SSO Refresh
Keycloak vs Authentik
I wrote a custom LDAP server that returns the current set of users from Azure AD B2C. This works for both Authentik and Keycloak to ingest the current user base (minus passwords).
In Authentik we can run the import once, then disable user syncing and retain the users in the database. On first login Authentik does a bind towards the LDAP server to verify the password, then writes the password back to the local user, thus completing their migration.
Keycloak doesn't store the password locally when the user is set as an LDAP user, and disabling the LDAP integration disables the user. There is, however, the possibility of using a custom REST service to do the password migration instead, though I haven't written this yet.
Overall the two are broadly similar. The configuration in Keycloak is nicer as it has real support for "organisations" that you tie to auth sources and email domains. In Authentik this requires a manual redirect to each source based on the email domain, using a lookup in a Python expression policy, but it's doable. In both cases a local user is created which can hold the permission strings etc.
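The "verify against the old source on first login, then write the password back locally" flow described above, as an added Python sketch (not code from this post, Authentik or Keycloak). The LDAP bind is simulated with a constructed in-memory directory standing in for the custom LDAP server, the local store hashes with PBKDF2-HMAC-SHA256, and the names (`import_users`, `authenticate`, `retire_legacy_source`) are assumptions. The point it shows is the state transition: an unmigrated user is only ever checked against the legacy source, a migrated user only against the local hash, so the legacy source can be switched off once everyone has logged in.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for the custom LDAP server: username -> password.
# A real deployment would perform an LDAP simple bind here instead.
LEGACY_DIRECTORY: Dict[str, str] = {
    "alice@example.com": "correct horse battery staple",
}

# PBKDF2 iteration count (assumption; tune for your hardware).
PBKDF2_ROUNDS = 200_000


def legacy_bind(username: str, password: str) -> bool:
    """Simulated LDAP bind: True only if the legacy source accepts the credentials."""
    expected = LEGACY_DIRECTORY.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def retire_legacy_source() -> None:
    """Simulates disabling the LDAP integration after the migration is complete."""
    LEGACY_DIRECTORY.clear()


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class LocalUser:
    username: str
    salt: Optional[bytes] = None
    digest: Optional[bytes] = None
    migrated: bool = False  # False until the password has been written locally


@dataclass
class LocalStore:
    users: Dict[str, LocalUser] = field(default_factory=dict)


def import_users(store: LocalStore, usernames) -> int:
    """One-off import of the user list (without passwords), as the LDAP sync does."""
    count = 0
    for name in usernames:
        if name not in store.users:
            store.users[name] = LocalUser(username=name)
            count += 1
    return count


def authenticate(store: LocalStore, username: str, password: str) -> bool:
    """Login check with just-in-time password migration.

    Unmigrated users are verified against the legacy source; on success the
    password is hashed into the local store and the user is marked migrated.
    Migrated users are verified locally only, so the legacy source is no longer needed.
    """
    user = store.users.get(username)
    if user is None:
        return False
    if user.migrated:
        _, digest = hash_password(password, user.salt)
        return hmac.compare_digest(digest, user.digest)
    if not legacy_bind(username, password):
        return False  # wrong password: nothing is written locally
    user.salt, user.digest = hash_password(password)
    user.migrated = True
    return True
```

A real implementation would also record when the last unmigrated user remains, since only users who actually log in get migrated; the rest still need a reset flow once the legacy source is gone.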
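The email-domain lookup that such an expression policy needs, as an added Python example (not from this post and not Authentik's own policy code; the `DOMAIN_SOURCES` mapping, the source slugs and the function names are constructed for illustration). It normalises the address, rejects malformed input rather than guessing, and optionally walks up parent domains so that mail subdomains route to the same source; in an actual Authentik policy the email would come from the flow context and the returned slug would drive the redirect.

```python
from typing import Dict, Optional

# Constructed mapping of email domain -> authentication-source slug.
DOMAIN_SOURCES: Dict[str, str] = {
    "example.com": "azure-ad-example",
    "partner.example": "saml-partner",
}


def email_domain(email) -> Optional[str]:
    """Return the lowercase domain part of an address, or None if it is not well-formed."""
    if not isinstance(email, str):
        return None
    local, sep, domain = email.strip().rpartition("@")
    # Reject missing '@', empty local/domain parts, a second '@' in the local
    # part, whitespace in the domain, and empty labels such as ".example.com".
    if not sep or not local or not domain or "@" in local:
        return None
    domain = domain.lower()
    if any(ch.isspace() for ch in domain):
        return None
    labels = domain.split(".")
    if any(label == "" for label in labels):
        return None
    return domain


def source_for_email(
    email,
    mapping: Dict[str, str] = DOMAIN_SOURCES,
    default: Optional[str] = None,
    match_parents: bool = True,
) -> Optional[str]:
    """Pick the auth source for an address.

    With match_parents=True, "mail.example.com" falls back to "example.com".
    The bare top-level label is never tried, and unknown domains return `default`
    so the caller decides whether that means a local login or a denial.
    """
    domain = email_domain(email)
    if domain is None:
        return default
    labels = domain.split(".")
    candidates = [domain]
    if match_parents:
        candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for candidate in candidates:
        if candidate in mapping:
            return mapping[candidate]
    return default
```

Routing only selects which source is asked to authenticate; it grants nothing by itself, which is why an unknown domain is safer as an explicit default than as a silent fallthrough.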
- Authentik has the nicer (customer-facing) UI
- Keycloak feels faster (as a user logging in), Authentik has more spinning wheels along the way
- Resource utilisation is about even between the two (500 MB RAM per instance)
- Keycloak has nicer admin lockdown, in that only certain user-facing paths need to be exposed to the internet while keeping admin resources behind Tailscale. Authentik doesn't differentiate and recommends just using 2FA and being happy.
- API for user management seems broadly similar between the two (new implementation required for Authentik)
- Support for newer auth tech like Passkeys and WebAuthn seems nicer in Authentik, but I didn't look too closely yet
- Authentik requires more clicking around in the GUI to accomplish things, and it's unclear how/where it's all stored, but the customisation possibilities are greater (writing Python inline for policies and mappers while Keycloak requires Java plugins)
- Upgrades are scary in either setup (no downgrade supported, requires disaster recovery to roll back)