Keycloak vs. Bare.ID comparison - the Keycloak alternative

The IAM open source framework Keycloak from RedHat is the established standard on the market for IAM with single sign-on. It basically covers authorization for web applications, mobile applications and REST services. For this, Keycloak offers central basic functions such as login, logout, self-registration and also multi-factor authentication. The single sign-on supports standard protocols such as OAuth2, OpenID-Connect, SAML and Kerberos.

Since it is always advantageous in IT security to use established standards and open source libraries whenever possible, Keycloak is a promising choice for companies as a basis for their own systems. However, the operation and patch management of security software is an enormous challenge, especially for SMEs, because in practice there is often a lack of know-how, IT personnel and infrastructure to set up, securely operate and further develop such systems with Keycloak.

Nevertheless, Keycloak is a renowned option and experience shows that it basically offers all the necessary standard functionalities for an IAM solution. However, for long-term productive use, some framework conditions and functionalities are missing - especially with regard to compliance and ITSM requirements. As an alternative to running Keycloak in-house, the SaaS solution Bare.ID was developed. Bare.ID uses Keycloak at its core. This means that customers benefit from the Keycloak functionalities of the open source framework and equally from additional numerous features. All Keycloak settings can be easily managed via Bare.ID's user-friendly admin interface. Third-party systems are connected with just a few clicks and security is enhanced by the integrated, multifaceted multi-factor authentication solutions. The included all-round service with detailed consulting, fast setup, fail-safe hosting and continuous maintenance and further development of the cloud service, makes Bare.ID a worry-free, reliable and data protection-compliant identity and access management (IAM) solution from a single source. How Bare.ID and Keycloak differ in detail is explained in more detail in the following sections.

What differentiates Bare.ID from Keycloak?

Hosting & Operation

As a SaaS product, Bare.ID offers a managed Keycloak instead of a self-hosted Keycloak. In doing so, Bare.ID hosts exclusively in, multiple redundant and even KRITIS regulation compliant geo-redundant. SaaS operation also means short-term patch management, so the latest Keycloak version is always used. Bare.ID implements an ITSM according to ISO27001. The individual code around the Keycloak core and the migration work are handled by the SaaS provider, whereas in the case of a self-hosted Keycloak, each code has to be migrated manually and at great expense, which experience has shown often causes operational problems.

IT security, data protection and compliance

Companies in the European, specifically German-speaking area are subject to strict GDPR guidelines and industry-specific regulations. GDPR-compliant use is only possible if technical measures ensure that personal data either only leaves the EU in encrypted form or other organizational measures prevent it from being evaluated. In the case of logins and identity management, however, this is almost impossible, since in order to perform a login or manage the identity, it must be available in plain text at the provider hosted in the third country. With hosting, operation and development exclusively in and from Germany, Bare.ID offers a standardized GDPR-compliant cloud service.

In terms of IT security, Bare.ID also offers additional audit functionalities that are not included in the Keycloak standard scope. Bare.ID's supporting infrastructure displays various metrics on a dashboard, such as user access to applications and failed login attempts. This data can be used to identify vulnerabilities and susceptibilities, perform security controls, and verify compliance.

Security functionalities

The security functionalities offered by Keycloak and extended by Bare.ID are of great importance for access management. Access management to various applications and thus their authorized use can be limited in advance with Bare.ID Role-Based Application Access. While in the standard Keycloak basically all users can access all applications and the access decision lies with the applications themselves, Bare.ID offers the option to restrict access directly during login. Users can decide in advance which users are allowed to access which applications. Thus, Bare.ID controls access to the application during login, and the application itself does not have to prevent access for the respective users.

Keycloak and Bare.ID offer the possibility to flexibly configure password policies as a complementary security measure. Preconfigured rules such as letter and number combinations and "Have I been Pwned" matching, but also detailed configuration, such as the precise detailed configuration of PBKDF2 password hashing, are already available pre-configured in the Bare.ID admin interface and can be activated with one click. This allows you to customize your Bare.ID instance in detail to your requirements and security policy. Additionally, brute force rules can be activated and defined with one click to prevent attacks by trying many passwords.

Advanced MFA variants

With regard to user login, Keycloak provides a good basis for implementing advanced 2-factor authentication. The security and functionality requirements of multi-factor authentications are variable and need-based, so many methods are possible. Bare.ID supports One-Time Passwords (OTP), facial recognition and fingerprint sensors, hardware tokens and other components according to FIDO2/WebAuthN standards, among others. Bare.ID also enables the cell phone or Windows-based multi-factor authentication "Secure Login to Web Services" from secunet Security Networks AG for passwordless authentication, which meets all current legal security requirements, complies with BSI guidelines and is the leading provider on the German market in this environment - without any integration effort and can be activated with one click.

Application Gallery

Another differentiation between Keycloak and Bare.ID is user authentication to applications and services. In order to set up authentication to Keycloak and not to individual applications, all the necessary applications and services are implemented individually in the standard Keycloak. In contrast, Bare.ID simplifies this process by using the application gallery with preconfigured applications included in the Bare.ID admin interface. With a few clicks, which by default include the fields name, description, base URL, forwarding URL and optionally access restriction, the application is connected in no time. If users are missing an application in the overview, it can be added quickly and free of charge by the Bare.ID development team on request.

White label theme

The Keycloak standard theme, i.e. the user interface of the login as well as e-mail templates, initially offers no customization options for users. In order not to reduce the e-mails to users as well as the login mask to pure text templates as well as the login to text field with Keycloak logo, a high effort of self-development arises at this point at first. Experience shows that custom Keycloak projects are one of the biggest cost items to get Keycloak SSO up and running. To avoid this effort and to meet the needs of the users from the beginning, Bare.ID offers white label templates for the Bare.ID user interface, emails as well as SMS and their senders. Customers can easily configure the appearance and content according to their own corporate design specifications and decide for themselves whether it is visible where and who hosts the login.

Support

As open source, Keycloak does not offer dedicated support, as already mentioned. The options here are limited to US community support or support via a Red Hat SSO license, which, however, does not offer any developers for support and comes off worse in terms of price-performance ratio than a Bare.ID annual license. As a SaaS provider, Bare.ID offers regularly available support as well as implementation assistance from an experienced team of developers. As a German company, it also offers support in the same language during appropriate business hours and 24/7 in emergencies.

Conclusion

Apart from the effort of in-house operation, implementation and update management, the Keycloak software offers a reliable and resilient basis for basically managing user access. Especially in the SME sector, the SaaS Bare.ID stands out from the cost-benefit perspective as a ready-to-use and complete IAM solution in compliance with all necessary security and data protection requirements.

The Bare.ID expert team is at your side with experience and will be happy to advise you on how our solution can fit into your IT environment. Simply make a non-binding consultation appointment via our contact form and our team will get in touch with you as soon as possible.