🛡️ 1. Keycloak — Best All-Around Option
- URL: keycloak.org
- Use Case: SSO + 2FA for multiple internal/external web apps
- AD Integration: Connects to AD via LDAP
- 2FA: TOTP, WebAuthn, OTP via app (Google Authenticator, Authy, etc.)
- Protocols: OIDC, SAML, LDAP
- Extras:
  - Fine-grained role and access control
  - Web-based admin UI
  - Password policies, user federation
🔧 Example: You can run Keycloak as an identity provider (IdP), connect it to AD via LDAP, and use it as the login portal for all your web apps (e.g., Grafana, Jenkins, GitLab, custom apps using OIDC or SAML).
🔐 2. Authelia — Lightweight Reverse Proxy 2FA
- URL: authelia.com
- Use Case: Protect self-hosted apps behind NGINX/Traefik
- AD Integration: Yes (via LDAP)
- 2FA: TOTP, WebAuthn (Duo via plugin)
- Protocols: Works as a reverse proxy gatekeeper, not a full IdP
🔧 Example: Add Authelia in front of internal dashboards like NetBox, Portainer, or Nextcloud via Traefik. When a user logs in, it checks AD credentials, then challenges with TOTP before allowing access.
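The two-step flow described above (AD password check, then a TOTP challenge) as an Authelia configuration fragment. This is an added example, not from the page or the Authelia project: the hostnames, DNs, service account and group name are assumptions, and it uses the pre-4.38 `url` key under `ldap` (later releases renamed it `address`). The `activedirectory` implementation supplies sensible default user and group filters, so none are spelled out here.

```yaml
# Authelia configuration.yml fragment (added example; hostnames, DNs and group are assumed).
# Only the sections relevant to "check AD, then require a second factor" are shown.

authentication_backend:
  password_reset:
    disable: true            # AD owns the password; Authelia must not try to change it
  ldap:
    implementation: activedirectory          # AD-specific attributes and default filters
    url: ldaps://dc01.corp.example.com       # LDAPS only; 4.38+ calls this key `address`
    base_dn: DC=corp,DC=example,DC=com
    additional_users_dn: OU=Users            # assumed OU layout
    additional_groups_dn: OU=Groups
    user: CN=authelia-svc,OU=Service Accounts,DC=corp,DC=example,DC=com
    # Use a read-only service account; prefer supplying the password through
    # AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE instead of this key.
    password: CHANGE_ME

totp:
  issuer: auth.corp.example.com              # label shown in the authenticator app

access_control:
  default_policy: deny                       # anything not matched below is refused
  rules:
    # Internal dashboards: valid AD credentials AND a TOTP/WebAuthn second factor
    - domain:
        - netbox.corp.example.com
        - nextcloud.corp.example.com
      policy: two_factor
    # Portainer is further restricted to one AD group (group name assumed)
    - domain: portainer.corp.example.com
      policy: two_factor
      subject: "group:infra-admins"
```

Traefik then routes each dashboard through a forwardAuth middleware that points at Authelia; with `default_policy: deny`, any host you forget to list is blocked rather than silently let through, which is the safer failure mode for a gatekeeper.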
🛠️ 3. WSO2 Identity Server
- URL: wso2.com/identity-and-access-management
- Use Case: Enterprise SSO + MFA, similar to Keycloak
- AD Integration: Yes, strong LDAP support
- 2FA: SMS, Email, TOTP, WebAuthn, more
- Protocols: SAML, OIDC, SCIM
✅ Why WSO2? Choose it if you’re looking for a highly customizable solution with broad MFA/SSO support and strong scalability.
🧩 4. Gluu Server / Authentik (Honorable Mentions)
- Gluu: Heavyweight, mature open-source IdP (SAML, OIDC, LDAP)
- Authentik: Sleek modern alternative, easy Docker deployment, LDAP-ready
If you’re experimenting or need a minimal front for just a few apps with AD integration, Authentik can be a simpler setup than Keycloak.