
Wow. These guys were basically 1 and 2 when it comes to enterprise auth/CIAM. It's great news for the businesses, but will likely only decrease competition in the marketplace. There's a ton of second tier competitors out there with plausible offerings who are probably going to start consolidating to stay alive.


I know it doesn't cover everything Auth0 and Okta presumably provide, but Keycloak is OSS and has Red Hat support, and is honestly one of the best IdPs I've ever used in terms of capabilities and friendliness. I know there's also the Ory suite in the more cloud-native/recent space, though I can't personally speak to its maturity.

Maybe I'm biased by the large bank I currently work at, but in general, it seems like IAM is the last thing we really want outsourced/closed source and monocultured. If they lose the motivation to stay ahead of the competition, and stop responding to vulnerabilities as quickly as they ought to, it's not just their company that loses.


I’ve started using Keycloak by default for my personal projects. Once you know how to integrate it and configure it, you never have to worry about users or roles again. I haven’t used the groups feature yet but I’m optimistic considering how easy Keycloak is to configure. Overall it’s a great tool to have in your tool belt.


There's just so much value in the fact that I can run it locally, deploy it wherever, play with it and learn it for free and even feel safe enough to expose it publicly due to its maturity and backing. As long as I stick with the standards (remind yourself and your users "you build OpenID Connect clients, not 'keycloak' clients"), I can even (easily) move somewhere else if I want, and now I understand OAuth2/OIDC better and probably have a much more scalable authn/z system in place thanks to the way federated authn asks you to design your (fine-grained) authz.


Lack of WebAuthn might be a stopper for some, but it's in the pipeline:

https://github.com/keycloak/keycloak-community/blob/master/d...


Huh, I'm pretty sure it's present by default (not behind a flag) in current versions of Keycloak - would have liked to use it but our setup is so heavily firewalled tokens wouldn't make it over ;)


I'm going to check it out again today because last eval I did with this requirement was ~10 months ago


Yeah there’s a tab for it in the latest docker images, although I’ve never configured it


It's there! Awesome. Thank you.


Please make a write-up about using it - my current use of Keycloak doesn't fit WebAuthn (clients access it from virtual workstations that don't have USB access) but I'd like to incorporate it further in my toolbox for future projects


I may do just that and add it to the docs - thanks for the tip


> It's great news for the businesses,

I assume you mean they'll be able to get monopolistic rents now?

The other alternative is that Auth0 customers will be forced into Okta plans and migrate to other platforms. It's happened before with other mergers.

Disclosure: I work for a competitor.


Wouldn’t 1 be Microsoft?


Amazon/AWS and Google are big in the identity space too, so I think it makes sense that there's only room for one real "third party" option.


It might be better for these two to merge than for either (or both!) to be subsumed into those much larger firms. This is why FTC allowed Sirius and XM to merge: to keep them both out of the clutches of larger firms who would have seriously considered killing satellite radio altogether.

[EDIT:] Of course, this merger may just be a ploy to drive up the price of a future merger with one of the larger firms...


Cognito and Firebase are bush league by comparison. They can do the basics well enough if you have the right integration engineers. Okta and Auth0 are light years ahead.


The difference is that Okta/Auth0 is never going to be the only piece of a solution. With AWS it's more than just Cognito, you have to consider IAM and SSO as part of the equation as well. And if you're a pure AWS shop the AWSness of Cognito (or its direct support in API Gateway, etc.) might make you prefer it to Okta or Auth0 regardless of feature parity. For Google the key asset is really Gmail/GSuite/Workspace, which is the primary identity provider for many, many organizations (and the sole identity provider for most of those). However kludgy Google's built-in SAML stuff is, there is a huge value in only needing to deal with one entity.


Cognito is a nightmare and many things are broken. I lost 3 weeks in Feb. on a project trying to get it to work and just integrated Auth0 in 2 days.


They're not really doing the same thing but you're probably correct that most customers are just relying on AD. I can easily imagine MS beefing up their identity offering to be more on par with Okta.


We replaced Okta with Azure AD. AAD had better OIDC and SCIM support along with being _significantly_ less expensive -- plus we had to use it anyways due to M365/Azure, so Okta offered no value.


I assume that's for enterprise, not customers.


Correct, though we do use Azure B2C with 3rd parties, as well.


Ping and Sailfish are big companies too.


Sorry, this should be Sailpoint of course.

Okta, 2020 Revenue: $586M

Sailpoint, 2020 Revenue: $355M

Ping, 2020 Revenue: $224M

Auth0, 2020 Revenue: $200M

There's also Oracle ID Manager, some IBM thing etc - a bunch of other large vendors.


I think you quoted the wrong number for Okta's revenue. The first hit on Google said:

> Okta revenue for the twelve months ending October 31, 2020 was $768M, a 43.77% increase year-over-year. Okta annual revenue for 2020 was $586M, a 46.79% increase from 2019.


I was quoting 2020 financial year numbers. As per your quote: "Okta annual revenue for 2020 was $586M"


I see. That's for FY2020, which was from Feb 2019-Jan 2020. So, it's from 12 months ago.

For FY2021 (that just ended: Feb 2020-Jan 2021), revenue was $835 million, an increase of 43% year-over-year.



