If you are going to use keycloak it's worth making sure their mental model matches your own. Specifically we had issues with our model of multi-tennacy, each in their own realm vs. the keycloak idea of multiple tennants in a single realm. It caused some large performance and management issues.
Compared to other choices, it's more mature and well-vetted because it forms the upstream for RedHat's SSO offering.
On the other hand, it's a big monolithic Java app, but they are making some moves to be more CNF-friendly: https://www.keycloak.org/2020/12/first-keycloak-x-release.ad...