Authentik vs. Authelia vs. Keycloak 2026: The Ultimate SSO Comparison for Self-Hosters

May 7, 2026
Timo Wevelsiep
authhost

Authentik, Authelia, and Keycloak head-to-head: architecture, features, resource usage, setup complexity, security, and use cases. For homelabs, SMBs, and enterprise.

Content notice: The information in this article was compiled to the best of our knowledge at the time of publication. Technical details, pricing, versions, licensing models and external content are subject to change. Please verify the information independently, especially before making business-critical or security-relevant decisions. This article does not constitute individual professional, legal or tax advice.

Three open-source tools, three fundamentally different philosophies. Authelia is the lean auth gateway for reverse proxies – one container, 25 MB RAM, running in 2 minutes. Authentik is the modern, complete identity provider with visual flow engine and all major protocols – the self-hosted Okta alternative. Keycloak is the enterprise heavyweight from Red Hat – powerful, mature, but resource-hungry and complex. Which tool is right for your setup depends not on "better or worse" but on use case, team expertise, and scaling requirements.

Also worth reading: Authentik vs. Authelia 2026: Head-to-Head Comparison · Keycloak Alternative for SMBs


Quick Comparison: Three Identity Providers at a Glance

Criterion Authentik Authelia Keycloak
Type Full IdP Auth gateway Enterprise IAM
Language Python/Django + TS Go + React Java + Quarkus
OIDC/OAuth2 ✓ (certified)
SAML 2.0 ✓ Provider ✗ (roadmap) ✓ Provider + Broker
LDAP server ✓ (outpost) ✗ (backend only) ✓ Federation
SCIM ✓ (with extension)
Application proxy ✓ (forward auth)
Flow engine ✓ (visual) ✗ (Authentication Flows in YAML/code)
Multi-realm Single tenant + customers ✓ (realms)
Docker image ~336 MB ~25 MB ~253 MB
RAM (idle) ~150–200 MB ~25 MB ~1,250 MB+
License MIT Apache 2.0 Apache 2.0
First version 2018 2016 2014
GitHub stars ~21,400 ~27,700 ~34,300
Contributors 540+ ~290 12,000+ (CNCF ecosystem)
CNCF status Incubating (since April 2023)
Known CVEs 26 (5 critical, 13 high) 5 (0 critical, 1 high) 50+ (long history, broad scope)
Managed hosting ✓ (authhost) ✓ (multiple providers)

Authelia: The Lean Auth Gateway

Market Position

Authelia (written in Go, since 2016) is not an identity provider in the classical sense – it's a forward-auth gateway that sits in front of a reverse proxy (Nginx, Traefik, Caddy, HAProxy) and enforces login + MFA before requests reach the actual application. In May 2025, Authelia became OpenID Certified.

Strengths

  • Extremely lightweight: Single binary, ~25 MB RAM, container ~25 MB
  • Fast setup: One container, one YAML file, productive in 2 minutes
  • Secure: Argon2 hashing default, only 5 GHSA advisories (1 high, 0 critical) in the entire project history
  • Forward-auth specialist: Seamless integration with all major reverse proxies
  • MFA methods: TOTP, WebAuthn/Passkeys, Duo Push, Email
  • Open Source: Apache 2.0, no vendor lock-in

Limitations

  • No SAML provider: Has been on the roadmap for years (Issue #493), as of May 2026 not implemented
  • No LDAP server: Authelia can use LDAP as backend for authentication but cannot provide an LDAP service
  • No SCIM provisioning: Manual onboarding/offboarding
  • No RADIUS: No network authentication for VPN/WiFi/switches
  • No application proxy: Apps without native SSO support cannot be secured
  • No graphical admin UI: Configuration only via YAML, no user management interface
  • No user self-service: End users cannot manage MFA themselves (besides password reset)

Ideal Use Cases

  • Homelabs with 3–10 web apps
  • Small self-hosting setups with Nginx/Traefik
  • Edge authentication in front of publicly exposed services
  • Setups where MFA enforcement is the main need

Authentik: The Modern Identity Provider

Market Position

Authentik (Python/Django + TypeScript frontend, since 2018) positions itself as the self-hosted Okta alternative: complete identity provider with all major protocols, a visual flow engine as a unique selling point, and a modern admin UI. Developed by Authentik Security, Inc. (Public Benefit Corporation since 2022, Open Core Ventures-backed) – with a commercial Enterprise Edition since 2024 (pricing update in early 2025). Current version: 2026.2.x.

Strengths

  • Complete protocol support: OIDC, OAuth2, SAML 2.0, LDAP, SCIM, RADIUS, Kerberos
  • Flow engine: Visually model authentication flows – stages, policies, providers via drag-and-drop, no code
  • Application proxy: SSO for applications that don't speak OIDC or SAML, without app modification
  • Modern admin dashboard: Clear, intuitive, suitable for non-technical admins
  • MFA variety: TOTP, WebAuthn/Passkeys, SMS, Email OTP, Mobile Push
  • Conditional access: GeoIP checks, impossible travel detection, device posture, reputation scoring
  • SCIM provisioning: Automatic on-/offboarding from HR systems
  • Open Source: MIT license for Community Edition, commercially usable

Limitations

  • Higher resource needs: ~250–350 MB RAM total stack (Authentik + PostgreSQL; no Redis since release 2025.10)
  • No native multi-realm: Tenants exist but not as deep as Keycloak realms
  • 26 reported GHSA advisories (5 critical, 13 high): more than Authelia, due to larger codebase and admin UI as attack surface
  • More complex initial setup: Multiple containers (server, worker, optional outposts), 15–20 min Docker Compose

Ideal Use Cases

  • SMBs with 20–500 employees and mixed application portfolio
  • Setups with legacy applications requiring application proxy
  • Customer-facing IdP integration
  • Companies with compliance requirements needing conditional access
  • Organizations focused on GDPR who don't want a US cloud IdP

Keycloak: The Enterprise Heavyweight

Market Position

Keycloak (Java + Quarkus, since 2014, originally from JBoss/Red Hat) is the oldest of the three projects and the only one in CNCF Incubating Status (since April 10, 2023). Actively maintained by Red Hat – the commercial version is "Red Hat build of Keycloak". Current version: 26.6.1 (April 2026).

Strengths

  • Greatest maturity and stability: Over 10 years of development, 12,000+ contributors in the CNCF ecosystem (LFX Insights; direct repo: ~1,800)
  • Multi-realm architecture: Multiple isolated identity worlds in one instance – ideal for multi-tenant SaaS
  • Native LDAP/AD federation: Deep integration with Active Directory
  • Identity brokering: Chaining multiple external IdPs as frontend for applications
  • Authorization Services: Fine-grained RBAC and Resource-Based Access Control (UMA 2.0)
  • Social login: Out-of-the-box integration with Google, Facebook, GitHub etc.
  • Theming and customization: Fully customizable
  • Red Hat support: Commercial enterprise support available
  • CNCF project: Strategically well-positioned for long-term stability

Limitations

  • High resource requirements: Per Red Hat documentation at least 1,250 MB RAM for base configuration with 10,000 cached sessions; in production typically 2–4 GB
  • CPU sizing: 1 vCPU per 15 password logins/second (Red Hat recommendation) plus 150% headroom
  • Steep learning curve: Realms, clients, roles, mappers, authentication flows in YAML/code – admin console considered overloaded
  • Java stack: JVM tuning (heap, garbage collector, MaxRAMPercentage) is part of daily operations
  • Risky updates: Major updates regularly bring breaking changes – familiar to many Keycloak admins
  • No native SCIM support: Only via extensions
  • Heavyweight container: ~253 MB image (with significantly higher RAM footprint at runtime)
  • Memory grows over time: Known behavior in long-running deployments (Issue #28211)

Ideal Use Cases

  • Large corporations with many subsidiaries (multi-realm)
  • B2B SaaS with complex tenant structures
  • Companies with deep Active Directory integration
  • Organizations needing identity brokering
  • Teams with existing Java and Red Hat expertise
  • KRITIS operators needing tier-1 support

Architecture Comparison

Authelia: Forward-Auth Layer

User ──► Reverse Proxy (Traefik/Nginx) ──► Authelia (auth check) ──► App
                                                  │
                                            MFA, Session, OIDC

Authelia decides per request whether the user can pass. The app behind the proxy knows nothing about the user – except what's passed via HTTP headers.
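The per-request decision described above, as an added illustrative model (not Authelia's own code): access-control rules are matched in order by host and subject, the first match yields a policy, and the reverse proxy gets back 200 with identity headers, 401 (send the user to the login portal) or 403. The hosts, the example rules and the treatment of anonymous visitors against subject rules are this example's assumptions.

```python
from dataclasses import dataclass

# Authentication level of the current session (Authelia's terminology)
ANON, ONE_FACTOR, TWO_FACTOR = 0, 1, 2
REQUIRED = {"bypass": ANON, "one_factor": ONE_FACTOR, "two_factor": TWO_FACTOR}

@dataclass
class Session:
    user: str = ""            # "" = anonymous visitor
    groups: tuple = ()
    level: int = ANON

@dataclass
class Rule:
    domain: str               # exact host or wildcard such as "*.example.test"
    policy: str               # bypass | one_factor | two_factor | deny
    subjects: tuple = ()      # ("group:admins", "user:alice"); empty = anyone

def domain_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def subject_matches(rule: Rule, s: Session) -> bool:
    if not rule.subjects:
        return True
    if not s.user:
        # Assumption of this model: an anonymous visitor matches a subject
        # rule so that it is sent to log in and the rule is re-evaluated.
        return True
    for subj in rule.subjects:
        kind, _, name = subj.partition(":")
        if (kind == "user" and s.user == name) or (kind == "group" and name in s.groups):
            return True
    return False

def forward_auth(rules, default_policy: str, host: str, s: Session):
    """Return (HTTP status, identity headers) as the reverse proxy sees them.
    200 lets the request through, 401 means 'go to the login portal', 403 denies."""
    policy = default_policy
    for r in rules:                       # first matching rule wins
        if domain_matches(r.domain, host) and subject_matches(r, s):
            policy = r.policy
            break
    if policy == "deny":
        return 403, {}
    if s.level < REQUIRED[policy]:
        return 401, {}
    if policy == "bypass" or not s.user:
        return 200, {}                    # the app learns nothing about the user
    return 200, {"Remote-User": s.user, "Remote-Groups": ",".join(s.groups)}

# Constructed example rule set: a public app, an admin app restricted to the
# admins group with 2FA (explicit deny for everyone else), 1FA for the rest.
EXAMPLE_RULES = [
    Rule("public.example.test", "bypass"),
    Rule("admin.example.test", "two_factor", ("group:admins",)),
    Rule("admin.example.test", "deny"),
    Rule("*.example.test", "one_factor"),
]
```

Note the explicit deny rule after the subject rule: without it, a non-admin would fall through to the wildcard one_factor rule and reach the admin app.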

Authentik: Central Identity Platform

User ──► Authentik (Login, MFA, Flow Engine) ──► Token/Session
                    │
        ┌───────────┼───────────┬──────────────┐
        ▼           ▼           ▼              ▼
   OIDC App    SAML App    LDAP Device    Proxy App

Authentik is the central place where applications authenticate. Apps speak directly with Authentik via OIDC, SAML, LDAP, or application proxy.

Keycloak: Multi-Realm Federation

User ──► Keycloak Realm A ──► OIDC/SAML
              │
       LDAP/AD Federation     ┌── App 1 (Realm A)
              │              │
       Identity Brokering ────┼── App 2 (Realm B, own users)
              │              │
       Authorization Services └── External IdP (Google, Azure AD)

Keycloak manages multiple isolated identity worlds ("realms") in parallel. Each realm has its own users, groups, clients, and policies. Identity brokering chains external IdPs.


Resources and Performance

Memory and CPU Usage

Component | Authelia | Authentik | Keycloak
Docker image | ~25 MB | ~336 MB | ~253 MB
RAM (app, idle) | ~25 MB | ~150–200 MB | ~1,250 MB
PostgreSQL | ~100 MB (or SQLite) | ~100–150 MB | ~200 MB
Redis | Optional | Not needed (since release 2025.10) | Optional (Infinispan)
RAM total (idle) | ~125 MB | ~250–350 MB | ~1,450–2,000 MB+
CPU (idle) | <1% | 1–3% | 3–8%
Recommended server | 1 vCPU, 1 GB RAM | 2 vCPU, 2 GB RAM | 4 vCPU, 8 GB RAM

Source: Red Hat documentation for Keycloak sizing, Cerbos and elest.io for comparisons.

Scaling

  • Authelia: Horizontally scalable since it is stateless; all three tenant forms are handled by the reverse proxy setup
  • Authentik: Horizontally scalable via worker containers and outposts; shared state via PostgreSQL instead of Redis since release 2025.10
  • Keycloak: Cluster mode with Infinispan, designed for hundreds of pods – but memory grows over time, regular restarts recommended

Setup Complexity

Setup Time (from Docker Compose start to working login)

Tool | Time | Complexity
Authelia | 2–10 minutes | Low (1 container + YAML)
Authentik | 15–20 minutes | Medium (3–4 containers, admin UI setup)
Keycloak | 30–60 minutes | High (realms, clients, mappers, authentication flows)

Configuration Model

Authelia: YAML file. Every change requires reload/restart. No web UI for configuration.

Authentik: Configuration via web UI. Flows visually via drag-and-drop. Changes take effect immediately.

Keycloak: Configuration via admin console or admin CLI. Complex data model (realms → clients → mappers → authentication flows → policies). Steep learning curve.

Tooling

  • Authelia: Helm charts, Docker Compose, Kubernetes operator
  • Authentik: Docker Compose officially supported, Helm charts community-maintained
  • Keycloak: Official operator, Helm charts, Red Hat OpenShift templates

Security

CVE History

Tool | CVEs (as of 2026) | High/critical | Main attack surface
Authelia | 5 GHSA | 1 high (0 critical) | Auth bypass
Authentik | 26 GHSA | 18 (5 critical, 13 high) | Admin UI, Flow Engine
Keycloak | 50+ (long history) | many | Admin console, REST APIs, OIDC flows

The low Authelia number primarily results from the smaller attack surface – no admin UI, no multi-protocol stack, lean feature set (as of May 2026: zero criticals). Keycloak's 50+ CVEs span 10+ years and are comparable to other enterprise IAM solutions.

Hardening Recommendations

  • Authelia: Secure by default, Argon2 hashing default. Little to harden.
  • Authentik: Restrict admin UI via ACL, enable posture checks, encryption at rest for PostgreSQL.
  • Keycloak: JVM tuning, check realm isolation, audit SPI extensions, regular major update tests.

License and Community

License Models

  • Authelia: Apache 2.0 – pure community, no enterprise edition, 3 main maintainers in spare time
  • Authentik: MIT for Community Edition (content outside enterprise/), commercial Enterprise Edition since 2024 ($5/user/month + $0.02/external user; pricing update in early 2025) – developed by Authentik Security, Inc.
  • Keycloak: Apache 2.0, supported by Red Hat (commercial variant: Red Hat build of Keycloak), CNCF Incubating Project

Community Size (May 2026)

Tool | GitHub Stars | Contributors | Active Maintainers
Authelia | ~27,700 | ~290 | 3 (spare time)
Authentik | ~21,400 | 540+ | Company (Authentik Security, Inc.)
Keycloak | ~34,300 | 12,000+ (CNCF ecosystem; repo: ~1,800) | Red Hat + CNCF

Decision Matrix

Choose Authelia when:

  • You run a homelab with 3–10 apps
  • Resources are tight (Raspberry Pi, mini-PC, NAS)
  • You only need login + MFA in front of a reverse proxy
  • You don't need a web UI for configuration
  • You're comfortable with YAML configuration

Choose Authentik when:

  • You have 20+ users and a mixed app portfolio
  • You need SAML 2.0 for Microsoft 365, Salesforce, or AWS SSO
  • You need an LDAP server for NAS, firewall, or network devices
  • You want SCIM provisioning for automatic on-/offboarding
  • You need application proxy for legacy apps without native SSO
  • You want a modern web UI for admins and end users
  • You need conditional access with GeoIP/impossible travel

Choose Keycloak when:

  • You need deep Active Directory integration
  • You manage multiple tenants with real realm separation
  • You use identity brokering with many external IdPs
  • You need Authorization Services / UMA 2.0
  • You have a Java team and Red Hat support
  • You're a KRITIS operator needing a tier-1 vendor
  • Memory and setup overhead are not obstacles

authhost: Managed Authentik Without Operations Overhead

If you want to run Authentik in production without worrying about updates, backups, monitoring, and scaling, use authhost:

  • Dedicated Authentik instance in 8 regions worldwide
  • Germany: ISO 27001 & BSI C5 certified data centers
  • Other regions: ISO 27001 & SOC 2 Type II
  • Flat-rate pricing from €34.90/month (annual), no per-user fees
  • Setup in minutes via the merkaio self-service portal

Try it now: merkaio self-service portal · 7 days free.


Conclusion

There is no "best" SSO tool – only the right one for your context.

Authelia is the rational choice for homelabs and small setups. Anyone coming from resource-conscious self-hosting will be well-served by Authelia in 90% of cases.

Authentik is the pragmatic choice for SMBs and growing companies. It offers 80% of Keycloak functionality with significantly lower complexity – and with the Flow Engine, even capabilities Keycloak doesn't have.

Keycloak is the strategic choice for enterprise setups with high complexity, multi-realm requirements, and Java expertise. It remains the gold standard for IAM in large corporations – with everything that comes with the learning curve and resource needs.

For most SMBs and self-hosters choosing between the three, Authentik is the sweet spot – and with authhost, operable even without DevOps overhead.

Recommended reading: Authentik vs. Authelia 2026: Head-to-Head Comparison · Keycloak Alternative for SMBs


Frequently Asked Questions

What's the fastest path to single sign-on for a self-hosting setup?
For pure login enforcement with MFA in front of a reverse proxy: Authelia. One container, ~25 MB RAM, running in 2 minutes. Once you need SAML, LDAP server, SCIM, or a graphical flow engine: Authentik. For complex enterprise IAM with multi-realm and identity brokering: Keycloak.
Which identity provider uses the least resources?
Authelia is by far the lightest: ~20–25 MB RAM, single Go binary. Authentik needs ~150–200 MB RAM (Python/Django + PostgreSQL; no Redis since release 2025.10). Keycloak requires at least 1,250 MB RAM for the base configuration per Red Hat documentation – in production typically 2–4 GB.
Which provider is best documented and most mature?
Keycloak is the oldest project (since 2014), developed by Red Hat, has been a CNCF Incubating Project since April 2023, and has ~34,000 GitHub Stars and over 12,000 contributors in the CNCF ecosystem (LFX Insights). Authelia (~27,700 stars) and Authentik (~21,400 stars) are younger but both stable and production-ready.
Which has the fewest security vulnerabilities?
Authelia has historically reported only 5 GHSA advisories (1 high, 0 critical) – primarily due to a smaller attack surface (no admin UI, lean feature set). Authentik has 26 GHSA advisories (5 critical, 13 high), Keycloak significantly more due to long history and broad scope. More features = more attack surface.
When should I choose Keycloak over Authentik?
When you need multi-realm architecture, deep LDAP federation with Active Directory, identity brokering with many external IdPs, or fine-grained Authorization Services. Also if your team already has Java expertise and you need Red Hat support.
When is Authelia enough and when do I need Authentik?
Authelia is enough when you only need login + MFA in front of a reverse proxy for a handful of web apps – typical for homelabs or small self-hosting setups. You need Authentik as soon as: SAML for Microsoft 365 or Salesforce, LDAP server for NAS/firewall, SCIM for automatic onboarding, application proxy for legacy apps, or a complete user management dashboard.
What is authhost?
authhost is Managed Authentik Hosting from merkaio. Dedicated instances hosted in 8 regions worldwide. Germany: ISO 27001 & BSI C5 certified data centers. Flat rate from €34.90/month, no per-user fees, no licensing overhead. You get full Authentik functionality without operational burden.
Can I switch between the tools later?
Yes, all three support OIDC/SAML as standard protocols, so applications remain compatible. But migration means: recreating or syncing users, reconfiguring applications, invalidating sessions. There are no official auto-migration tools between the three – but the authhost team supports planning.

Written by

Timo Wevelsiep

Founder, merkaio

Founder of merkaio. Managed Authentik Identity Hosting. Focus on identity management, SSO and zero trust architecture.
