Perimattic
Keycloak logo
DevToolsFrom $29/app/month

Managed Keycloak Hosting

Identity and access management

What is Keycloak on ManageStacks?

Keycloak on ManageStacks is the self-hosted, open-source Keycloak IAM (from Red Hat) deployed to your own AWS, Azure, or GCP region — priced flat at $29 per instance per month regardless of user count, with SSO via OpenID Connect + SAML, MFA, LDAP/AD federation, social login, and fine-grained authorisation. Materially cheaper than Auth0 or Okta once you're past 1,000 monthly active users, and identity data (users, tokens, sessions) stays in your cloud region.

Keycloak on ManageStacks is the self-hosted, open-source Keycloak IAM (from Red Hat) deployed to your own AWS, Azure, or GCP region — priced flat at $29 per instance per month regardless of user count, with SSO via OpenID Connect + SAML, MFA, LDAP/AD federation, social login, and fine-grained authorisation. Materially cheaper than Auth0 or Okta once you're past 1,000 monthly active users, and identity data (users, tokens, sessions) stays in your cloud region.

About Keycloak

What Keycloak does, and why teams deploy it.

Keycloak is the open-source identity and access management platform originally built by Red Hat and now under the CNCF. It provides single sign-on (SSO), identity brokering, social login, LDAP/Active Directory federation, multi-factor authentication, and fine-grained authorisation for modern applications and services.

Keycloak supports the standard identity protocols — OpenID Connect, OAuth 2.0, SAML 2.0 — and can act as both an identity provider and an identity broker (aggregating multiple upstream IdPs into one interface for your apps). Its admin console handles users, roles, clients (applications), realms (tenants), themes, and authentication flows. Custom flows via JavaScript authenticators, custom user storage providers via SPIs, and extensive theming let you match Keycloak to any product's brand and auth semantics.

Running Keycloak in production means running the Quarkus-based Keycloak binary on a JVM, a Postgres or MariaDB database for realm data, correct JVM heap sizing, HA clustering with Infinispan for session replication, an ingress with sticky sessions (or session offloading), and SSL. Add version-upgrade discipline (Keycloak's migration between 15 → 20 → 25 involved real schema changes) and you've built a small identity platform team. ManageStacks handles it.

DIY vs ManageStacks

What running Keycloak yourself looks like — and what it looks like with us.

DIY self-hosting

  • Provision a JVM box, install Keycloak (Quarkus) + Postgres, tune heap and connection pooling by hand
  • Configure SSL, DNS, and sticky-session ingress separately
  • Build HA yourself — multiple replicas + Infinispan clustering + shared Postgres + session-affinity LB
  • Test major-version upgrades in staging; run Liquibase migrations on a realm-DB clone; hunt theme breakage
  • Deploy custom themes and SPI JARs manually; rebuild the image every change

On ManageStacks

  • Subscribe through your AWS, Azure, or GCP marketplace
  • Keycloak comes up on Quarkus with Postgres, JVM heap tuned, SSL, and monitoring provisioned
  • HA-mode with Infinispan session replication available on Business+ plans out of the box
  • New Keycloak versions arrive as one-click updates after we validate the migration on your realm clone
  • Custom themes and SPI extensions deploy from Git on Business plans

Keycloak on ManageStacks — key numbers

Unlimited MAU

Flat pricing regardless of monthly active users

$29/mo

Standard tier; HA + Infinispan on Business+

OIDC + SAML

Full protocol coverage plus identity brokering

MFA + WebAuthn

TOTP, WebAuthn/passkeys, SMS, email OTP all included

Key features

Everything Keycloak ships with, running on our stack.

  • SSO via OpenID Connect, OAuth 2.0, and SAML 2.0
  • Identity brokering — aggregate Google, Microsoft, GitHub, Facebook, custom OIDC/SAML IdPs
  • User federation with LDAP and Active Directory (read-write sync)
  • Fine-grained authorisation with policies, permissions, and scopes
  • Multi-factor authentication: TOTP, WebAuthn/passkeys, SMS, email OTP
  • Multi-realm architecture — one Keycloak, many tenants
  • Customisable login themes, email templates, and authentication flows
  • User self-service: registration, forgot password, account console, sessions
  • Custom Java + JavaScript authenticators via SPI extensions
  • Full data export — realm JSON, user database, event log on demand
How it deploys

From subscribe to live in minutes.

1

Subscribe

Subscribe to ManageStacks through your AWS, Azure, or GCP marketplace.

2

Provision

Keycloak spins up on Quarkus with Postgres, tuned JVM heap, SSL, and Grafana monitoring — typically 3-5 minutes.

3

Configure realm

Create your first realm (tenant), add clients (applications), configure IdPs (LDAP/AD, Google, Microsoft, custom), and set up authentication flows.

4

Integrate apps

Point your applications at the Keycloak endpoint via OIDC or SAML. Users log in through Keycloak; token issuance and MFA all handled.

Who this is for

Built for teams that want Keycloak to just work.

SaaS products past the Auth0 free tier

You've hit the MAU cliff on Auth0 or Okta and don't want to pay per-user forever. Keycloak on ManageStacks is flat-priced OIDC + SAML with the same protocol surface — migration is a one-time realm export/import.

B2B multi-tenant apps

You need identity brokering — each customer brings their own SAML or OIDC IdP, and you need one login surface. Keycloak's realm-per-tenant model + identity brokering handles this natively.

