Authentik

Authentik is the identity provider that makes Keycloak look like enterprise bloatware. Written in Python with a visual flow editor, it lets you build custom auth journeys — passwordless for some users, MFA for others — without touching code. SSO, SAML, OIDC, LDAP, and SCIM all work out of the box.

If you're self-hosting business apps and need proper SSO without Keycloak's learning curve, Authentik is the default recommendation in 2026. Keycloak (Red Hat) has more features but demands you understand realms, clients, and mappers. Auth0 is the commercial standard but gets expensive fast per monthly active user. Authelia is lighter but designed for reverse proxy auth, not full identity management.

The catch: Authentik uses a custom license — the enterprise features (like remote access control, recently moved to free) have historically been gated. The Python stack means heavier resource usage than Go-based alternatives. And while the flow editor is great, complex SAML integrations still require deep identity protocol knowledge.