Custom IAM doesn’t have to be expensive: A practical guide to comparing managed Keycloak service providers

As digital products scale, identity and access management (IAM) quietly becomes one of the most expensive and strategically sensitive parts of the technology stack. What starts as a basic login feature evolves into a critical platform layer, governing access for employees, partners, and customers across applications, regions, and compliance boundaries.

For many growing companies, SaaS IAM platforms such as Okta or Auth0 appear to be the safe default. They are easy to adopt, well-documented, and widely trusted. However, their pricing models introduce a structural challenge: IAM costs scale directly with user growth.

In practice, SaaS IAM deployments for 10,000 users often reach $50,000-$200,000+ per year, once MFA, advanced policies, and enterprise SLAs are included. At higher scales, this spending increases predictably – but not always sustainably.

This guide explains why those costs escalate, how Keycloak changes the pricing equation, and how to compare managed Keycloak service providers using a practical, CTO-friendly framework.

How SaaS IAM and Keycloak differ

IAM platforms generally follow one of two economic models, and understanding this difference is essential before comparing prices.

SaaS IAM: licensing-centered

SaaS IAM platforms monetize identity through licenses:

• Per-user, per-employee, or per-MAU pricing
• Feature access gated by subscription tier
• Vendor-managed infrastructure
• Limited flexibility beyond platform constraints

This approach optimizes for speed and simplicity. IAM becomes a subscription service, abstracted away from infrastructure concerns. The trade-off is that IAM remains a variable cost, tightly coupled to growth.

Keycloak: architecture-centered

Keycloak follows a fundamentally different model:

• Open-source, enterprise-grade IAM
• No per-user or per-authentication licensing
• Standards-based protocols (OIDC, OAuth2, SAML, LDAP)
• Full ownership of identity architecture

Here, IAM behaves like infrastructure. Costs are driven by architecture and operations, not by how many users authenticate.

What “managed Keycloak” actually means

Adopting Keycloak does not mean building and operating IAM alone.

A managed Keycloak provider typically:

• Designs and operates production-grade Keycloak clusters
• Implements high availability, backups, and disaster recovery
• Handles upgrades, patching, and monitoring
• Supports federation, MFA, and custom authentication flows
• Provides SLAs and enterprise-grade support

For executives, this shift in IAM from unpredictable licensing to a controlled infrastructure investment is beneficial. For engineering teams, it preserves flexibility while avoiding vendor lock-in.

Understanding IAM pricing models: a decision snapshot

Before comparing specific vendors or price lists, it helps to understand what is actually being compared: a license-driven SaaS IAM, where cost scales with usage, and an architecture-driven managed Keycloak, where cost is tied to operational complexity.

This framing helps determine when a deeper, provider-level comparison is worth the effort – and when it likely isn’t.

Once the difference between these models is clear, the next step is to look at traditional SaaS IAM pricing. However, it’s worth mentioning that vendor pricing pages typically present per-user or MAU-based rates (that can change frequently), but the real cost emerges only as features, scale, and availability requirements are layered on.

Okta

• Workforce Identity: $3-15 per user/month
• Customer Identity (CIAM): $0.05-0.23 per MAU
• Advanced security and compliance require higher tiers
• Costs scale linearly with users

Auth0

• Free tier: up to 7,000 MAU
• Essentials: $35/month + MAU fees
• Professional: $240/month + MAU fees
• Scaling costs can be unpredictable for consumer workloads

Microsoft Entra ID

• Free tier with limited features
• P1: $6/user/month
• P2: $9/user/month
• Strong fit for Microsoft-centric environments

Cost examples at scale:

• 50,000 workforce users on Okta: ~$150,000-$750,000/year
• 50,000 MAU on Auth0: ~$30,000-$100,000/year

At scale, IAM shifts from a tooling decision to a recurring budget risk. Structural cost drivers include:

• Linear per-user or MAU pricing
• Feature gating for MFA, policies, and audit logs
• Vendor-controlled infrastructure margins
• Penalties for authentication spikes and seasonal growth

As IAM becomes central to customer experience, these costs compound.

