Keycloak
Keycloak is an open-source Identity & Access Management (IAM) platform. It replaces Azure Active Directory / Microsoft Entra ID and provides Single Sign-On (SSO) for all business applications — hosted on your own servers, with no dependency on Microsoft.
What does Keycloak replace?
| Microsoft Product | Keycloak Equivalent |
|---|---|
| Azure Active Directory (Entra ID) | Keycloak Realm |
| Azure SSO | Keycloak SSO (OIDC / SAML) |
| Azure MFA | Keycloak OTP / WebAuthn |
| Azure AD Groups | Keycloak Groups & Roles |
Core features
Single Sign-On (SSO)
One central login for all applications: Nextcloud, ONLYOFFICE, Element, Gitea, Odoo, Rocket.Chat and any other OIDC- or SAML-compatible application. Employees log in once — all services are then accessible without re-entering passwords.
Multi-factor authentication
Keycloak supports TOTP (Google Authenticator, Aegis), WebAuthn (YubiKey, FIDO2 hardware keys) and SMS OTP. MFA can be enforced for individual applications, user groups or all users.
User management
Centralised management of all users, groups and permissions in one interface. New employees are created once and immediately have access to all applications. When they leave, a single deactivation blocks all access simultaneously.
LDAP / Active Directory integration
Existing Active Directory directories can be synchronised into Keycloak — a seamless migration path with no data loss.
Integration
Keycloak connects with virtually any modern application:
- Nextcloud — Keycloak as OIDC provider
- Matrix/Element — SSO via OIDC
- ONLYOFFICE — SSO via SAML 2.0
- Gitea, Forgejo — OIDC login
- Grafana, Portainer — OIDC login
- Proxmox — LDAP / OIDC
Operation and hosting
Keycloak runs as a Docker container on a small Hetzner server:
```yaml
# Keycloak with Docker Compose
services:
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    environment:
      KC_DB: postgres
      # Connection to the PostgreSQL database; assumes a `db` service in the
      # same Compose file, credentials are placeholders
      KC_DB_URL: jdbc:postgresql://db:5432/keycloak
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: change-me
      # Public hostname the login page is served under (placeholder)
      KC_HOSTNAME: sso.example.com
    command: start
```
System requirements
| Users | RAM | CPU |
|---|---|---|
| ≤100 | 2 GB | 1 vCPU |
| ≤500 | 4 GB | 2 vCPU |
| >500 | 8 GB | 4 vCPU |
Keycloak can run on the same server as Nextcloud — for small teams (≤25 users) a CX21 at Hetzner (€5.83/month) is sufficient.
Migration from Azure AD
- Set up a Keycloak instance and configure the Realm
- Export users from Active Directory / Azure AD and import them
- Migrate applications to Keycloak SSO one by one (Nextcloud → Element → others)
- Enable MFA enforcement
- Cancel Azure AD licences
Tip: When migrating from Azure AD, we recommend running Keycloak in parallel with Azure AD initially. Applications are migrated step by step — so an issue with one app has no impact on other services.
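The user export/import step of the migration above, as an added example that is not part of the original page: a Python script that turns an Entra ID user export (a constructed sample using Microsoft Graph attribute names) into the JSON object that Keycloak's partial import accepts, keeping deactivated accounts disabled and forcing a new password plus TOTP enrolment at first login, since no password hashes leave Entra ID. The CSV column names and the `ifResourceExists` setting are assumptions.

```python
import csv
import io
import json

# Constructed sample of an Entra ID user export, using Microsoft Graph
# attribute names (not a real tenant's data). The last row has no UPN.
SAMPLE_EXPORT = """userPrincipalName,givenName,surname,mail,accountEnabled
Anna.Schmidt@example.com,Anna,Schmidt,anna.schmidt@example.com,True
max.mueller@example.com,Max,Müller,max.mueller@example.com,False
,,,,True
"""

# Actions Keycloak forces at the first login: no password hash comes across
# from Entra ID, and MFA enrolment happens before any application is reachable.
REQUIRED_ACTIONS = ["UPDATE_PASSWORD", "CONFIGURE_TOTP"]


def to_keycloak_user(row):
    """Map one export row onto a Keycloak UserRepresentation (or None)."""
    upn = (row.get("userPrincipalName") or "").strip()
    if not upn:
        return None  # a row without a UPN cannot become an account
    enabled = (row.get("accountEnabled") or "").strip().lower() == "true"
    return {
        "username": upn.lower(),  # Keycloak usernames are case-insensitive
        "email": ((row.get("mail") or upn)).strip().lower(),
        "firstName": (row.get("givenName") or "").strip(),
        "lastName": (row.get("surname") or "").strip(),
        "enabled": enabled,  # deactivated accounts stay deactivated
        "emailVerified": True,  # address comes from the corporate directory
        "requiredActions": list(REQUIRED_ACTIONS) if enabled else [],
    }


def build_partial_import(csv_text):
    """Return the JSON object for Keycloak's partial import, deduplicated."""
    users, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = to_keycloak_user(row)
        if user is None or user["username"] in seen:
            continue
        seen.add(user["username"])
        users.append(user)
    # SKIP: never overwrite accounts that already exist in the realm
    return {"ifResourceExists": "SKIP", "users": users}


if __name__ == "__main__":
    print(json.dumps(build_partial_import(SAMPLE_EXPORT), indent=2))
```

The printed JSON can be pasted into the Admin Console's partial import or sent to the realm's partialImport endpoint; run it in parallel with Azure AD as the tip above suggests.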