Keycloak self-hosted vs managed IAM: TCO and risks
Keycloak is a mature, capable open-source identity provider, and for many teams it is the natural choice to start without license costs. But the software price is only the tip of the iceberg: running it in production carries a total cost of ownership (TCO) and a set of risks that must be weighed before deciding between build and buy.
Build vs buy: the comparison isn't about license price
Keycloak is free to download, which leads many organizations to treat it as "zero cost". The right comparison, however, is not a license versus a subscription, but the total cost of a system you run yourself versus that of a managed service. Once you include infrastructure, team time, security patching and compliance responsibility, the picture changes completely.
What self-hosting Keycloak really means
Putting Keycloak into production is not a matter of spinning up a container and forgetting it. A reliable enterprise instance requires a set of ongoing activities rather than one-off tasks:
- High availability: multi-node clustering, load balancing and database replication so the identity provider does not become a single point of failure.
- Tested backup and disaster recovery: lose the identity database and you lock access to every connected application.
- Patches and upgrades: applying security releases promptly and handling major-version migrations, which are often non-trivial.
- Monitoring and logging: metrics, alerting and retention of access logs for audits and investigations.
- Hardening and secret management: secure configuration, rotation of keys and certificates, protection of admin endpoints.
The hidden TCO of self-hosting
The dominant cost is not infrastructure, but the time of specialized people. You need expertise in Keycloak, the database, networking and security, and that expertise must stay available over time, holidays and turnover included. On top of that comes the cost of risk: every hour of identity-provider downtime is an hour in which nobody can access your systems.
- Staff: design, on-call operations and ongoing maintenance of the identity infrastructure.
- Infrastructure: redundant application nodes, managed database, load balancers, staging and DR environments.
- Security and compliance: hardening, vulnerability management, periodic audits and producing evidence for GDPR, NIS2 and ISO 27001.
- Operational risk: the cost of downtime and incidents, hard to quantify but very real when the IdP is critical.
The risks of self-hosting
Security and the patch window
The identity provider is one of the most sensitive targets in the whole infrastructure: compromising it means compromising access to everything. With self-hosting you are the one who must apply patches within the right window and configure every component correctly. An unpatched vulnerability or a misconfigured admin endpoint can expose the entire organization.
Compliance and data responsibility
With self-hosted Keycloak, personal data and credentials live in your infrastructure, and the responsibility to protect them and to demonstrate compliance (GDPR, NIS2, ISO 27001) is entirely yours. Producing audit evidence requires processes and documentation that you have to build and maintain.
Continuity and dependence on people
Knowledge of how the cluster is configured and kept running tends to concentrate in a few people. If they leave, operational risk increases on exactly the most critical system.
When self-hosted Keycloak makes sense
Self-hosting remains a legitimate choice in specific scenarios: when you have extreme customization requirements that demand full control of the code, constraints that force everything onto owned infrastructure, and — above all — a dedicated team with the skills and capacity to run the identity provider 24/7 over time.
When a managed IAM is the better fit
For most organizations that want to focus on their product rather than on running identity infrastructure, a managed IAM reduces risk and makes cost predictable:
- High availability, backup and disaster recovery are the provider's responsibility.
- Security patches and upgrades applied without tying up your team.
- Compliance and certifications maintained by the vendor, with evidence ready for audits.
- Predictable subscription cost, without unexpected spikes from incidents or migrations.
Comparison table
| Aspect | Self-hosted Keycloak | Managed IAM |
|---|---|---|
| License cost | None (open source) | Predictable subscription |
| Dominant real cost | Staff and operational risk | Service subscription |
| High availability and DR | On you | Included in the service |
| Security patches | Your responsibility | Handled by the provider |
| Compliance and audit | To build and maintain | Maintained by the vendor |
| Customization | Maximum | Broad, within the platform |
| Time-to-value | Weeks/months of setup | Fast |
LoginMaster: a managed European IAM
If you are evaluating Keycloak but want to avoid the operational burden of self-hosting, LoginMaster offers a managed IAM with a Tenant-Cloud architecture in which personal data never leaves the customer's tenant, and the cloud operates only on encrypted and pseudonymized data. Compliance with GDPR, NIS2 and ISO 27001 is built in, and adoption relies on open standards to avoid lock-in.
- SSO with Google Workspace and Microsoft Entra ID, 2FA/TOTP and dual-signature authentication.
- Integration via TypeScript and .NET SDKs or REST API, with no infrastructure to run.
- Multi-tenant white-label and export of events to SIEM (Splunk, QRadar, Sentinel, Elastic).
- High availability, patches and backups managed by the provider, with a predictable subscription cost.
For a direct comparison see the Keycloak alternative page; for the fundamentals, see the page on what IAM is and the security page. To evaluate your concrete case, request a demo.
Frequently asked questions
The Keycloak software is open source and free to download, but the real cost of self-hosting comes from infrastructure, specialized staff time, security patching and compliance responsibility. The right comparison is the total cost of ownership (TCO), not the license price.
The main risks are security (applying patches within the right window and avoiding identity-provider misconfigurations), compliance (GDPR, NIS2 and ISO 27001 are entirely on you) and operational continuity, which often concentrates in a few people who know the cluster.
A managed IAM is better when you want a predictable cost and reduced operational risk, delegating high availability, backup, patches and compliance to the provider. Self-hosting makes sense with extreme customization requirements and a dedicated team able to run the IdP 24/7.
Yes. LoginMaster is a managed European IAM with a Tenant-Cloud architecture in which personal data never leaves the customer's tenant, compliant with GDPR, NIS2 and ISO 27001, based on open standards to avoid lock-in and with a predictable subscription cost.
Want to see LoginMaster in action?
Request a personalized demo and discover how to manage identities and access securely and compliantly.