How managed Keycloak pricing works

What do these prices actually cover? Any meaningful cost comparison has to start with how identity systems are actually operated in production. Managed Keycloak providers do not price identity as a unit of consumption – such as users, logins, or MAU. They price the architecture and operational footprint required to keep IAM reliable, secure, and available over time.

This approach reflects how IAM behaves in real systems. Authentication traffic is uneven, security requirements are strict, and availability expectations are high. The work involved in operating IAM depends far more on architectural choices and operational guarantees than on how many users exist in a database at a given moment.

For that reason, managed Keycloak pricing is driven by what needs to be built, monitored, and maintained, rather than by usage counters.

Architecture-based pricing: what costs are tied to

Most managed Keycloak providers base pricing on a small number of structural factors that determine operational complexity.

Infrastructure complexity

High availability is an architectural decision, not a toggle. A single-node setup, a multi-node cluster across availability zones, and a multi-region deployment all require different levels of redundancy, monitoring, and operational readiness. Disaster recovery requirements further increase the scope of what must be tested and maintained. Pricing reflects these differences because they directly affect ongoing effort.

Feature scope

Core authentication is usually straightforward. Complexity increases as additional capabilities are introduced, including:

• multi-factor authentication with conditional or step-up rules
• passwordless login using WebAuthn or magic links
• adaptive policies based on device, network, or risk signals
• identity brokering across multiple external IdPs
• custom authenticators or event listeners tied to business logic

Each of these features expands the IAM surface area. Over time, this increases the effort required to test upgrades, validate behavior across edge cases, and diagnose production issues when authentication paths diverge.

Integration requirements

IAM rarely operates in isolation. Integrations with LDAP, Active Directory, SAP, legacy SAML providers, or multiple external identity providers create long-lived dependencies. Each integration must remain compatible across Keycloak upgrades and security patches, which adds operational responsibility over time.

SLA tier

Availability guarantees materially change how IAM is run. A higher SLA implies tighter monitoring, faster detection, defined response times, and a staffed on-call process. These requirements affect how teams are organized and how incidents are handled, which is why SLA levels are a pricing dimension.

Support model

Business-hours support and continuous on-call coverage are not interchangeable. Dedicated engineers, escalation paths, and response-time commitments all influence cost, particularly in environments where IAM downtime has a direct business impact.

Why are there no per-user or MAU fees

Keycloak itself does not impose licensing limits on users or authentications. Once a production-grade architecture is in place, adding users rarely changes the operational workload in a meaningful way.

In most cases, user growth:

• does not introduce new infrastructure requirements,
• does not increase operational complexity,
• does not require renegotiation of contracts.

As long as the system was designed for the expected scale, growth primarily affects data volume, not operational effort. This allows managed providers to keep pricing stable as user counts increase.

This differs from SaaS IAM models, where cost is explicitly tied to usage metrics, regardless of whether that usage materially changes how the system is operated.

When architecture-based pricing is a good fit

Architecture-based pricing works best in environments where identity usage grows faster than operational complexity.

It is typically a strong fit when:

• user counts are already in the tens of thousands and expected to grow,
• authentication traffic is uneven or event-driven,
• IAM is customer-facing and tied directly to revenue,
• non-standard authentication or federation is required,
• cost predictability matters over multi-year horizons.

It is less compelling when user volumes are small, requirements are static, and speed of adoption outweighs long-term cost structure.

Ultimately, managed Keycloak pricing removes the direct link between user growth and cost. This makes IAM spending easier to forecast and less sensitive to product success.

Costs are shaped by architectural decisions rather than licensing tiers. Features are enabled because they are needed, not because they unlock a higher plan. For systems with large or unpredictable user bases – such as consumer platforms, marketplaces, or B2B products with many external users – this model tends to align more closely with how IAM risk and effort actually scale.

Additionally, understanding responsibility boundaries helps avoid painful surprises.

