OpenLDAP is ancient infrastructure held together by familiarity and the absence of a better option at the time you set it up. Keycloak works, but the Java overhead is real, the UI is clunky, and the user self-service experience is an afterthought. If you're looking for a modern, cloud-native self-hosted IAM that doesn't feel like it was designed in 2005 and actually gives end users a clean interface to manage their own credentials and MFA, the options have improved significantly.
Note: The recommendations below are drawn from sources outside standard IGA platform documentation, and from community consensus. Verify the current state of each project before deploying in production, as open-source tools evolve quickly.
Authentik: The Community Favorite for Modern Self-Hosted IAM
Authentik has become the most commonly recommended modern Keycloak alternative in self-hosted communities, and for the specific frustrations you described — heavy footprint, clunky UI, no user self-service portal — it directly addresses all three.
Why it fits: Authentik is built with a genuinely clean, modern administrative interface. More relevant to your situation, it ships with an out-of-the-box user-facing portal where employees can manage their own profiles, reset passwords, and configure MFA devices without admin intervention. This is the missing piece that Keycloak has always handled poorly.
Architecture: Authentik is container-native and designed for modern deployment environments. It supports SAML, OAuth2, and OIDC seamlessly and handles the standard integration patterns for protecting self-hosted applications behind a reverse proxy.
Tradeoffs: It's written in Python/Django rather than Go, so it's not as lightweight as Zitadel. For small business deployments this is rarely a constraint, but it's worth knowing if resource efficiency is a primary concern.
Zitadel: Cloud-First, Lightweight, and Multi-Tenant Ready
Zitadel is written in Go, which makes it significantly faster and less resource-intensive than Java-based solutions like Keycloak or ForgeRock. If you're running a tight infrastructure budget or deploying in containerized/Kubernetes environments, the footprint difference is meaningful.
Why it fits: Zitadel was built cloud-first from the ground up — designed for Kubernetes and serverless environments rather than retrofitted to them. It provides both a solid administrative UI and a self-service portal for users. Its multi-tenancy design makes it particularly well-suited for organizations managing external project members or freelancers as separate identity populations, which you mentioned as a potential requirement.
Architecture: The Go foundation makes it fast to start up and efficient to run. Standard protocols (OIDC, OAuth2, SAML) are supported, and the API-first design makes it extensible without requiring the Java ecosystem.
Tradeoffs: Zitadel is newer and has a smaller community than Keycloak. The documentation is good but less comprehensive than Keycloak's extensive ecosystem. For a small business deploying for internal use, this is usually manageable.
Ory: Powerful but Headless
Ory (ory.sh) is genuinely modern and cloud-native, and it's well-suited for organizations that want precise control over their identity stack. The caveat matters for your use case: Ory is headless by default.
The Ory ecosystem is composed of separate microservices — Kratos for identity management, Hydra for OAuth2, Keto for permissions, Oathkeeper for the gateway layer. Each is excellent at what it does. Getting them to work together as a cohesive user-facing system requires deploying the Node.js-based UI packages and wiring them together, which is substantially more developer effort than deploying Authentik or Zitadel.
If you have developer resources and want fine-grained control over every layer of the identity stack, Ory is worth the investment. If you want something you can deploy and have working with a reasonable UI in a few hours, Ory is not the right starting point.
Authelia: Right Tool for a Specific Job
Authelia deserves consideration if your primary requirement is protecting internal self-hosted web applications behind a reverse proxy (Traefik, Nginx, Caddy). It's extremely lightweight, provides a clean login screen and 2FA, and integrates cleanly with modern reverse proxy setups.
The scope limitation: Authelia is an authenticating proxy rather than a full IAM directory. It doesn't manage a comprehensive user directory, handle complex provisioning workflows, or provide the user self-service portal you're looking for. For "I want to put authentication in front of my self-hosted apps," it's excellent. For "I want a central identity directory that handles user lifecycle," it's not the right tool.
FreeIPA + Keycloak: The Established Stack for the Complete Use Case
The combination recommended by experienced self-hosters in this thread is FreeIPA for the directory layer (profiles, Kerberos, SSH keys, certificates, access rules) with Keycloak handling SSO on top. FreeIPA has a provider module for Keycloak so they work together without custom integration work.
This stack handles the external user and freelancer scenario well: FreeIPA's host-based access control (HBAC) supports separate groups with different access rules, and certificate generation for VPN can be automated through FreeIPA's Dogtag PKI integration. When a user is created, the certificate can be issued and stored in the user's LDAP userCertificate attribute, which OpenVPN can use for authentication directly.
The tradeoff is that this stack is heavier than Authentik or Zitadel, and the complexity is higher. If you need the full feature set (Kerberos, certificate management, HBAC, sudo rules), FreeIPA + Keycloak is the right architecture. If you need clean SSO and user self-service without the full AD-equivalent feature set, Authentik or Zitadel is simpler.
What to Consider for External Users and Freelancers
Your question about handling external project members came up in the original thread and it's worth addressing specifically. The patterns vary by tool:
Authentik handles external users through separate user types and authentication flows. You can configure external users to authenticate differently from internal employees and restrict their access scope.
Zitadel's multi-tenancy model is particularly clean for the contractor use case — external organizations can be separate tenants with their own identity pools that you grant access to specific resources without merging them into your main identity store.
FreeIPA handles this through HBAC rules and group-based access control — external users get a separate group with different access rules applied at the host level.
For automated VPN certificate generation on user creation: FreeIPA with Dogtag PKI is the most complete self-hosted solution for this. Authentik can integrate with an external CA for certificate issuance but doesn't have the same native PKI depth.
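As an added example, not code from this page or from FreeIPA, Dogtag, OpenVPN or any other project named above: a standard-library Python script that builds the LDIF record for storing a DER certificate in a user's userCertificate attribute (the storage step the FreeIPA section and the VPN note above describe) and then performs the fingerprint comparison a VPN verification hook would make against the stored value. The DN, the DER bytes and the PEM are constructed stand-ins, not a real certificate or directory entry.

```python
import base64
import hashlib

# Constructed stand-ins (not a real certificate or directory entry).
SAMPLE_DER = bytes(range(200))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_DN = "uid=alice,cn=users,cn=accounts,dc=example,dc=com"
LDIF_WIDTH = 76  # RFC 2849 line-length guidance; longer lines are folded


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour; LDAP stores the raw DER bytes, not the PEM text."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, in the form openssl prints."""
    hx = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hx[i:i + 2] for i in range(0, len(hx), 2))


def user_certificate_ldif(dn: str, der: bytes) -> str:
    """LDIF modify record adding a DER cert to userCertificate; binary values
    are base64 after '::' and long lines fold onto space-led continuations."""
    b64 = base64.b64encode(der).decode()
    label = "userCertificate;binary:: "
    first = LDIF_WIDTH - len(label)
    head, tail = b64[:first], b64[first:]
    step = LDIF_WIDTH - 1  # continuation lines carry a leading space
    lines = [label + head] + [" " + tail[i:i + step]
                              for i in range(0, len(tail), step)]
    return (f"dn: {dn}\nchangetype: modify\nadd: userCertificate\n"
            + "\n".join(lines) + "\n-\n")


def ldif_user_certificates(ldif: str) -> list:
    """Unfold the record and decode every userCertificate value it carries."""
    unfolded = ldif.replace("\n ", "")
    return [base64.b64decode(line.split(":: ", 1)[1])
            for line in unfolded.splitlines()
            if line.startswith("userCertificate;binary:: ")]


def cert_matches_directory(presented_der: bytes, ldif: str) -> bool:
    """The check a VPN tls-verify hook would make: does the client's cert
    fingerprint match one stored on the user's directory entry?"""
    want = fingerprint_sha256(presented_der)
    return any(fingerprint_sha256(c) == want
               for c in ldif_user_certificates(ldif))
```

Feed the record to ldapmodify against the directory and compare the fingerprint of the certificate a VPN client presents with the stored value; a mismatch means the client cert was not the one issued for that user.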
A Note on Future Scaling
Whichever self-hosted tool you deploy will handle authentication — the front door. As your organization grows and adopts more third-party SaaS applications, the governance layer becomes a separate requirement. Self-hosted IAM tools don't typically include access reviews, SOC 2 compliance reporting, automated SaaS provisioning, or shadow IT discovery.
If that becomes relevant at some point — you're growing, you're taking on enterprise customers who ask for SOC 2, or you're managing enough SaaS tools that offboarding is a problem — that's when a dedicated IGA platform like Zluri layers on top of your identity foundation to handle governance across the full application stack. But that's a future-state consideration, not a requirement for the self-hosted small business use case you're solving today.
Frequently Asked Questions
What is the best modern self-hosted IAM alternative to Keycloak?
Authentik is the most commonly recommended alternative for organizations that want a clean UI, user self-service portal, and modern container-native deployment without Keycloak's Java overhead. Zitadel is the alternative for organizations that prioritize performance and a cloud-first architecture built on Go. Both support SAML, OAuth2, and OIDC and are significantly more approachable than Keycloak for small teams.
What is Authelia and when should you use it?
Authelia is a lightweight authenticating proxy designed to protect self-hosted web applications behind a reverse proxy. It provides clean login screens and 2FA but is not a full IAM directory — it doesn't manage a comprehensive user store or handle complex provisioning workflows. Use it when your primary need is authentication in front of specific self-hosted apps. Use Authentik or Zitadel when you need a full identity directory with user lifecycle management.
How do you handle external users and freelancers in a self-hosted IAM?
The pattern depends on the tool. Zitadel's multi-tenancy model is designed for external organizations as separate tenants. FreeIPA handles external users through separate groups with HBAC rules limiting their access scope. Authentik supports separate authentication flows and user types for external identities. The right choice depends on whether you need network-level access control (FreeIPA/HBAC) or application-level SSO control (Authentik/Zitadel).
Is Ory suitable for a small business self-hosted IAM deployment?
Ory is powerful and cloud-native but headless by default — the separate microservices (Kratos, Hydra, Keto) require developer effort to wire together into a cohesive user-facing system. For small teams that want to deploy and have a working IAM quickly, Authentik or Zitadel is a better starting point. Ory is worth the investment if you have developer resources and want precise control over every layer of the identity stack.