Keycloak is the dominant open-source IAM platform — maintained by Red Hat, widely deployed, and the most feature-complete open-source identity solution available. Authentik is a newer alternative with a modern UI. Gluu Server provides another option with stronger SCIM support. For developer-focused CIAM, Ory provides an open-source identity infrastructure stack.
2 open source tools highlighted below, plus 13 more in this category.
Open source · Cloud / On-prem · Free trial
Keycloak is the dominant open-source IAM — full SSO, MFA, identity federation, and user management — but self-hosted operational burden is the primary cost that commercial alternatives eliminate.
Best for: Teams with Kubernetes/container expertise that want full-featured IAM without per-user licensing costs, especially in on-premises or regulated environments.
Per-user · Cloud · Free trial
miniOrange is a budget IAM provider offering SSO, MFA, and directory integration at significantly lower pricing than Okta — but capabilities, UX, and support quality reflect the price point.
Best for: Budget-conscious SMBs that need basic SSO, MFA, and directory integration without the per-user costs of Okta, Duo, or Entra ID.
These tools are part of the identity & access management systems category but may not match the open source filter above. Worth reviewing if the primary options don't fit.
Usage-based pricing · Cloud · Free trial
Auth0 (Okta-owned) is the developer-first identity platform — strongest for SaaS applications that need customer-facing authentication (CIAM) — but pricing spikes dramatically at scale.
Custom quote · Cloud
CyberArk Identity combines workforce IAM with the leading privileged access management (PAM) platform — the strongest choice when identity and privileged access need to converge.
Per-user · Cloud · Free trial
Cisco Duo is the most popular MFA solution — simplest push-based authentication for users and administrators — but its MFA-first, and full SSO and lifecycle features require higher-tier plans.
Per-user · Cloud · Free trial
Google Workspace provides identity management (SSO, MFA, directory) as part of its productivity suite — strongest for Google-first organizations — but IAM depth is limited compared to dedicated identity platforms.
Device-based · Cloud · Free trial
JumpCloud is positioned here as a endpoint management software option for teams comparing rollout fit, operating model, pricing structure, and how much administrative effort the product is likely to create after implementation.
Per-user · Cloud · Free trial
Microsoft Entra ID (formerly Azure AD) is the most cost-effective enterprise IAM for Microsoft-centric environments — included in M365 — but capabilities outside the Microsoft ecosystem lag behind Okta.
Per-user · Cloud · Free trial
Okta is the market leader in cloud identity — strongest SSO and lifecycle management for multi-cloud, multi-SaaS environments — but per-user pricing with add-on modules makes total cost hard to predict.
Custom quote · Cloud / On-prem
One Identity (Quest Software) covers IAM, IGA, and PAM in a single vendor portfolio — strongest for organizations that want to consolidate identity vendors — but integration between products can feel fragmented.
Per-user · Cloud · Free trial
OneLogin (now One Identity by Quest) offers competitive SSO and MFA at lower per-user pricing than Okta — but the Quest acquisition has slowed product development and created roadmap uncertainty.
Custom quote · Cloud · Free trial
PingOne (Ping Identity) is strongest for large enterprises with hybrid identity requirements — on-premises AD integration with cloud SSO — but complexity and pricing position it as an enterprise-only option.
Custom quote · Cloud
Rippling unifies HR, IT, and identity management — the only platform where hiring an employee automatically provisions their identity, apps, and devices — but its an HR platform with IAM, not an IAM platform.
Custom quote · Cloud
RSA ID Plus (formerly RSA SecurID) is a legacy MFA platform repositioning toward modern identity — strongest for existing RSA SecurID customers — but new buyers have better options.
Custom quote · Cloud
SailPoint is the leader in identity governance and administration (IGA) — access certification, role mining, and compliance — but its focused on governance, not operational IAM like Okta or Entra ID.
Keycloak for workforce IAM (SSO, MFA, federation) — largest community, Red Hat backing, most documentation. Authentik for modern UI and Kubernetes-native deployment. Ory for developer-focused CIAM with microservice architecture. Gluu for SCIM provisioning depth.
Yes — Keycloak runs in production at banks, government agencies, and large enterprises. High availability requires PostgreSQL clustering and Keycloak clustering (Infinispan). Budget 0.5-1 FTE for administration. Red Hat Build of Keycloak adds vendor support.
Keycloak: 0.5-1 FTE for administration, plus infrastructure (Kubernetes, PostgreSQL, load balancer). Compare against Okta at $2-8/user/month. At 500+ users, self-hosted Keycloak is cheaper in licensing but comparable in total cost when you factor in admin time.