Managed Keycloak provider landscape

The managed Keycloak ecosystem is relatively small compared to mainstream SaaS IAM, but it spans several distinct provider types. Understanding these categories helps narrow the field quickly before moving into deeper technical or commercial evaluation.

Rather than ranking providers, the overview below focuses on how each typically positions itself and where it tends to fit best.

Consulting and managed services

TYMIQ

TYMIQ focuses narrowly on Keycloak-based IAM as a core discipline, combining consulting, architecture design, implementation, and long-term support. This model is best suited for organizations with complex IAM requirements, migrations from Okta or Auth0, or long-lived systems where identity architecture is tightly coupled to business logic and compliance.

Inteca

Inteca positions Keycloak within a broader enterprise integration and identity consulting portfolio. Their approach typically appeals to organizations that already work with Inteca on identity or integration initiatives and want managed Keycloak as part of a larger IAM program.

Phase Two

Phase Two offers managed Keycloak with an emphasis on productized services and extensions, particularly for SaaS and multi-tenant use cases. Their offering is often attractive to teams looking for managed hosting plus ready-made Keycloak add-ons rather than deep custom consulting.

Enterprise support

Red Hat (Red Hat build of Keycloak)

Red Hat provides enterprise support for its supported Keycloak distribution, focusing on lifecycle guarantees, patching, and vendor-backed stability. This option is typically chosen by large enterprises that already rely on Red Hat subscriptions and prefer a traditional enterprise support model over managed operations.

Hosting and managed services

Skycloak

Skycloak positions itself primarily as a managed hosting provider for Keycloak, emphasizing availability and SLA-backed infrastructure. This model can work well for teams with relatively standard Keycloak setups that want to offload infrastructure operations.

Cloud-IAM

Cloud-IAM offers managed Keycloak with a focus on compliance-aware environments and predefined service tiers. Their approach is often oriented toward organizations seeking structured plans rather than highly customized IAM architectures.

Elestio

Elestio provides managed Keycloak as part of a broader catalog of managed open-source services. This option fits teams that want a quick start with managed infrastructure and are comfortable handling most IAM design decisions internally.

Servana

Servana appears to position Keycloak within a general managed services offering. As with many hosting-first providers, it is important to clarify the depth of Keycloak-specific expertise and the scope of operational responsibility during evaluation.

Cloud marketplace solutions

Solodev (AWS Marketplace)

Solodev offers Keycloak through cloud marketplace distribution, which can simplify procurement and billing for AWS-centric organizations. Marketplace offerings are typically best evaluated for ease of deployment rather than deep IAM customization.

How to compare managed Keycloak providers

Once you move beyond high-level pricing, the real differences between managed Keycloak providers become operational. Most offerings look similar on a landing page, but diverge sharply when evaluated against real-world IAM requirements: upgrades, integrations, incident response, and long-term ownership.

Thus, a practical comparison should focus less on what is advertised and more on what the provider is prepared to operate over time. Let’s review a few key evaluation angles.

Depth of Keycloak expertise (not just hosting)

Not all managed providers treat Keycloak as a core competency. Some focus primarily on infrastructure and offer Keycloak as one of many hosted services. Others specialize in IAM and work with Keycloak at the architectural level.

The distinction matters when:

• Custom authentication flows are required

For example, implementing step-up authentication only for specific user segments, combining passwordless login with conditional MFA, or enforcing country- or device-based access rules that go beyond default Keycloak flows.

• Federation logic becomes complex

For example, brokering identities between multiple external IdPs (Azure AD, on-prem AD, partner SAML providers) while applying different role mappings, claim transformations, or trust rules per provider.

• Upgrades introduce breaking changes

For example, Keycloak version upgrades that modify authentication flow behavior, deprecate SPI interfaces used by custom extensions, or change token structure in ways that impact downstream services.

• Migration from another IAM platform is involved

For example, moving from Auth0 or Okta while preserving existing user identities, passwords, sessions, and MFA enrollments without forcing a global logout or password reset.

