Hi. Speaking very much as an individual. I just spoke to someone who runs a keycloak and gitlab instance for a group of about 1000 users. I wanted to inject their experience into the discussion, because having operational experience is useful in such situations.
* The thing they like about keycloak is the same thing people have mentioned here: it's a great identity broker. It's really good at that, good at giving you all the options you might need.
* It works well with LDAP/AD/whatever account store you have.
* I was right. Gitlab can work as an identity broker. They generally have people use keycloak to log into gitlab. However, there is one common app where it was easier to set up that app to consume gitlab than keycloak, so they did.
* Gitlab is more limited in what it can do as an IDP or ID broker. If it meets your needs, that's great; if not, you may need something like keycloak.
* Migrating from gitlab to keycloak should not be a problem, provided that you think about what you're going to use as primary keys so that accounts remain linked across the migration on the consumer side.
* This organization does not use keycloak to host accounts. That is, all the accounts are stored somewhere else. There are no locally created keycloak accounts.
* On the call, our suspicion is that gitlab is going to do a better job of account lifecycle management than keycloak, but again, the organization in question has not tried that with keycloak. It seems that having local accounts in Keycloak is not one of its most polished features. But again, this is a guess without explicit experience.
* Note that if you want to, you can host accounts in gitlab and have keycloak act as an OIDC consumer for gitlab. So, if you decide you like Gitlab as an IDP but find you need Keycloak's transformations, you can have people log in to Keycloak using their Gitlab accounts.
* We did not discuss security. Neither of us had audited either product.

--Sam
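An added illustration of the "primary keys across the migration" point in Sam's message; this is example code written for this thread, not anything from the organization discussed, GitLab or Keycloak. It constructs two sets of OIDC ID-token claims for the same three people, first from a GitLab issuer and then from a Keycloak issuer, and runs them through a toy relying-party account store under two linking strategies. The issuer URLs, `sub` values and the `uid` claim (assumed here to be the LDAP account name, passed through by both IdPs as a custom claim) are all made up for the example.

```python
"""Account linking across an IdP migration (constructed example).

OIDC defines `sub` as unique only within an issuer, so a relying party that
keys local accounts on (iss, sub) will see every user as a new person when
the issuer changes from GitLab to Keycloak.  Keying on a stable attribute
that both IdPs carry (here a hypothetical `uid` claim from the shared LDAP
directory) keeps the accounts linked across the migration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample tokens: issuers, subs, emails and uids are invented.
GITLAB_TOKENS: List[dict] = [
    {"iss": "https://gitlab.example.org", "sub": "42",
     "email": "alice@example.org", "email_verified": True, "uid": "alice"},
    {"iss": "https://gitlab.example.org", "sub": "57",
     "email": "bob@example.org", "email_verified": True, "uid": "bob"},
    {"iss": "https://gitlab.example.org", "sub": "93",
     "email": "carol@example.org", "email_verified": False, "uid": "carol"},
]
KEYCLOAK_TOKENS: List[dict] = [
    {"iss": "https://sso.example.org/realms/main", "sub": "0b1f-alice",
     "email": "alice@example.org", "email_verified": True, "uid": "alice"},
    {"iss": "https://sso.example.org/realms/main", "sub": "7c44-bob",
     "email": "bob@example.org", "email_verified": True, "uid": "bob"},
    {"iss": "https://sso.example.org/realms/main", "sub": "e9d2-carol",
     "email": "carol@example.org", "email_verified": True, "uid": "carol"},
]


@dataclass
class AccountStore:
    """Minimal relying-party account table keyed by a pluggable linking key."""
    key_fn: Callable[[dict], str]
    accounts: Dict[str, dict] = field(default_factory=dict)

    def login(self, claims: dict) -> str:
        key = self.key_fn(claims)
        acct = self.accounts.setdefault(key, {"logins": 0, "issuers": set()})
        acct["logins"] += 1
        acct["issuers"].add(claims["iss"])
        return key


def key_by_issuer_sub(claims: dict) -> str:
    # The spec-correct identity of an OIDC subject, but it is issuer-bound:
    # a new issuer means a new key, hence duplicate accounts after migration.
    return f"{claims['iss']}|{claims['sub']}"


def key_by_uid(claims: dict) -> str:
    # Stable directory attribute shared by both IdPs (assumed custom claim).
    uid = claims.get("uid")
    if not uid:
        raise ValueError("token lacks the stable linking attribute")
    return f"uid:{uid}"


def key_by_verified_email(claims: dict) -> str:
    # Email is a common fallback key; only accept it when the IdP asserts
    # it has been verified, otherwise an attacker-chosen address could link.
    if not claims.get("email_verified"):
        raise ValueError("unverified email cannot be used for linking")
    return f"email:{claims['email'].lower()}"


def accounts_after_migration(key_fn: Callable[[dict], str]) -> int:
    """Replay pre- and post-migration logins; return distinct account count."""
    store = AccountStore(key_fn)
    for token in GITLAB_TOKENS + KEYCLOAK_TOKENS:
        try:
            store.login(token)
        except ValueError:
            # A token that cannot be linked safely is rejected, not guessed.
            continue
    return len(store.accounts)


if __name__ == "__main__":
    print("by (iss, sub):    ", accounts_after_migration(key_by_issuer_sub))
    print("by uid:           ", accounts_after_migration(key_by_uid))
    print("by verified email:", accounts_after_migration(key_by_verified_email))
```

Replaying the six logins gives six accounts when keyed on `(iss, sub)`, three when keyed on the shared `uid`, and three when keyed on verified email (Carol's unverified GitLab token is refused, and she is first created by her Keycloak login). The practical reading of Sam's point is that the consumer side needs to decide on a linking attribute the new IdP will present identically, and to refuse rather than guess when a token does not carry it.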