You should check out FusionAuth if you are looking at KeyCloak. We play in a similar same space (self-hostable, support for SAML, OIDC, OAuth2). I'd say KeyCloak has wider coverage for some of the more esoteric standards and is open source while we have a more modern API, dev-friendly docs, and great (paid) support.
FusionAuth is not open source, but you can self-host it for free and own your data[0]. Or let us run it for you. In the latter case, you still own your data--get it all from our cloud if you want to migrate.
I'm proud that the team wrote an offboarding doc[1]. It's your darn customer data, and every provider should support out-migration.
Our pricing is kinda complicated as discussed before[0]. We're working on simplifying things.
Here's a list of features[1] which hopefully are clearer about what you get on what plans.
Where things get complex is that we sell both features/support and hosting, and you can buy both, either or neither from us. Our hosting isn't multi-tenant SaaS, but rather dedicated infrastructure providing network and database level isolation. That means what we offer is different than say a Stytch that offers a multi-tenant logical isolation.
Most folks that are price conscious run it themselves on EC2 or Render or elsewhere[2].
To be fair, the pricing there is not out of line with other hosted SaaS auth services. The segmentation is also not out of line either.
However, the paywall (for all of these auth services) ends up being quite steep for the couple features that matter for a non-hobby app, such as custom domain name and MFA (totp or hooking up to an external SMS service). Unfortunately it makes these features expensive when you are starting out (paying ~$40 a month for only a handful of users, sort of thing...).
It is nice to see more and more of these services allow you to take out your data and migrate though - including the self-hosted options. Being vendor-locked for your user account data is a really big deal in my opinion. It often means having zero good options if the vendor decides to rake you over the coals one day.
TOTP based MFA is included in the free, community plan.
As I mentioned elsewhere, for folks who are price conscious, self-hosting is the better option.
But I get it! The story I tell internally all the time is that when I was working at a startup, our entirely hosting bill was on the order of $200/month (on Heroku; it was a while ago). There's no way we would have paid $350 just for an identity solution. But we would probably have chosen to host FusionAuth community on heroku for much much less and operated it ourselves.
You should check out FusionAuth if you are looking at KeyCloak. We play in a similar same space (self-hostable, support for SAML, OIDC, OAuth2). I'd say KeyCloak has wider coverage for some of the more esoteric standards and is open source while we have a more modern API, dev-friendly docs, and great (paid) support.
FusionAuth is not open source, but you can self-host it for free and own your data[0]. Or let us run it for you. In the latter case, you still own your data--get it all from our cloud if you want to migrate.
I'm proud that the team wrote an offboarding doc[1]. It's your darn customer data, and every provider should support out-migration.
0: https://fusionauth.io/download
1: https://fusionauth.io/docs/lifecycle/migrate-users/offboard