We are often asked by prospects evaluating open source identity and access management platforms about the difference between the Gluu Server and Keycloak.
Full disclosure, we have not deployed or operated Keycloak. However, at a high level, we can offer a few points of differentiation between the two platforms.
Product vs. Project
There is a big difference between a project and a product. There are long term and short term projects, but by nature projects are temporary and are often not suitable for mission critical production environments. Products, on the other hand, need to live in production for many years.
Here’s an excerpt from the Keycloak website (emphasis added):
The RH-SSO product derives from a specific version of the Keycloak community and is maintained, patched, and supported by Red Hat commercially for as long as the terms of your support contract. The Keycloak community project, on the other hand, is never patched.
So, by RH’s own admission, the Keycloak open source offering is a bleeding-edge project that is never patched.
The Gluu Server Community Edition, on the other hand, is a product that is in production at many organizations.
Niche vs. Pure Play
Choosing an IAM platform is a long term decision. Once you start building the platform into your larger enterprise architecture, the switching costs become extremely high.
Keycloak and RH SSO contribute no meaningful amount to RH’s bottom line, and RH may or may not continue to invest in the software. In the past, we’ve seen RH say “the liability of the product exceeds the revenue opportunity.” It’s not enough to patch a server. The SSO market is moving fast as new vulnerabilities and application development paradigms emerge. Is RH committed for the long term not only to support, but to innovate?
Gluu’s whole business is built around the Gluu Server. Gluu will never stop innovating on our flagship product, and will never end-of-life it.
Support
Red Hat does not provide commercial support for Keycloak. Instead, they derive product offerings (i.e. RH SSO) from community projects (i.e. Keycloak), and those offerings are branded and maintained separately.
Gluu, on the other hand, makes a large investment in supporting our customers and the open source community alike. We do not hold back features for a commercial version. Everyone gets the same Gluu Server software bits.
We rely on large organizations with mission critical requirements to pay for support, but that doesn’t stop us from helping the open source community of DIYers and small (and large!) businesses adopt and use this critical security tool.
OS Specific
Gluu is committed to building packages for many popular Linux distributions, currently Red Hat, CentOS, Ubuntu, and Debian.
Team vs. Company
Our experience is that developers ask a lot of hard questions, the criticality of support is high, and a fast response time is critical. As Keycloak / RH SSO is a small part of RH’s business, it may take time for Red Hat to get the right team engaged on a production (or development) issue.
Gluu’s whole company is focused on the Gluu Server, and our business, support and developer staff are engaged in supporting and extending the product each and every day.
Conclusion
As a pure play IAM vendor, Gluu will never end-of-life the Gluu Server, or waver from its commitment to support and innovate our open source platform.
Options are good for consumers, and we like to see other organizations offer open source identity and access management tools to the community. In fact, we make use of the good ones (like Shibboleth) in our stack!
Our recommendation: use Keycloak at your own risk… you may be locked into an obscure, end-of-lifed product in the not-too-distant future.