Keycloak provides enterprise SSO with SAML, OIDC, and MFA. Samba AD delivers full Active Directory compatibility with domain join, Group Policy, and Kerberos authentication -- all open-source.
Keycloak is an open-source identity and access management platform, started at Red Hat and now a CNCF project, used by thousands of organizations for single sign-on, multi-factor authentication, and user federation. Samba AD provides an Active Directory-compatible domain controller for Windows domain join and Group Policy.
Keycloak handles modern identity: SAML 2.0 and OpenID Connect for application SSO, FIDO2/WebAuthn passkeys for phishing-resistant authentication, TOTP MFA out of the box (SMS and push through authenticator extensions), user self-service registration and account management, and fine-grained authorization policies. It acts as the central identity provider for the entire FreedomStack.
Samba AD handles traditional directory services: LDAP for user and group management, Kerberos for domain authentication, DNS for Active Directory-integrated zones, and Group Policy for Windows machine configuration. Windows PCs join a Samba AD domain the same way they join a Microsoft AD domain -- same tools, same workflow, same Group Policy Objects. One operational difference to plan for: Samba does not replicate SYSVOL between domain controllers itself, so with more than one DC the GPO files must be synced by a separate job (for example rsync on a schedule).
SAML 2.0 and OpenID Connect SSO for all applications. One login grants access to Nextcloud, Zimbra, GLPI, Wazuh, and any SAML/OIDC-compatible app. No per-app licensing.
TOTP authenticator apps and FIDO2/WebAuthn passkeys (YubiKey, Touch ID, Windows Hello) are built in; SMS and push notifications are available through authenticator extensions. MFA requirements are configured per application (client), role, or user attribute using Keycloak's conditional authentication flows.
Samba AD provides AD-compatible domain services: domain join, Group Policy, Kerberos authentication, LDAP directory, DNS. RSAT tools (Active Directory Users and Computers, Group Policy Management) manage it natively. Windows clients join and authenticate exactly as against a Microsoft domain controller.
Keycloak federates users from Samba AD over LDAPS, so Samba AD stays the source of truth for accounts and passwords: Keycloak validates a password by binding to the domain controller rather than storing a copy. Create a user in AD, and they can SSO into all applications automatically.
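As an added example (not FreedomStack's own tooling), the script below registers a Samba AD domain controller as a read-only LDAP user federation provider through Keycloak's admin REST API and attaches a group mapper, then triggers one full sync. The endpoints and the `config` keys are those of Keycloak's admin API and its `ldap` / `group-ldap-mapper` providers; the hostnames, realm name, bind account and the `CN=Users` container are assumptions to replace. It refuses a plain `ldap://` URL without StartTLS because the bind password would otherwise cross the network in the clear, and it filters disabled AD accounts out of the import with the `userAccountControl` bitwise-AND matching rule.

```python
"""Register Samba AD as a Keycloak LDAP user federation provider (added example)."""
import json
import os
import urllib.parse
import urllib.request

KEYCLOAK = "https://sso.corp.example"        # assumed Keycloak base URL
REALM = "corp"                                # assumed realm name
DC_URL = "ldaps://dc1.corp.example:636"       # assumed Samba AD domain controller
BASE_DN = "DC=corp,DC=example"                # assumed domain
# Exclude accounts with the ACCOUNTDISABLE bit (0x2) set, via LDAP_MATCHING_RULE_BIT_AND
ENABLED_USERS_FILTER = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"


def _strs(config):
    """Keycloak component config values are JSON arrays of strings, booleans as 'true'/'false'."""
    return {k: [str(v).lower() if isinstance(v, bool) else str(v)] for k, v in config.items()}


def ldap_component(realm_id, bind_dn, bind_password, url=DC_URL, start_tls=False):
    """ComponentRepresentation for an AD-flavoured, read-only LDAP provider."""
    if urllib.parse.urlsplit(url).scheme != "ldaps" and not start_tls:
        raise ValueError("refusing to send the bind password over plaintext LDAP")
    return {
        "name": "samba-ad",
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "parentId": realm_id,
        "config": _strs({
            "enabled": True, "vendor": "ad", "connectionUrl": url, "startTls": start_tls,
            "useTruststoreSpi": "always",          # validate the DC certificate
            "authType": "simple", "bindDn": bind_dn, "bindCredential": bind_password,
            "editMode": "READ_ONLY",               # Samba AD remains authoritative
            "usersDn": f"CN=Users,{BASE_DN}",     # assumed container holding the users
            "usernameLDAPAttribute": "sAMAccountName", "rdnLDAPAttribute": "cn",
            "uuidLDAPAttribute": "objectGUID",    # stable ID even if a user is renamed
            "userObjectClasses": "person, organizationalPerson, user",
            "customUserSearchFilter": ENABLED_USERS_FILTER,
            "searchScope": 2,                      # 2 = subtree
            "importEnabled": True, "syncRegistrations": False, "pagination": True,
            "batchSizeForSync": 1000, "fullSyncPeriod": -1, "changedSyncPeriod": 300,
            "trustEmail": False, "connectionPooling": True, "priority": 0,
        }),
    }


def group_mapper(ldap_component_id):
    """Mapper that mirrors AD security groups into Keycloak groups, read-only."""
    return {
        "name": "ad-groups",
        "providerId": "group-ldap-mapper",
        "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
        "parentId": ldap_component_id,
        "config": _strs({
            "groups.dn": f"CN=Users,{BASE_DN}", "group.name.ldap.attribute": "cn",
            "group.object.classes": "group", "membership.ldap.attribute": "member",
            "membership.attribute.type": "DN", "membership.user.ldap.attribute": "sAMAccountName",
            "memberof.ldap.attribute": "memberOf",
            # AD maintains memberOf, so one read per user instead of a search per group
            "user.roles.retrieve.strategy": "GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE",
            "mode": "READ_ONLY", "ignore.missing.groups": True,
        }),
    }


def _call(method, path, token=None, body=None, form=None):
    """Minimal JSON/form client for the admin API; returns parsed JSON or the id from Location."""
    data = urllib.parse.urlencode(form).encode() if form else (json.dumps(body).encode() if body else None)
    req = urllib.request.Request(KEYCLOAK + path, data=data, method=method)
    req.add_header("Content-Type", "application/x-www-form-urlencoded" if form else "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=15) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else resp.headers.get("Location", "").rsplit("/", 1)[-1]


def main():
    # Admin credentials and the AD bind password come from the environment, never from the script
    token = _call("POST", "/realms/master/protocol/openid-connect/token", form={
        "grant_type": "password", "client_id": "admin-cli",
        "username": os.environ["KC_ADMIN"], "password": os.environ["KC_ADMIN_PASSWORD"]})["access_token"]
    realm_id = _call("GET", f"/admin/realms/{REALM}", token)["id"]
    provider_id = _call("POST", f"/admin/realms/{REALM}/components", token,
                        ldap_component(realm_id, f"CN=keycloak-bind,CN=Users,{BASE_DN}",
                                       os.environ["AD_BIND_PASSWORD"]))
    _call("POST", f"/admin/realms/{REALM}/components", token, group_mapper(provider_id))
    # Full sync so AD users exist in Keycloak before their first SSO login; prints the sync result
    print(_call("POST", f"/admin/realms/{REALM}/user-storage/{provider_id}/sync?action=triggerFullSync", token))


if __name__ == "__main__":
    main()
```

Run it as `KC_ADMIN=admin KC_ADMIN_PASSWORD=... AD_BIND_PASSWORD=... python3 federate.py`. The bind account only needs read access to the directory; keep it out of Domain Admins, and confirm after the sync that a disabled AD account does not appear in the realm's user list.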
Role-based and attribute-based access control. Define who can access what based on group membership, role, custom attributes, the requesting client, or time of day, using Keycloak's built-in policy types. Centralized policy enforcement.
Users manage their own accounts: password resets, MFA enrollment, profile updates, and active session management. Reduces helpdesk tickets for identity-related issues.
Keycloak is an open-source identity and access management platform that originated at Red Hat and is now a CNCF project, with Red Hat engineers still its primary maintainers. It provides single sign-on (SSO) via SAML 2.0 and OpenID Connect (OIDC), multi-factor authentication, user federation, social login, fine-grained authorization, and centralized user management. It covers the SSO and MFA roles of Entra ID, and its conditional authentication flows cover the common Conditional Access use cases (requiring MFA by application, role, or user attribute).
Yes. Samba AD implements the Active Directory protocol suite including LDAP, Kerberos, DNS, and Group Policy. Windows machines join a Samba AD domain the same way they join a Microsoft AD domain. Users log in with domain credentials, Group Policies apply at boot and login, and the standard AD management tools (RSAT) work against Samba AD.
Yes. Keycloak 26 supports WebAuthn/FIDO2 passkeys, both as a second factor and in a passwordless flow. Users can register hardware security keys (YubiKey) or platform authenticators (Touch ID, Windows Hello) and use them as the primary (passwordless) or second factor. This provides phishing-resistant authentication without any per-user licensing costs.
Keycloak acts as the central identity provider for the entire FreedomStack. Nextcloud, Zimbra, GLPI, Wazuh, and Fleet all authenticate through Keycloak via OIDC or SAML. Users get true single sign-on: one login grants access to all services. MFA policies are enforced centrally, and accounts in the connected services are provisioned just-in-time from the Keycloak identity on first login (Keycloak has no built-in SCIM push, so an account removed in AD is blocked at the next login rather than deleted downstream).
Yes. We export users and groups from Entra ID with Microsoft Graph or PowerShell (Entra ID exposes no LDAP, and has no organizational units; administrative units and groups are mapped to OUs and groups in Samba AD) and import them into Samba AD with samba-tool or LDIF. Passwords cannot be exported from Entra ID, so accounts are created disabled and users set a new password at cutover. Application SSO integrations are reconfigured to point to Keycloak. MFA enrollments are re-registered; TOTP seeds can only be carried over where you still hold them yourself (hardware OATH tokens whose seed file you uploaded), since Entra ID does not export authenticator-app seeds. The migration is phased: we set up Keycloak alongside Entra ID, migrate applications one at a time, and cut over users in batches.
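As an added example (not the migration tooling FreedomStack uses), the script below turns a user and group export into LDIF that Samba AD accepts. The input records are constructed here to look like the fields a trimmed Microsoft Graph `$select` on `/users` returns (`userPrincipalName`, `givenName`, `surname`, `displayName`, `mail`, `accountEnabled`); the domain, target OU and UPN suffix are assumptions. It handles the details that break naive converters: RFC 4514 escaping of commas and leading/trailing characters in the CN, RFC 2849 base64 encoding of non-ASCII values such as a DN containing an umlaut, the 20-character `sAMAccountName` limit with collision detection, and group members that do not resolve to an exported user. Every account is written disabled (`userAccountControl` 514) because no password can leave Entra ID.

```python
"""Convert an Entra ID user/group export into LDIF for Samba AD (added example)."""
import base64
import re

BASE_DN = "DC=corp,DC=example"            # assumed target domain
TARGET_OU = f"OU=Migrated,{BASE_DN}"      # assumed OU, created beforehand with samba-tool ou create
UPN_SUFFIX = "corp.example"               # assumed UPN suffix in the new domain
UAC_NORMAL_DISABLED = 514                 # NORMAL_ACCOUNT (0x200) | ACCOUNTDISABLE (0x2)
GROUP_GLOBAL_SECURITY = -2147483646       # global security group

# Constructed sample records, shaped like a trimmed Graph /users and /groups export
SAMPLE_USERS = [
    {"userPrincipalName": "jane.doe@contoso.com", "givenName": "Jane", "surname": "Doe",
     "displayName": "Doe, Jane", "mail": "jane.doe@contoso.com", "accountEnabled": True},
    {"userPrincipalName": "muller@contoso.com", "givenName": "Jürgen", "surname": "Müller",
     "displayName": "Jürgen Müller", "mail": None, "accountEnabled": True},
    {"userPrincipalName": "averyveryverylongname.surname@contoso.com", "givenName": "Avery",
     "surname": "Surname", "displayName": "Avery Surname", "mail": None, "accountEnabled": True},
    {"userPrincipalName": "old.account@contoso.com", "givenName": "Old", "surname": "Account",
     "displayName": "Old Account", "mail": None, "accountEnabled": False},
]
SAMPLE_GROUPS = [
    {"displayName": "staff", "members": ["jane.doe@contoso.com", "muller@contoso.com", "ghost@contoso.com"]},
]

# RFC 2849: a value may be written in the clear only if every char is SAFE and the first is SAFE-INIT
_SAFE = re.compile(r"^[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f][\x01-\x09\x0b\x0c\x0e-\x7f]*$")
# Characters AD rejects in a sAMAccountName
_SAM_BAD = re.compile(r'[\s"/\\\[\]:;|=,+*?<>]')


def dn_escape(value):
    """Escape one RDN attribute value per RFC 4514 section 2.4."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def ldif_attr(name, value):
    """One LDIF line; base64 ('::') when the value is not safe to write literally."""
    if _SAFE.match(value) and not value.endswith(" "):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def sam_account_name(upn, seen):
    """Derive the pre-Windows 2000 logon name (max 20 chars) and refuse duplicates after truncation."""
    sam = _SAM_BAD.sub("", upn.split("@", 1)[0].lower())[:20]
    if not sam or sam in seen:
        raise ValueError(f"sAMAccountName {sam!r} for {upn} is empty or collides after truncation")
    seen.add(sam)
    return sam


def user_entry(user, seen_sam):
    sam = sam_account_name(user["userPrincipalName"], seen_sam)
    cn = user.get("displayName") or f"{user.get('givenName', '')} {user.get('surname', '')}".strip() or sam
    dn = f"CN={dn_escape(cn)},{TARGET_OU}"
    attrs = [("objectClass", "top"), ("objectClass", "person"), ("objectClass", "organizationalPerson"),
             ("objectClass", "user"), ("cn", cn), ("sAMAccountName", sam),
             ("userPrincipalName", f"{sam}@{UPN_SUFFIX}"),
             ("userAccountControl", str(UAC_NORMAL_DISABLED)),   # always disabled until cutover
             ("description", f"migrated from Entra ID; accountEnabled={user.get('accountEnabled')}")]
    for src, dst in (("givenName", "givenName"), ("surname", "sn"), ("displayName", "displayName"), ("mail", "mail")):
        if user.get(src):
            attrs.append((dst, user[src]))
    return dn, "\n".join([ldif_attr("dn", dn)] + [ldif_attr(k, v) for k, v in attrs])


def group_entry(group, upn_to_dn, unresolved):
    name = group["displayName"]
    dn = f"CN={dn_escape(name)},{TARGET_OU}"
    attrs = [("objectClass", "top"), ("objectClass", "group"), ("cn", name),
             ("sAMAccountName", _SAM_BAD.sub("", name)), ("groupType", str(GROUP_GLOBAL_SECURITY))]
    for upn in group.get("members", []):
        member_dn = upn_to_dn.get(upn.lower())
        if member_dn is None:
            unresolved.append((name, upn))         # reported, not silently dropped
        else:
            attrs.append(("member", member_dn))
    return "\n".join([ldif_attr("dn", dn)] + [ldif_attr(k, v) for k, v in attrs])


def to_ldif(users, groups):
    """Return (ldif_text, unresolved_memberships); users first so group member DNs exist."""
    seen_sam, upn_to_dn, entries, unresolved = set(), {}, [], []
    for user in users:
        dn, entry = user_entry(user, seen_sam)
        upn_to_dn[user["userPrincipalName"].lower()] = dn
        entries.append(entry)
    for group in groups:
        entries.append(group_entry(group, upn_to_dn, unresolved))
    return "\n\n".join(entries) + "\n", unresolved


if __name__ == "__main__":
    text, missing = to_ldif(SAMPLE_USERS, SAMPLE_GROUPS)
    print(text)
    for group_name, upn in missing:
        print(f"# WARNING: {group_name}: member {upn} not in export", end="\n")
```

Feed the output to the domain controller with `ldbadd -H /var/lib/samba/private/sam.ldb migrated.ldif` (or `ldapadd` over LDAPS with an admin bind), then at cutover run `samba-tool user setpassword` and `samba-tool user enable` per batch; the `description` attribute records which accounts were already disabled in Entra ID so those are left disabled. Review the unresolved-member warnings before importing, since a group that loses members silently is an access-control regression.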
We'll analyze your current Entra ID setup, map your SSO integrations, and show you what Keycloak + Samba AD looks like for your organization. No obligation.