Gluu Blog

Follow us:
Back to Blog

Gluu versus Keycloak

Mike S. May 4, 2018

    From time to time we are asked how Gluu compares to other open source identity & access management (IAM) products. Keycloak is coming up more and more these days, so it’s expedient to simply publish our thoughts.

    Open source checklist

    At Gluu we define an open source product as four things: code, binaries, docs, and support. Here are our thoughts relative to Keycloak:

  1. Source code – Both Gluu and Keycloak release source code under a FOSS license.
  2. Versioned binaries – Keycloak releases .zip files, but no .rpm or .deb packages. Gluu releases versioned packages for all major operating systems including Ubuntu, Debian, Centos and RHEL.
  3. Documentation – Both Keycloak and Gluu publish publicly comprehensive documentation.
  4. Community Support – Keycloak has a mailing list, IRC, and a JIRA. Gluu offers a support portal where our engineers have helped troubleshoot thousands of community support requests.

2FA flexibility

At the time of writing, Keycloak is limited to using Google Authenticator or FreeOTP for two-factor authentication (2FA).

Gluu ships with support for many 2FA options, including FIDO, OTP, our own push-notification mobile app, Super Gluu, certificates and more. In addition, Gluu can be extended to support custom authenticators and logic using custom authentication interception scripts.

SCIM support

Gluu supports System for Cross-domain Identity Management (“SCIM”), an open standard for provisioning and de-provisioning identity data in cloud-based applications and services. When coupled with OAuth 2.0, OpenID Connect, SAML, and FIDO, this stack offers a powerful and modern solution for IAM.

Keycloak does not currently support SCIM.

UMA 2.0 support

Gluu has been an early adopter of the User Managed Access (“UMA”) profile of OAuth 2.0. We see UMA as an important standard for enterprise access management. At the time of writing, Gluu is the only vendor with software for all three UMA components: Authorization Server (token endpoint and authorization endpoint), Client, and Resource Server.

Keycloak implements the Authorization Server token endpoint, but does not currently support the authorization endpoint or have UMA Client or Resource Server software.


Keycloak ships with its own embedded Java-based relational database called H2, which, according to the docs, “only exists so that you can run the authentication server out of the box. The H2 database is not very viable in high concurrency situations and should not be used in a cluster either.”

Gluu ships with the Gluu OpenDJ LDAP server, a production ready persistence mechanism. Out of the box Gluu can be clustered to handle large user populations and high concurrency situations. The performance of any IAM service is heavily dependent on its underlying database. By focusing on specific technologies, Gluu engineers can offer customers more hands on support and guidance for achieving their desired performance objectives.

EOL concerns

Ultimately, one of our concerns is that Red Hat could end-of-life (EOL) Keycloak. It has happened in the past with good products like Penrose, the open source virtual directory server. When the profit derived from a product like Keycloak is insignificant, it can have an adverse effect on a company’s long term commitment to the project.

IAM products are hard to support… will Red Hat scale support for Keycloak? Does IAM become more of a liability then a profit opportunity? There can be misalignment between return on equity–Red Hat’s duty to shareholders–and the best interest of the community. Sometimes writing great software is the best thing for investors. Sometimes pulling the plug is better.

The Gluu Server is our flagship product and where the majority or our resources are invested. We have a long term vision of the market and commitment to the product and business.


At Gluu, our goal is to deliver the most innovative, flexible, and scalable IAM platform with the lowest total cost of ownership. So far we think our focus on innovation and easy deployment has delivered more features and a better platform.

That said, rarely is there a one-size-fits-all solution for technology problems. IAM is a horizontal market, and both Gluu and Keycloak are contributing to the open source ecosystem.

The right platform depends on many factors, both business and technical. For some organization’s it’s Gluu. For others it’s something else. The only way to determine what’s right for your organization is to roll up your sleeves and test your options!

Feedback welcome!

If Red Hat, the Keycloak team, or any community members have feedback about the opinions presented here, just tweet @gluufederation, or leave comments here!

Be sure to subscibe to
our RSS Feed

Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summity (now "Identiverse") and many other security conferences around the world.