Keycloak vs AWS Cognito: Which Should You Choose?

Guilliano Molaire, 8 min read

Last updated: March 2026

Choosing an identity and access management (IAM) solution comes down to trade-offs: convenience versus control, managed services versus portability, and short-term speed versus long-term flexibility. Keycloak and AWS Cognito are two of the most widely adopted options, but they come from fundamentally different philosophies.

Cognito is a fully managed AWS service designed to reduce operational overhead for teams already invested in the AWS ecosystem. Keycloak is an open-source identity provider that runs anywhere and gives you complete control over your authentication infrastructure.

This guide compares them across the dimensions that matter most: pricing at scale, customization depth, federation capabilities, vendor lock-in risk, and migration difficulty. Both are capable tools. The right choice depends on your constraints.

Architecture Overview

AWS Cognito

Cognito splits identity into two services:

  • User Pools: Handle user registration, authentication, and token issuance (OIDC/OAuth 2.0)
  • Identity Pools (Federated Identities): Map authenticated users to AWS IAM roles for accessing AWS resources

This split architecture is powerful for AWS-native applications but creates complexity when you need to interact with non-AWS services. User Pools handle the authentication layer, while Identity Pools bridge the gap between authenticated users and AWS resource permissions.

Keycloak

Keycloak is a monolithic identity server that handles everything in one place.

Keycloak runs as a Java application backed by a relational database. You deploy it wherever you want: on-premises, in any cloud, or through a managed service like Skycloak.

Feature Comparison

| Feature | Keycloak | AWS Cognito |
|---|---|---|
| Protocol Support | OIDC, OAuth 2.0, SAML 2.0 | OIDC, OAuth 2.0 (SAML for federation only) |
| User Federation | LDAP, Active Directory, custom SPIs | Limited SAML/OIDC federation |
| Social Login | 20+ built-in providers + custom | Google, Apple, Facebook, Amazon, OIDC/SAML |
| MFA | TOTP, WebAuthn, SMS, email, custom | TOTP, SMS, email |
| Branding | Full theme customization (FreeMarker/React) | Limited UI customization |
| SCIM Support | Yes (with extensions) | No native support |
| User Limits | Unlimited (database-bound) | 40M users per pool (soft limit) |
| Self-Hosted | Yes | No |
| Admin API | Full REST API | AWS SDK/CLI |
| Audit Logs | Built-in event system | CloudTrail integration |
| Session Management | Granular control | Basic session settings |
| Custom Auth Flows | Authentication SPI | Lambda triggers |
| Multi-Tenancy | Realms + Organizations | Separate user pools |
| Open Source | Yes (Apache 2.0) | No |

Pricing at Scale

This is where the difference becomes stark.

Cognito Pricing

Cognito charges per monthly active user (MAU):

  • First 50,000 MAUs: Free
  • 50,001 – 100,000: $0.0055/MAU
  • 100,001 – 1,000,000: $0.0046/MAU
  • 1,000,000 – 10,000,000: $0.00325/MAU
  • Over 10,000,000: $0.0025/MAU

Additional costs apply for advanced security features (compromised credentials detection, adaptive authentication) at $0.050/MAU, and SMS-based MFA incurs per-message SNS charges.

For a B2B SaaS with 100,000 users using advanced security:

  • Base cost: ~$275/month
  • Advanced security: ~$5,000/month
  • SMS MFA (estimated): ~$500/month
  • Total: ~$5,775/month

Keycloak Pricing

Keycloak itself is free. Your costs are infrastructure:

  • Self-hosted on AWS: EC2/ECS instances + RDS database. A production-grade setup runs approximately $200-600/month depending on high availability requirements.
  • Managed via Skycloak: Predictable pricing that includes infrastructure, updates, monitoring, and support. Check our pricing page for current plans.

At scale, the cost difference is significant. Cognito’s per-MAU pricing means costs grow linearly with your user base. Keycloak’s infrastructure costs stay relatively flat regardless of user count.
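To make the per-MAU versus flat-cost argument concrete, here is an added example (not part of the original post) that turns the tiers listed above into a calculator and finds the MAU count at which Cognito passes a flat self-hosted budget. It assumes marginal billing (each user billed at its own tier's rate) and treats the tier boundaries as inclusive upper bounds; the prices are the article's figures, not live AWS data.

```python
# Added example (not from the original post): the article's Cognito MAU tiers as a
# marginal-rate calculator, plus the MAU count at which Cognito overtakes a flat
# monthly Keycloak infrastructure budget. Prices are the article's, not live AWS data.

# (inclusive upper bound of the tier, price per MAU in that tier); None = open-ended
COGNITO_TIERS = [
    (50_000, 0.0),          # free tier
    (100_000, 0.0055),
    (1_000_000, 0.0046),
    (10_000_000, 0.00325),
    (None, 0.0025),
]
ADVANCED_SECURITY_PER_MAU = 0.05  # article: $0.050/MAU, charged on every MAU


def cognito_monthly_cost(mau: int, advanced_security: bool = False) -> float:
    """Monthly Cognito user-pool cost for `mau` active users, excluding SMS/SNS
    charges. Each user is billed at the rate of the tier they fall into."""
    cost, lower = 0.0, 0
    for upper, rate in COGNITO_TIERS:
        if upper is None or mau <= upper:
            cost += (mau - lower) * rate
            break
        cost += (upper - lower) * rate
        lower = upper
    if advanced_security:
        cost += mau * ADVANCED_SECURITY_PER_MAU
    return round(cost, 2)


def breakeven_mau(flat_monthly_cost: float, advanced_security: bool = False) -> int:
    """Smallest MAU count at which Cognito costs more than a flat budget.
    Binary search works because the cost curve never decreases."""
    lo, hi = 0, 100_000_000
    while lo < hi:
        mid = (lo + hi) // 2
        if cognito_monthly_cost(mid, advanced_security) > flat_monthly_cost:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    for users in (50_000, 100_000, 1_000_000, 10_000_000):
        print(f"{users:>10,} MAU: ${cognito_monthly_cost(users):>10,.2f}"
              f"  with advanced security: ${cognito_monthly_cost(users, True):>10,.2f}")
    print("Cognito passes a $600/month self-hosted budget at", breakeven_mau(600), "MAU")
```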

Use the IAM ROI Calculator to estimate costs for your specific user base and see how different solutions compare.

Customization

Cognito Customization

Cognito provides customization through Lambda triggers at specific points in the authentication flow:

  • Pre sign-up
  • Pre authentication
  • Post authentication
  • Pre token generation
  • Custom message (email/SMS)
  • Define auth challenge (custom flows)

These work well for simple modifications, but they have limitations. Each trigger adds latency (Lambda cold starts), you are constrained to the trigger points AWS exposes, and debugging Lambda-based auth flows across multiple triggers is cumbersome.
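As an added example (not code from the original post or from AWS), a Pre token generation handler shows what living inside one of these trigger points looks like, including the fail-closed checks a practitioner would add; the `custom:tenant_id` attribute name and the claim allow-list are assumptions for illustration.

```python
# Added example (not from the original post): a Cognito "Pre token generation"
# trigger handler, the hook Cognito exposes for shaping ID-token claims (the
# Keycloak counterpart would be a protocol mapper). The attribute name
# `custom:tenant_id` and the claim allow-list are assumptions for illustration.

ALLOWED_CLAIMS = {"tenant_id", "plan"}  # custom attributes we agree to issue as claims
CUSTOM_PREFIX = "custom:"


def lambda_handler(event: dict, context=None) -> dict:
    # Fail closed if wired to the wrong trigger point: each Cognito trigger has
    # its own event shape, and a mismatch would silently produce bad tokens.
    source = event.get("triggerSource", "")
    if not source.startswith("TokenGeneration_"):
        raise ValueError(f"unexpected triggerSource {source!r}")

    attributes = event["request"]["userAttributes"]
    # Copy only allow-listed custom attributes, never all of them: users can
    # often edit their own attributes, and claims are trusted by every API.
    claims = {}
    for name, value in attributes.items():
        if name.startswith(CUSTOM_PREFIX) and name[len(CUSTOM_PREFIX):] in ALLOWED_CLAIMS:
            claims[name[len(CUSTOM_PREFIX):]] = value
    if "tenant_id" not in claims:
        # Raising aborts the sign-in; better than issuing a token with no tenancy.
        raise PermissionError("user has no tenant assigned")

    # Version 1 of this trigger can only override ID-token claims.
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": claims,
        "claimsToSuppress": [CUSTOM_PREFIX + c for c in claims],  # no raw duplicates
    }
    return event


def sample_event(tenant=None) -> dict:
    """Constructed event in the shape Cognito sends for this trigger (not a capture)."""
    attributes = {"sub": "00000000-0000-0000-0000-000000000000", "email": "dev@example.com",
                  "custom:internal_note": "never-in-a-token"}
    if tenant is not None:
        attributes["custom:tenant_id"] = tenant
    return {
        "triggerSource": "TokenGeneration_Authentication",
        "request": {"userAttributes": attributes, "groupConfiguration": {"groupsToOverride": []}},
        "response": {"claimsOverrideDetails": None},
    }
```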

The hosted UI customization is limited. You can change colors, add a logo, and modify CSS, but you cannot fundamentally alter the page structure or add custom components. For full control, you must build your own UI and use the Cognito SDK directly.

Keycloak Customization

Keycloak’s customization runs deeper:

  • Themes: Full control over login, registration, account management, and admin console UIs. You can use FreeMarker templates or build completely custom React-based themes.
  • Authentication SPIs: Create entirely custom authentication flows, add new authenticator types, or modify existing ones. This is not limited to predefined hook points.
  • Event Listeners: React to any event in the system (login, logout, registration, admin actions) with custom handlers.
  • Protocol Mappers: Control exactly what goes into tokens (claims, roles, attributes).
  • User Storage SPIs: Federate with any user store, not just LDAP.

The trade-off is that Keycloak customization requires Java/Jakarta EE knowledge, while Cognito customization uses Lambda (Node.js, Python, etc.). However, Keycloak’s branding capabilities mean you can create a login experience that is indistinguishable from a native part of your application.

Federation and Identity Providers

Cognito

Cognito supports federation through:

  • Social providers: Google, Apple, Facebook, Amazon, and any OIDC-compliant provider
  • SAML identity providers (inbound federation)
  • OIDC identity providers

However, Cognito does not support LDAP or Active Directory federation directly. You need to use Amazon Directory Service or build a Lambda-based bridge. For organizations with existing on-premises directories, this adds significant complexity.

Keycloak

Keycloak has broader federation capabilities:

  • All major social providers built-in
  • SAML 2.0 (both SP and IdP)
  • OIDC (both RP and OP)
  • LDAP and Active Directory with real-time sync
  • Kerberos/SPNEGO
  • Custom identity provider SPIs

Keycloak can act as both an identity provider and a service provider, making it versatile for enterprise environments where you need to broker identities between multiple systems. See our guide on identity provider integration for more details.

If you work with SAML-based federation, the SAML Decoder is helpful for debugging SAML assertions during setup.
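As an added example (not the SAML Decoder's own code), here is the core of such a decoder in Python: it undoes the HTTP-POST or HTTP-Redirect binding encoding and summarizes the fields to check first when federation setup fails. The sample response is constructed, not captured from a real identity provider.

```python
# Added example (not from the original post): what a SAML decoder does when debugging a
# federation setup. The sample response is constructed, not captured from a real IdP.
import base64
import zlib
from datetime import datetime
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def decode_saml_message(encoded: str) -> str:
    """HTTP-POST binding is plain base64; HTTP-Redirect is base64 over a raw DEFLATE
    stream (no zlib header), so inflate when the decoded bytes are not XML."""
    raw = base64.b64decode(encoded)
    if not raw.startswith(b"<"):
        raw = zlib.decompress(raw, -15)  # wbits=-15 selects raw deflate
    return raw.decode("utf-8")

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def summarize_response(xml_text: str, now_iso: str) -> dict:
    """Fields to check first when setup fails. This only inspects the message: verifying
    the signature and trusting its certificate is the SP's job (Keycloak's, here)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "expired": _ts(conditions.get("NotOnOrAfter")) <= _ts(now_iso),
        # A Signature element being present says nothing about whether it verifies.
        "has_signature": assertion.find("ds:Signature", NS) is not None,
    }

# Constructed sample, encoded once as the POST binding sends it and once as Redirect does.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    '<saml:Issuer>https://idp.example.com</saml:Issuer><samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion '
    'ID="_a1" Version="2.0"><saml:Subject><saml:NameID>dev@example.com</saml:NameID>'
    '</saml:Subject><saml:Conditions NotOnOrAfter="2026-03-01T12:05:00Z"><saml:AudienceRestriction>'
    '<saml:Audience>https://sp.example.com/saml</saml:Audience></saml:AudienceRestriction>'
    '</saml:Conditions></saml:Assertion></samlp:Response>')
SAMPLE_POST = base64.b64encode(SAMPLE_XML.encode()).decode()
_deflate = zlib.compressobj(wbits=-15)
SAMPLE_REDIRECT = base64.b64encode(_deflate.compress(SAMPLE_XML.encode()) + _deflate.flush()).decode()
```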

Vendor Lock-In

This is perhaps the most important consideration for long-term planning.

Cognito Lock-In Risks

Cognito integrates tightly with the AWS ecosystem:

  • User data: Stored in Cognito with no built-in export tool. You can export user attributes via the API, but you cannot export passwords (they are hashed with Cognito-specific algorithms).
  • Lambda triggers: Your authentication logic lives in AWS Lambda functions that use Cognito-specific event structures.
  • Identity Pools: AWS IAM role mapping has no equivalent outside AWS.
  • SDK dependency: Client applications use the AWS Amplify SDK or Cognito-specific SDKs.

If you decide to leave AWS or switch identity providers, you face a painful migration. Every user must reset their password (you cannot migrate password hashes), and all client applications must be updated.

Keycloak Portability

Keycloak runs anywhere Java runs:

  • Data ownership: Your database, your data. Export and import realm configurations, users, and settings as JSON.
  • Standard protocols: Applications integrate via standard OIDC/SAML, not vendor-specific SDKs. Switching from Keycloak to another OIDC provider requires changing configuration, not code.
  • Infrastructure flexibility: Move between clouds, on-premises, or managed services without changing your identity layer.

The portability argument is strong for companies that may change cloud providers, operate in multi-cloud environments, or want to avoid single-vendor dependency.

Multi-Tenancy

Cognito

Cognito handles multi-tenancy by creating separate user pools per tenant. This provides strong isolation but creates management overhead:

  • Each pool has its own configuration, which must be kept in sync
  • There is a default limit of 1,000 user pools per account (can be increased)
  • Cross-pool operations require custom code
  • No built-in tenant management UI

Keycloak

Keycloak supports multi-tenancy through realms, and recent versions (25+) have added an Organizations feature for more granular tenant management within a single realm. This gives you flexibility:

  • Realm-per-tenant: Strong isolation, similar to Cognito’s approach
  • Organizations within a realm: Lighter-weight tenancy with shared configuration and simpler management

For B2B SaaS applications, Keycloak’s multi-tenancy model is generally more flexible. See our post on fine-grained authorization in Keycloak for related access control patterns.

Developer Experience

Cognito

  • AWS SDKs are mature and well-documented
  • Amplify provides a high-level abstraction that simplifies common flows
  • CloudFormation/CDK support for infrastructure-as-code
  • Tight integration with API Gateway, ALB, and other AWS services
  • The AWS console UI for Cognito can be confusing (especially the User Pool vs Identity Pool split)

Keycloak

  • Comprehensive documentation covering administration, development, and operations
  • Admin REST API for automation
  • Docker-based local development (use the Docker Compose Generator for quick setup)
  • The Keycloak Config Generator can scaffold realm configurations
  • Active open-source community with regular releases
  • Admin console UI is intuitive once you understand the realm/client model

Security

Both solutions provide strong security foundations, but they approach it differently.

Cognito benefits from AWS’s security infrastructure: automatic patching, DDoS protection, and compliance certifications (SOC, HIPAA, PCI DSS). However, you have limited visibility into the security implementation.

Keycloak gives you full visibility and control. You can review the source code, implement custom security policies, and configure audit logs exactly how you need them. The trade-off is that you are responsible for keeping Keycloak updated and properly configured. Skycloak handles this responsibility for managed deployments.

Both support multi-factor authentication, but Keycloak offers more MFA options including WebAuthn/FIDO2, which Cognito does not natively support.

Migration Considerations

Migrating from Cognito to Keycloak

If you are considering moving from Cognito to Keycloak:

  1. User data: Export user attributes via the Cognito API. You cannot export password hashes, so users will need to reset passwords or you will need to implement a lazy migration (authenticate against Cognito on first login, then store in Keycloak).
  2. Client applications: If you used standard OIDC flows, the migration is straightforward: change the issuer URL and client configuration. If you used Amplify or Cognito-specific SDKs, more refactoring is needed.
  3. Lambda triggers: Map your Lambda trigger logic to Keycloak Authentication SPIs or Event Listeners.
  4. MFA: TOTP seeds can potentially be migrated if you stored them separately.

Migrating from Keycloak to Cognito

Moving in the opposite direction is also possible but has similar password hash challenges. Keycloak’s standard OIDC integration makes the client-side migration simpler than moving away from Cognito.

When to Choose Each

Choose AWS Cognito when:

  • Your entire stack is on AWS and you want tight integration with API Gateway, ALB, and IAM
  • You have fewer than 50,000 users (free tier)
  • Your customization needs are simple (basic Lambda triggers are sufficient)
  • You do not need LDAP/AD federation
  • Vendor lock-in to AWS is acceptable for your business

Choose Keycloak when:

  • You need full control over your identity infrastructure
  • You are operating at scale where per-MAU pricing becomes expensive
  • You need deep customization (custom auth flows, themes, protocol mappers)
  • You require LDAP/AD federation or complex identity brokering
  • Multi-cloud or hybrid deployments are in your roadmap
  • You need SAML 2.0 support (as both IdP and SP)
  • Data sovereignty or compliance requires self-hosted identity

Choose Managed Keycloak (Skycloak) when:

  • You want the power and flexibility of Keycloak without the operational burden
  • You need guaranteed uptime and professional support
  • Your team wants to focus on application development, not infrastructure management
  • You want built-in monitoring and insights without setting up observability tools

Try Skycloak

If Keycloak’s flexibility is what you need but managing infrastructure is not something you want to take on, Skycloak gives you a fully managed Keycloak instance with automatic updates, backups, monitoring, and high availability. See our pricing to compare plans, or use the ROI Calculator to see how it stacks up against Cognito at your scale.

Written by Guilliano Molaire, Founder

Guilliano is the founder of Skycloak and a cloud infrastructure specialist with deep expertise in product development and scaling SaaS products. He discovered Keycloak while consulting on enterprise IAM and built Skycloak to make managed Keycloak accessible to teams of every size.

Ready to simplify your authentication?

Deploy production-ready Keycloak in minutes. Unlimited users, flat pricing, no SSO tax.

© 2026 Skycloak. All Rights Reserved. Design by Yasser Soliman