
What is a good, alternative, external authentication solution outside of Okta and their Auth0 product, then? I was looking to use their product because I have trusted their ability to manage authentication.


Check out ZITADEL. It fuses the best features of Auth0 and Keycloak into a more modern, innovative package. (Full disclosure: I'm part of the team.)

It's an open-source IAM solution. It offers a cloud-based SaaS option and can also be downloaded for self-hosting. You can try the hosted cloud version for free - https://zitadel.com/signin

It provides:

- authentication and authorization capabilities (including SSO, IdP Federation)

- auditing

- custom extensions

- support for standards such as OIDC/OAuth/SAML/LDAP

- full API support

- various authorization strategies, including Role-Based Access Control (RBAC) and Delegated Access, making it a great choice for both B2C and B2B scenarios.

It mostly aims to ensure ease of operation and scalability (users love the simplicity). The community and team actively contribute towards development and support.

You can download it and host it yourself - https://zitadel.com/docs/self-hosting/deploy/overview

GitHub: https://github.com/zitadel/zitadel

Case studies and testimonials - https://zitadel.com/blog/tags/successstory


Authentik is the easiest to self-host and gives you everything you would expect in a premium offering; it's open source and just needs a single docker compose command to be up and running. https://goauthentik.io/



You have Azure (sus), Google (eh), OneLogin, LastPass(?), PingID.

Okta is nuts. 5th time in two years. Who the F*** is running that place?


This is not a new breach, it is a disclosure of additional findings from the last breach.


That's worse in some ways.


IMO Google is probably the best bet, given the strength of their security engineering folks.


(former Userify CEO, so probably a bit biased, but we only focus on SSH/sudo, so not too much overlap)

I agree completely, except with the obvious stipulation that Google seems to be SaaS-only and thus an extremely high-value target, but Google's security has always been top notch and you can tell they actually care.

Ping Identity seems to be doing pretty well (now owned by Thoma Bravo) and I haven't heard of any publicly disclosed leaks.

LastPass has had several well-publicized breaches recently, though.


Google has one of the best security practices and teams out there, so I would agree. They don't need to support legacy systems nor have so many disparate systems like MS has, so they have an advantage over MS despite MS having a good security team as well. The only dings on them are service in this area as well as baked integrations (Okta has tons).


MS Marketing would like you to edit your post to mention that Azure AD™ is now Entra ID™. This is a new product like MS Fabric is a new product.


Maybe the truth is nobody can stand up to targeted attacks.


Ask yourself why you need it - if it's to handle auth for a SaaS, your web application framework most likely already has a battle-tested auth implementation you can just use.

In this case, introducing a third-party doesn't help. You can still screw up the integration (or merely configuration - a general-purpose IdP has lots of features that may not apply to your use-case, yet misconfiguring them could leave a large security hole without even realizing it), and you are still on the hook for security regardless (if your app is vulnerable, it doesn't matter how secure the IdP is as they can just bypass it).
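
The integration mistake the comment above warns about, as an added example that is not code from any of the products in this thread: an app that receives a JWT from an external IdP and decodes the payload without verifying it, next to a validator that pins the algorithm, checks the signature, and checks issuer, audience and expiry. The issuer URL, audience, shared secret and tokens are all constructed for the example; a real OIDC deployment would fetch the IdP's public keys (RS256/ES256) instead of a shared HMAC secret, but the claim checks are the same.

```python
"""Added example: why the IdP being secure does not make your integration secure.

Standard library only. ISSUER, AUDIENCE and SECRET are assumed values for a
hypothetical IdP and app, not real endpoints or products.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.test/"          # assumption: our IdP's issuer URL
AUDIENCE = "my-app"                            # assumption: client id the IdP mints for
SECRET = b"constructed-shared-secret-do-not-reuse"  # constructed HS256 key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, alg: str = "HS256", secret: bytes = SECRET) -> str:
    """Build a compact JWT. alg="none" yields an unsigned token (what an attacker sends)."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def naive_decode(token: str) -> dict:
    """The bug: read the claims and trust them; the signature is never checked."""
    _, payload, _ = token.split(".")
    return json.loads(_unb64url(payload))


def verify(token: str, now=None) -> dict:
    """Hardened check: fixed alg allowlist, signature, issuer, audience, expiry."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":   # never let the token choose its own algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != ISSUER:    # a token from another tenant/IdP is not ours
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise ValueError("wrong audience")  # a token minted for a different app
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def reason_rejected(token: str, now=None) -> str:
    """Return the rejection reason, or "" if the token verifies."""
    try:
        verify(token, now=now)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    forged = mint({"iss": ISSUER, "aud": AUDIENCE, "sub": "admin", "exp": now + 300}, alg="none")
    print("naive decode accepts:", naive_decode(forged)["sub"])
    print("hardened verify says:", reason_rejected(forged, now=now))
```

Every rejected case here is a token the IdP never signed or never intended for this app; a perfectly run IdP cannot stop the app from accepting them if the check on the app side is missing.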


https://www.ory.sh/ bonus is that you can run it on your own as well.


I'm looking at this one and it seems to cover things that I need (admittedly, without a free tier, but what'reyougonnado). I knew about Okta through people in the security space and that's why I trusted it. I don't see anything on Ory's page that seems to explain the audit work they do, etc. Is this something you are familiar with? Or?


Yes, we're using it in production. However, we have deployed our own stack of it. You don't have to use their service if you don't want to. It's open source, so in a way there is a free tier to it if you can put some work into deployment.


10/10. Ory is top notch. Using on prem


I mentioned it above, but FusionAuth is supposedly good. They offer a paid cloud and free self-hosted version, so you get the benefits of rolling your own without as many risks. (No affiliation with the company on my part, so I can't speak to any specifics - they're just local and I continually hear good things from friends who know and use them.)


Disclosure: I work for FusionAuth.

We're a commercial offering with self-hosted and SaaS options. I don't have a ton of insight into your needs, but it is a solid, well documented external authentication system.

We have a free option available here: https://fusionauth.io/download or you can pay us for premium features, hosting or support.


Supertokens - open source user authentication.

Our UI is native to your website (no redirects) and the auth logic sits within your backend api layer - giving you a lot more control


Jumpcloud if you’re looking for SaaS. It has been a year or two since I last used them but it worked well for our needs.


You could also take a look at what we're building at Corbado (passkey-first authentication): https://www.corbado.com


What are you trying to do? Is self hosting keycloak an option?


Honestly, I'd rather not self-host anything. Many people, such as Amazon and Auth0, provide services to handle authentication for you, so you're just given a JWT or session information. I want to pay pennies per user to have it done right(tm).


I didn’t realize it until looking at it just a moment ago, but Auth0 is an Okta subsidiary. They don’t have a stellar record by themselves [0]. I guess that leaves Amazon? That’s not super encouraging.

[0] https://www.bleepingcomputer.com/news/security/auth0-warns-t...


Amazon Cognito is an attractive option for authentication since it has a good free tier and is relatively inexpensive even outside of the free tier.

The downside I ran into is that it doesn't support SAML SSO. It is only OAuth, OpenID Connect, and JWT.


As an auth backend to an app, perhaps, but the web login forms for Cognito had terrible UX (when we were using it). So terrible that we had daily customer-reported support tickets that we had no ability to fix (short of writing our own full UI).

Also, sharding user records into Cognito pools was a bit frustrating. Hopefully AWS has invested in fixing these issues.


Firebase and Supabase might also be good options for authentication. Cheaper, with a generous free tier.


> I want to pay pennies per user to have it done right(tm)

Okta's whole value prop was that they do it "right"... Oops.


We use Userfront and it's been solid