Regulated industries (financial, healthcare, gov)

You need identity infrastructure in your own cloud region with full audit trails and data residency. Auth0's SaaS-in-vendor-cloud model is a non-starter; Keycloak on ManageStacks in your VPC is the alternative.

Compliance & compatibility

What we handle, what Keycloak runs on.

Compliance & operations

  • Automated SSL/TLS via Let's Encrypt with custom-domain support
  • Daily encrypted Postgres backups stored in a separate region
  • Point-in-time recovery within the retention window
  • OS-level and Keycloak security patches applied during your maintenance window
  • GDPR data-residency — user data stays in your chosen cloud region
  • Event log (login, admin, user actions) with configurable retention for audit

Compatibility

Version
Latest Keycloak stable on Quarkus (25.x+) validated before release
Runtime
Keycloak on Quarkus (JVM 17+) on containerised infrastructure
Dependencies
PostgreSQL 15, Infinispan for HA session replication
Min. resources
1 vCPU / 2 GB RAM (dedicated); more for HA setups
How ManageStacks helps

We handle the parts you shouldn't be writing yourself.

ManageStacks deploys Keycloak with its Postgres backing database, optimised Quarkus + JVM settings, and automated SSL. We handle HA clustering with Infinispan session replication, database backups, custom theme + extension deployment, and version upgrades so your applications have a reliable, tenant-owned identity provider that scales past Auth0 pricing without vendor lock-in.

How it compares

Keycloak on ManageStacks vs the alternatives.

How Keycloak on ManageStacks compares to the two dominant identity-as-a-service vendors and running Keycloak yourself.

Comparison of Keycloak on ManageStacks against publicly-documented alternatives across deployment model, data residency, pricing basis, custom domain support, open-source status, and data export.
PropertyKeycloak on ManageStacksUsAuth0Okta Customer IdentitySelf-hosted Keycloak
DeploymentManaged on your AWS, Azure, or GCPVendor-hostedVendor-hostedYou provision + operate
Data residencyYour cloud regionVendor infrastructure (region choice)Vendor infrastructureYour cloud region
Pricing basisFlat per instancePer monthly active user (MAU)Per MAU (customer identity SKU)Your compute cost
MAU limitUnlimitedMetered by tierMetered by tierUnlimited
Open sourceYes (Apache 2.0)No (proprietary)No (proprietary)Yes (Apache 2.0)
Identity brokeringNative (LDAP/AD/OIDC/SAML)Included on paid tiersIncludedNative (LDAP/AD/OIDC/SAML)

Comparison focuses on architectural properties (deployment model, pricing basis, open-source status) that don't change with vendor pricing pages. Verify current pricing on each vendor's own site.

FAQ

Common questions about Keycloak on ManageStacks.

How long does it take to deploy Keycloak on ManageStacks?
Under 5 minutes for the platform. ManageStacks provisions Keycloak on the Quarkus runtime with a Postgres backing DB, optimised JVM heap, SSL, monitoring, and backups automatically. First realm + first client (application) setup is another 10-20 minutes through the admin console.
How does this compare to Auth0 or Okta?
Auth0 and Okta are priced per monthly active user (MAU) — free/cheap under 1,000 MAU, then it scales fast (typically $23-140+ per 1,000 MAU depending on features). ManageStacks Keycloak is a flat $29 per instance regardless of MAU. For SaaS products beyond ~1,000-2,000 MAU, self-hosted Keycloak on ManageStacks is materially cheaper — often 10-30x by 10,000 MAU. Auth0 and Okta are worth it if you specifically want their fraud detection, universal login UX, or vendor-managed compliance stance. Otherwise Keycloak is the same protocol set (OIDC + SAML) at flat pricing.
Can I connect Keycloak to my existing LDAP or Active Directory?
Yes. Keycloak's user federation supports LDAP and Active Directory in read-only, read-write, and one-way sync modes. Users can log in with their existing corporate credentials; group/role mappings sync into Keycloak. Configure through the admin console after deployment.
Does ManageStacks handle Keycloak version upgrades?
Yes. Keycloak major-version upgrades involve database schema migrations (Liquibase-managed) and occasional API/theme changes. We test each release, run migrations on a clone of your realm database, and coordinate the cutover. Zero-downtime upgrades on HA plans (rolling update across replicas).
Is Keycloak safe for production identity at scale?
Yes. On Business+ plans we deploy Keycloak in HA mode — multiple replicas with Infinispan-based session replication behind a load balancer. This handles thousands of authentication requests per second and survives replica failures without user re-login. Postgres replica + PITR keeps the realm data safe.
Can I use custom themes and authentication flows?
Yes. Custom themes (login page, email templates, account console) install through the standard Keycloak theme directory and persist across updates. Custom authenticators (Java or JavaScript SPI implementations) install as JARs. Business+ plans support private Git-based theme + extension deployment.
Does Keycloak support passkeys / WebAuthn?
Yes. WebAuthn is a first-class second factor in Keycloak — users can register passkeys (platform authenticators like Touch ID/Windows Hello) or roaming authenticators (YubiKey). Set WebAuthn as required, optional, or an alternative to TOTP through the authentication flow.
What if I want to move off ManageStacks?
Full realm export as JSON (users + roles + clients + IdPs + flows) via the admin console or CLI; full Postgres dump for the underlying schema. Keycloak is Apache-licensed and portable. Import into any Keycloak deployment. Migration off is a supported operation.

Deploy Keycloak in under 5 minutes.

Subscribe through your AWS, Azure, or GCP marketplace. We handle provisioning, SSL, monitoring, backups, updates, and security. From $29/app/month.