It's on my list of things that assumes out of the box that you know waaaaaay more about dozens of details than you actually are likely to unless you've already used it for 10 years. To the point that I don't even know what the benefit of using it vs. other options is at all.
I can’t understand your first sentence even after reading it ten times. Maybe it is too long for me.
To the second sentence: I don’t know what the benefit is either but in some environments you are not able to use any cloud provider or other external service to realize the auth layer so you are stuck with things like keycloak. Hope this thread discusses some other solutions which you can self host.
Which is extra funny when Keycloak is sticking to jargon out of RFCs that nobody else in the SaaS identity space is using. Hooking up Keycloak to a SAML consumer that only documents SaaS configuration is a fun game of try until it works most of the time.
I know the two main competitors that have been adopted by the self-hosted community are authentik and authelia. They're both somewhat underdeveloped for enterprise but at the same time still difficult to grasp for non-full-time DevOps people. At least in my opinion.
I use authentik for self-hosted - it's great but still too powerful and configurable for me or most people who are not auth experts to customise. Just creating a password reset flow requires integrating a dozen moving parts. The only explanation of how to do it is a YAML file or a YouTube tutorial.
Setting up basic forward auth or OIDC was super easy though.
Use cases that require _everything_ "on-premise" are often government/military, big healthcare, or just huge enterprises that want to control everything (and can afford a team that only runs their auth service).
I mentioned Ory above, but you get both options - either as a managed service or run on your own infra.
Yep, this is why I have been evaluating it recently. Have a customer that wants SAML 2.0 support, others that want LDAP support, 2FA support, and multi-tenancy support, while being something we can self-host. The other main suggestions I have seen - ORY or Zitadel - tend to be missing at least one of those (from what I can tell).
Keycloak looks like a big complicated monster, so I would prefer to stay away except that it looks like I will be required to have all that complexity to support all the use-cases we are looking at.
As far as I can tell, Zitadel cannot be used as a SAML client, only as a provider. One of my requirements is that we use customer-provided (and controlled) SAML for SSO. Otherwise it was looking very promising.