
- Supports multiple identity provider24
- OpenID and SAML support17
- Easy customisation12
- JSON web token10
- Maintained by devs at Redhat6
Pros of sso
Sign up to add or upvote prosMake informed product decisions
Cons of Keycloak
- Okta7
- Poor client side documentation6
- Lack of Code examples for client side5
