Keycloak in-house or as a managed service? The open source standard compared with the SaaS solution Bare.ID

Red Hat's open source IAM framework Keycloak is an established market standard for identity and access management with single sign-on. It provides authorization for web applications, mobile applications and REST services and, for this purpose, offers central basic functions such as login, logout, self-registration and multi-factor authentication. Its single sign-on supports the standard protocols OAuth2, OpenID Connect, SAML and Kerberos.
Since it is always an advantage in IT security to rely on established standards and open source libraries wherever possible, Keycloak is a promising choice for companies as the basis for their own systems. However, operating and patching security software is an enormous challenge, especially for SMEs: in practice they often lack the know-how, IT personnel and infrastructure needed to set up, securely operate and further develop such systems on Keycloak.
Nevertheless, Keycloak is a renowned option and experience has shown that it offers essentially all the standard functionality required of an IAM solution. What it lacks are the framework conditions and functions needed for long-term productive use, particularly with regard to compliance and ITSM requirements. The Bare.ID SaaS solution was developed as an alternative to running Keycloak yourself. Bare.ID uses Keycloak at its core, so customers benefit from the Keycloak functionality of the open source framework as well as from numerous additional features. All Keycloak settings can be managed via a user-friendly Bare.ID admin interface, third-party systems are connected with just a few clicks, and security is increased through integrated, diverse multi-factor authentication options. The included all-round service, with detailed advice, quick setup, fail-safe hosting and continuous maintenance and development of the cloud service, makes Bare.ID a carefree, reliable and privacy-compliant identity and access management (IAM) solution from a single source. How Bare.ID and Keycloak differ in detail is explained in the following sections.
As a SaaS product, Bare.ID offers a managed Keycloak instead of a self-hosted Keycloak in-house. Bare.ID hosts exclusively in Germany, with multiple redundancy and even KRITIS-compliant geo-redundancy. SaaS operation also means short-term patch management, so the latest Keycloak version is always in use. Bare.ID implements an ITSM in accordance with ISO 27001. The custom code around the Keycloak core and the migration work are taken over by the SaaS provider, whereas with a self-hosted Keycloak every piece of custom code has to be migrated laboriously and manually, which in practice often causes operational problems.
Companies in Europe, and in German-speaking regions in particular, are subject to strict GDPR rules and industry-specific regulations. GDPR-compliant use is only possible if technical measures ensure that personal data leaves the EU only in encrypted form, or if other organizational measures prevent it from being analysed. For logins and identity management, however, this is almost impossible: in order to log a user in or manage an identity, the data must be available in plain text to the provider hosting in the third country. With hosting, operation and development exclusively in and from Germany, Bare.ID offers a standardized GDPR-compliant cloud service.
In terms of IT security, Bare.ID also offers audit functions that are not part of the standard Keycloak scope. Bare.ID's supporting infrastructure displays various metrics on a dashboard, such as user access to applications and failed login attempts. With this data, weaknesses and vulnerabilities can be identified, security checks carried out and compliance with regulations verified.
The security functions offered by Keycloak and extended by Bare.ID are of great importance for access management. With Bare.ID Role-Based Application Access, access to individual applications, and thus their authorized use, can be restricted in advance. In standard Keycloak, in principle all users can authenticate to all applications and the access decision is left to the application itself; Bare.ID, by contrast, offers the option of restricting access directly at login. The customer can decide in advance which users may access which applications. Bare.ID therefore enforces the access decision during login, rather than leaving it solely to the application to reject the corresponding users.
Keycloak and Bare.ID offer the option of flexibly configuring password policies as a supplementary security measure. Preconfigured rules such as required letter and number combinations and a check against "Have I Been Pwned", but also detailed settings such as the exact configuration of PBKDF2 password hashing, are available ready-made in the Bare.ID admin interface and can be activated with one click. This allows you to adapt your Bare.ID instance in detail to your requirements and security policy. In addition, brute-force rules can be activated and defined with a click to ward off password-guessing attacks.
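As an added illustration of the password-policy and brute-force settings mentioned above (example code, not Bare.ID or Keycloak project code): a small Python audit over a Keycloak realm export, comparing a weak configuration with a hardened one. The realm JSON is constructed; the field and rule names (`passwordPolicy`, `bruteForceProtected`, `failureFactor`, `hashAlgorithm`, `hashIterations`) are Keycloak's own, while the thresholds are assumptions of this script.

```python
# Added example (not Bare.ID or Keycloak project code): audit the password policy
# and brute-force settings of a Keycloak realm export. Realm JSON is constructed.
import json

MIN_LENGTH = 12                  # thresholds are assumptions of this audit
MIN_PBKDF2_ITERATIONS = 210_000  # OWASP-style floor for PBKDF2 (assumed)

WEAK_REALM = json.dumps({
    "realm": "demo",
    "passwordPolicy": "length(8) and hashAlgorithm(pbkdf2-sha256) and hashIterations(1000)",
    "bruteForceProtected": False,
})

HARDENED_REALM = json.dumps({
    "realm": "demo",
    "passwordPolicy": "length(12) and digits(1) and upperCase(1) and lowerCase(1) "
                      "and specialChars(1) and notUsername and passwordHistory(3) "
                      "and hashAlgorithm(pbkdf2-sha512) and hashIterations(210000)",
    "bruteForceProtected": True,
    "failureFactor": 10,             # failed logins before a temporary lockout
    "waitIncrementSeconds": 60,
    "maxFailureWaitSeconds": 900,
})


def parse_policy(policy: str) -> dict:
    """Turn Keycloak's 'name(arg) and name' policy string into {name: arg}."""
    rules = {}
    for part in filter(None, (p.strip() for p in policy.split(" and "))):
        name, _, arg = part.partition("(")
        rules[name] = arg.rstrip(")") if arg else None
    return rules


def audit_realm(realm_json: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    realm = json.loads(realm_json)
    rules = parse_policy(realm.get("passwordPolicy", ""))
    findings = []
    if int(rules.get("length") or 0) < MIN_LENGTH:
        findings.append("password length below %d" % MIN_LENGTH)
    # Keycloak's built-in hash providers are PBKDF2 variants, so an explicitly
    # configured iteration count is compared against the PBKDF2 floor.
    if "hashIterations" in rules and int(rules["hashIterations"]) < MIN_PBKDF2_ITERATIONS:
        findings.append("PBKDF2 iteration count below %d" % MIN_PBKDF2_ITERATIONS)
    if not realm.get("bruteForceProtected"):
        findings.append("brute-force detection disabled")
    elif realm.get("failureFactor", 30) > 10:   # Keycloak's default is 30
        findings.append("failureFactor allows more than 10 failed logins")
    return findings
```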
With regard to user login, Keycloak provides a good basis for implementing extended two-factor authentication. The security and functional requirements of multi-factor authentication vary with the use case, which is why many procedures are possible. Bare.ID supports, among other things, one-time passwords (OTP), facial recognition and fingerprint sensors, hardware tokens and other components in accordance with the FIDO2/WebAuthn standards. Bare.ID also enables the mobile phone or Windows-based multi-factor authentication "Secure Login to Web Services" from secunet Security Networks AG for passwordless authentication; it meets all current legal security requirements and complies with BSI guidelines, and secunet is a leading provider on the German market in this field. It comes without integration costs and can be activated with one click.
Another difference between Keycloak and Bare.ID is how applications and services are connected for user authentication. To centralize authentication in Keycloak rather than in the individual applications, every application and service must be set up individually in standard Keycloak. Bare.ID, on the other hand, greatly simplifies this process via an application gallery of preconfigured applications in the Bare.ID admin interface. With just a few clicks, covering as standard the fields name, description, base URL, redirect URL and optional access restriction, an application is connected in a very short time. If an application is missing from the overview, the Bare.ID development team adds it quickly and free of charge on request.
The standard Keycloak theme, i.e. the user interface of the login page and the email templates, initially offers no customization. Unless you accept emails to users as plain text templates and the login page as a bare text field with the Keycloak logo, a great deal of in-house development is required. Experience has shown that custom Keycloak theme projects are one of the biggest cost items in getting Keycloak SSO up and running. To avoid this effort and meet users' expectations from the start, Bare.ID offers white-label templates for the Bare.ID user interface, emails and SMS, including their senders. Customers can easily configure the look and content according to their corporate design and decide for themselves whether it should be visible where and by whom the login is hosted.
Being open source, Keycloak does not come with dedicated support; the options are limited to the US-based community or a Red Hat SSO license, which, however, does not include developer assistance and offers a worse price/performance ratio than a Bare.ID annual license. As a SaaS provider, Bare.ID offers regularly available support and implementation assistance from an experienced team of developers. As a German company, it also offers support in the same language during appropriate business hours and 24/7 in emergencies.
Setting aside the effort of in-house operation, implementation and update management, the Keycloak software itself provides a robust and reliable basis for managing user access. In the SME sector in particular, the SaaS offering Bare.ID stands out as a ready-to-use and complete IAM solution that meets all the necessary security and data protection requirements.
The experienced Bare.ID team of experts is at your side and will be happy to advise you on how our solution can fit into your IT environment. Simply arrange a non-binding consultation via our contact form and our team will get back to you as soon as possible.
