Best Self-hosted Alternatives to ForgeRock Identity Platform

Keycloak is an open-source Identity and Access Management (IAM) server for modern applications and services. It centralizes authentication and authorization so applications can rely on standards-based SSO instead of implementing login, user storage, and session management.

Key Features

• Single sign-on and single sign-out across multiple applications
• Support for standard protocols: OpenID Connect, OAuth 2.0, and SAML 2.0
• Identity brokering and social login via configurable identity providers
• User federation with LDAP and Active Directory, with extensible provider support
• Admin console for managing realms, clients, users, roles, sessions, and policies
• Account management console for end users (profile, password changes, session management, and 2FA)
• Fine-grained authorization services for policy-based access control

Use Cases

• Centralized SSO for internal apps, APIs, and microservices
• Replacing custom authentication with standards-based identity and token issuance
• Integrating enterprise directories (LDAP/AD) and external identity providers into one login flow

Limitations and Considerations

• Operating securely at scale requires careful configuration of realms, clients, token lifetimes, and session settings
• Some advanced deployments may require external databases and clustering planning for high availability

Keycloak is widely used as a central identity provider to standardize authentication and access control across heterogeneous systems. It reduces application complexity while enabling consistent security policies and user management in one place.

Logto is an open-source identity and access management platform for adding authentication and authorization to web, mobile, and API-based products. It provides standards-based login, enterprise SSO, and scalable multi-tenant identity management for SaaS and AI applications.

Key Features

• OAuth 2.1 and OpenID Connect provider for apps, SPAs, and APIs
• SAML-based enterprise SSO with common external IdPs
• Multi-tenancy via organizations, including invitations and provisioning flows
• Role-based access control for global and organization-scoped permissions
• Multiple sign-in methods: password, passwordless (email/SMS codes), and social login
• Multi-factor authentication options including passkeys, authenticator apps, and backup codes
• Customizable, pre-built sign-in experience and broad SDK/framework support
• Admin console for managing apps, users, roles, and authentication settings

Use Cases

• Add secure login and token-based API access to a SaaS product
• Implement enterprise-ready SSO and org-level access controls for B2B apps
• Centralize identity for multi-app ecosystems, including AI agents and tools

Limitations and Considerations

• Running at scale typically requires operating and tuning PostgreSQL and the service stack
• Advanced enterprise/security expectations may require careful configuration of SSO, MFA, and authorization models

Logto is a strong fit when you want a modern, standards-based auth system with multi-tenancy, SSO, and RBAC built in. It helps teams ship production-ready identity features without building and maintaining custom auth infrastructure from scratch.

Cerbos is a language-agnostic authorization layer that externalizes permissions into context-aware policies evaluated by a stateless Policy Decision Point (PDP). It is designed to support least-privilege access control across applications, APIs, services, and modern workloads.

Key Features

• Policy-based authorization using simple YAML policies for resources, actions, and principals
• Context-aware decisions with conditional rules and attribute-based access control (ABAC)
• Derived roles and principal-specific policies for dynamic and exception-driven authorization
• Stateless PDP service exposing APIs for authorization checks and query planning
• Multiple policy storage backends (e.g., local disk, Git-based workflows, and supported databases)
• Designed for scalable, highly available deployments (service, sidecar, or other runtime patterns)

Use Cases

• Centralize authorization for microservices, APIs, and web applications with consistent rules
• Implement fine-grained RBAC/ABAC for multi-tenant or enterprise software
• Offload authorization logic from application code to a dedicated decision service

Cerbos helps teams manage authorization as code, enabling clearer permission logic, easier auditing of intent, and safer evolution of access rules as systems grow.

GLAuth is a lightweight LDAP authentication server designed for development, CI pipelines, and home infrastructure. It provides an easy-to-run alternative to heavier directory services while supporting multiple configurable backends and LDAP/LDAPS endpoints.

