They're desperate to get off Keycloak at my org. Not sure of the specifics, but our users complain about auth issues often, and the Keycloak web interface is painfully slow too.
I’ve read you need to partition usage to limit each Keycloak instance to about 1500 total users to avoid performance issues. Does this hold true in your org?
I work with an org that has tens of thousands of users on Keycloak, so there must be a way around the problem. I'm not administering the instance for this project, so I have no direct insight into how they deal with it.
It looks like it's 'entities' and not just 'users'. From the docs [0]:
Keycloak allows you to create any number of realms and any number of clients and users in them. But you need to be thoughtful as you scale up because as the number of entities grows, Keycloak slows down. When you log in as a superuser in the admin panel, even if you have only 1,500 realms, it will take a few minutes or even crash on timeout. Creating a new realm will take about 20 to 30 seconds. You need to change your logic and interaction with Keycloak.
I have to disagree with your assessment. It's not that rock solid, "supports everything" is a very vague term, and "trusted everywhere" I'm not even sure what that is supposed to mean.
I work for FusionAuth which has a free community edition[0], so I'm a bit biased. You can read some of our community stories talking about what folks have built on top of it[1].
Other alternatives I've heard mentioned for self-hosting include:
* Ory
* Platform-specific OSS (Devise for Rails, Passport/NextAuth for JavaScript, Spring Security for Java, etc.)
* IdentityServer (may have to pay something now, not sure)
FreeIPA is pretty good for internal users when money is tight. It's a FOSS almost AD but for *NIX and it does HA. For the SSO part, Shibboleth2 or CAS.
What do you recommend?