
Keycloak alternative: Tesseral is open source auth for B2B SaaS

Introduction

We often hear from people who are looking for Keycloak alternatives. For the most part, they're looking for something modern, easy to use, and open source to power auth for their SaaS applications.

TLDR: if you need modern, open source auth tooling for a SaaS application, you will likely find Tesseral to be a good fit!


What is Keycloak, anyway?

What Keycloak looks like now

Keycloak is an established open source identity and access management application. When I say it's established, I really mean it. The GitHub repository has almost 30,000 stars and about 1,400 unique contributors.

Keycloak does an awful lot of stuff! Here are a few highlights:

  • You can use Keycloak to proxy your connections into SAML or OIDC enterprise identity providers.
  • You can use Keycloak to federate your users by hooking into LDAP directories.
  • You can use Keycloak as a centralized authorization server, e.g., as a Java Policy Enforcement Point.

You don't need to know what any of that means. The point is that Keycloak is extremely powerful software. For pretty much any use case you can think of, it's pretty likely that someone has made Keycloak work.

Lots of big companies use Keycloak successfully. You can check out Hitachi's case study as an example. Other big companies that have used (or currently use) Keycloak include AT&T, Cisco, and Bosch.

Who maintains Keycloak?

Keycloak started as a project run by Red Hat back in 2014. It's now managed by the Cloud Native Computing Foundation, which is part of the Linux Foundation.

You can best develop a feel for the community by participating in GitHub discussions. There are usually a few posts that are active on any given day.


Why do people look for Keycloak alternatives?

Complexity

Remember how I mentioned that Keycloak is really powerful? I meant that.

Keycloak gets to be powerful because it's unopinionated and extremely complex. In many cases, people like Keycloak because it invites endless customization. There are lots of metaphorical knobs and dials you can play with! It's kind of like the cockpit of the Concorde jet, a feat of engineering but nonetheless an overwhelming experience:

[Image: concorde-jet]

A lot of people don't need -- or want -- something that's so flexible. Most people are making pretty vanilla software, and they often appreciate opinionated defaults. Lots of people are looking for an elegant, guided experience that funnels them into a 'pit of success.' Sometimes you just want painted lanes that help you get from Point A to Point B.

[Image: painted lanes]

This is especially true for those developers who don't know the jargon (e.g., SAML, JIT, JWT, RBAC, ReBAC...)! If you're not sure what you need, you're just not going to have a good time with Keycloak.

To borrow from a Hacker News comment:

To echo everyone else: the Keycloak documentation does not do a good job of hand-holding you at all, and the number of possible ways you can configure and use the system and the amount of jargon and terminology used is massively overwhelming to someone trying to get started. It would be very helpful to have some "white paper"-esque summaries that walk you through some simple, typical use-cases.

I looked through the docs quickly before making this post and as an example here's a basic task for initial setup ("hook up an IDP", basically giving keycloak its database of users), and it's utterly incomprehensible to any human being who doesn't already know how to work the system and really essentially worthless even then.

Maintenance

Keycloak isn't always a trivial thing to maintain. Although this isn't indicative of everyone's experience, it's certainly true that some people have a really hard time managing Keycloak in the long run.

Here's a Reddit comment that lends a little more context:

I am using it for 4 years already, since version 12 on WildFly (big corporate enterprise, usages in both external and internal SSO). It is annoying to set up, upgrade and manage in Docker/k8s, and at every stage it is very rigid to debug on top of being not quite performant (latest versions on Quarkus are better). The import and export tools are terrible, and the docs keep changing with every iteration too much to keep up with. Plus it is not quite easy to set it up in k8s in production mode with an ELB. I would go with Cognito User Pools or Okta (to avoid vendor-locking) if I was to start over.

And the response to that comment expresses a similar experience:

To add - maintaining new versions is a PITA. There is a tight coupling between Keycloak server version and client library versions. We have one Keycloak instance serving multiple frontend apps. Upgrading the KC version requires updating all the frontend apps. This means involving and coordinating multiple teams and god forbid any of those apps are abandonware...

I don't mean to suggest Keycloak is a bad tool. It's just a really complex piece of software. You should just know what you're signing up for. You will probably not be a happy camper if you're hoping never to think about auth again.

Old-school feel

To some users, the software feels ... old. One Hacker News commenter wrote, "I knew I could smell Java when I went to their website..."

Now, this is clearly a subjective complaint. There's nothing intrinsically wrong with old software. I mean, Postgres has been around for ages, and most people seem reasonably happy with it.

But even still, if you're accustomed to contemporary, startup-y tools (e.g., if you're a company that uses Linear instead of Jira), you're probably going to find things a bit jarring.


Keycloak alternative: Tesseral

What is Tesseral?

Tesseral is open source auth infrastructure for B2B SaaS. Designed to minimize complexity, Tesseral gives you all of the features you need to manage customer identity at any scale: from built-in UI to SAML and SCIM integrations to managed API keys.

What are the advantages and disadvantages of Tesseral as a Keycloak alternative?

Advantages of Tesseral over Keycloak

Tesseral is much simpler. It takes a lot less effort to set up (only a few lines of code), and it requires almost no effort to maintain -- after all, you can use the managed cloud service or set up a dedicated cloud tenant.

Moreover, Tesseral is explicitly designed for use with business software (i.e., SaaS). It more naturally supports the features that your enterprise customers will need. For example, Keycloak doesn't support SCIM provisioning.

Disadvantages of Tesseral vs. Keycloak

Simply put, Tesseral is more opinionated software. Tesseral doesn't support the vast expanse of functionality that Keycloak can support. For example, Tesseral doesn't work very well for consumer software (e.g., social media, consumer fintech apps). Similarly, you can't really use Tesseral as a corporate identity provider to manage your employees' access to different software applications.

About the Author
Ned O'Leary
Cofounder and CEO, Tesseral
Ned is the cofounder and CEO of Tesseral. Previously he worked at Gem and the Boston Consulting Group. He writes about product design, identity, and access management. You can often find him at Baker Beach in San Francisco with his puppy, Fred.