Key Features

• LDAP and LDAPS listeners for authentication and directory queries
• Config-file backend for simple, single-binary deployments
• Pluggable/chained backends, including file-based storage, S3-backed storage, SQL via plugins, and proxying to existing LDAP servers
• Centralized management of users, groups, passwords, Linux account attributes, and SSH public keys
• Optional two-factor authentication designed to be transparent to LDAP client applications
• Suitable for lightweight directory needs across common infrastructure tools that support LDAP auth

Use Cases

• Centralizing user and group management for homelab or small server fleets
• Providing an LDAP auth endpoint for internal tools and CI environments
• Fronting or augmenting an existing LDAP directory with a proxy backend

Limitations and Considerations

• For production usage, LDAPS/TLS should be configured explicitly rather than relying on plaintext LDAP
• Some advanced directory/AD features may not be available compared to full OpenLDAP or Active Directory deployments

GLAuth is a practical choice when you need LDAP-compatible authentication with minimal operational overhead. Its backend flexibility makes it useful both as a standalone directory for small environments and as an integration layer alongside existing LDAP infrastructure.

Authgear is an identity and authentication platform for consumer and B2B applications, providing hosted login, user management, and standards-based SSO. It can be deployed for self-hosting and is designed to support modern authentication methods across web and mobile.

Key Features

• Pre-built, customizable signup/login and account settings UI
• Passwordless authentication (magic link / OTP via email and SMS) and passkeys (WebAuthn)
• Multi-factor authentication (TOTP, email OTP, SMS OTP)
• SSO and federated identity via OAuth 2.0 / OIDC and SAML 2.0
• Admin portal for configuration, user/session management, and operational insights (e.g., logs)
• Admin API with GraphQL for managing auth resources and automation
• Extensibility via webhooks and server-side hooks for custom auth logic
• Enterprise-oriented controls such as audit logs, rate limiting, and brute-force protection

Use Cases

• Add authentication to SaaS products and multi-app ecosystems with a unified identity layer
• Implement enterprise SSO for B2B customers using OIDC/SAML and directory integrations
• Roll out phishing-resistant sign-in using passkeys plus MFA for higher assurance logins

Authgear combines turnkey UI components with protocol support and administrative tooling, making it suitable for teams that want a customizable IAM foundation without building auth from scratch. Its API and hooks enable deeper integration while keeping authentication flows consistent across platforms.

Melody Auth is a turnkey OAuth 2.0 and authentication system you can run on Cloudflare Workers (with D1 and KV) or self-host on Node.js with Redis and PostgreSQL. It provides a complete auth server, management UI, and developer-facing APIs and SDKs for integrating secure login flows into applications.

Key Features

• OAuth 2.0 flows including authorization, token exchange, refresh token revoke, scopes, consent, and user info retrieval
• OpenID Connect support (discovery/openid configuration) and JWT/JWKS-based authentication with key rotation
• Multi-factor authentication options including email/OTP/SMS, passkeys, recovery codes, and “remember device”
• External identity providers including social login (Google, GitHub, Discord, Apple, etc.) and OIDC providers; SAML SSO in Node.js deployments
• Role-based access control (RBAC), user attributes, account linking, organizations and groups
• Admin panel for managing users, apps, roles/scopes, organizations, IdPs, and logs (including impersonation)
• Server-to-server REST API plus embedded auth API and frontend SDKs for web, React, Angular, and Vue
• Brute-force protection and security-focused logging for sign-in and verification flows

Use Cases

• Ship OAuth/OIDC authentication for new products with a built-in admin console
• Add MFA, passkeys, and social login to existing apps without building auth from scratch
• Run an internal identity provider for multiple apps with RBAC, org/group management, and audit-friendly logs

Melody Auth is well-suited for teams that want a complete, customizable auth stack with minimal operational overhead on the edge or full control in a traditional server deployment.

FusionAuth is a full-featured authentication and identity platform for adding login, registration, and access control to web, mobile, and API-driven applications. It provides standards-based auth flows and an admin UI for managing users, applications, and security settings.

Key Features

• Standards-based authentication and authorization using OAuth 2.0 and OpenID Connect
• SAML v2 support for enterprise SSO integrations
• Multi-factor authentication (MFA) and passwordless authentication options
• User, group, and role management with application-specific configuration
• Admin dashboard and APIs for identity management and automation

Use Cases

• Centralized login and SSO across multiple internal and customer-facing applications
• Add OAuth/OIDC-based authentication for APIs and microservices
• Enterprise integrations requiring SAML-based identity federation

FusionAuth is a practical choice for teams needing a self-hosted IAM solution with modern auth standards, multiple authentication methods, and an administrative interface for ongoing identity operations.