Providers with deep Keycloak expertise tend to anticipate these challenges and design around them. Hosting-first providers often escalate such cases as “out of scope.”

Customization and extension capabilities

Keycloak’s real power lies in its extensibility. Custom authenticators, identity providers, themes, event listeners, and policy logic are common in non-trivial deployments.

When evaluating a provider, clarify:

• whether custom extensions are supported in production
• how they are tested during upgrades
• who owns their long-term maintenance

A provider that discourages customization may be suitable for simple use cases – but will become a constraint as IAM requirements evolve.

SLA clarity and incident response

SLAs are not interchangeable. A “99.9% uptime” claim is only meaningful when paired with:

• clear definitions of downtime
• response and resolution times
• escalation paths and on-call coverage

Equally important is incident handling. Ask how incidents are detected, communicated, and resolved – and what role your team is expected to play during an outage.

Security and compliance posture

IAM sits at the security perimeter, which means operational controls matter as much as features.

A credible provider should be able to explain:

• patch cadence and CVE handling
• audit logging and retention options
• encryption and key management practices
• tenant isolation and access controls

Upgrade policy and version management

Keycloak evolves quickly, and upgrades are not optional. Providers should have a documented approach covering:

• supported versions
• upgrade frequency
• testing and validation process
• rollback strategy

A weak upgrade policy is one of the most common sources of IAM instability in production.

Migration and exit options

IAM is a long-term commitment, and no provider relationship lasts forever. Evaluate:

• how the realm configuration is stored and exported
• whether custom extensions are portable
• how migrations are handled in practice

Clear exit paths reduce risk and improve negotiation leverage over time.

Common mistakes teams make (practice-proven insights)

Even experienced teams tend to underestimate IAM operational complexity. The following mistakes appear frequently in real projects, so the TYMIQ team experts highlighted some of the most common ones and provided recommendations on how to proceed in each case.

1. Treating “managed” as “hands-off”

Many teams assume that “managed” means the provider owns everything. In reality, responsibility boundaries vary significantly.

Mitigation tip: Define ownership upfront for upgrades, incident response, disaster recovery testing, and change approvals, and document it contractually.

2. Choosing hosting-first providers for integration-heavy IAM

Hosting-oriented providers work well for simple deployments, but struggle when IAM must integrate with enterprise directories, legacy systems, or multiple external IdPs.

Mitigation tip: Validate the provider’s experience with real AD, LDAP, and SAML integrations, not just OIDC demos.

3. Ignoring upgrade and version-drift risk

Keycloak upgrades can introduce behavioral changes. Teams that delay upgrades often accumulate technical debt that becomes painful to unwind.

Mitigation tip: Require a documented upgrade policy, including testing scope and rollback procedures, before committing.

4. Optimizing only for the lowest monthly cost

The cheapest option often becomes the most expensive once downtime, slow incident response, or forced migrations are factored in.

Mitigation tip: Evaluate total risk across SLA terms, security posture, upgrade maturity, and long-term ownership, not just the invoice amount.

Why deep Keycloak specialization matters

In long-lived systems, the most challenging IAM problems rarely appear on day one. They emerge later – during upgrades, platform migrations, compliance reviews, or when new integrations stretch the original design beyond its limits.

A practical way forward is to start with a focused pilot. Select one representative application or tenant with real authentication complexity. Validate core flows, federation, and upgrade behavior under realistic conditions. Use this pilot to assess not only functionality, but also operational effort: upgrade impact, incident handling, and day-to-day ownership.

Even after an initial rollout, IAM decisions should be validated against production realities:

• Confirm functional equivalence when migrating from another IAM platform
• Verify end-to-end behavior across integrated systems and IdPs
• Ensure authentication performance and availability meet target SLAs
• Test upgrade and rollback procedures before they become urgent

When approached deliberately, managed Keycloak becomes a stable foundation for identity that can evolve alongside your product, rather than holding it back. That’s where the TYMIQ team can share a tailored experience with you.