
Keycloak in production (On-prem vs IaaS vs PaaS vs SaaS)
Been watching teams agonize over Keycloak deployment models. Weeks of debate, decision matrices, the works. And then the constraint that wasn't in the matrix: the team they have doesn't match the model they're picking.
Here's what nobody puts in the slide. The team requirement barely moves between on-prem, IaaS, marketplace, and PaaS. The real shift only kicks in at SaaS.
What actually changes at each level:
- On-prem: infra engineers, a DBA, a Keycloak specialist who can debug a failed rolling upgrade at 2 AM, an SRE to glue it together. A dedicated team.
- IaaS: hardware goes away. Keycloak ops don't. You still need someone who knows what happens to Infinispan sessions during a rolling upgrade.
- Marketplace: day one is magical. Day thirty looks exactly like raw IaaS. The image won't update itself.
- PaaS: less infra to manage. Same Keycloak gotchas. v25 changed Infinispan serialization; your custom SPI still needs a tweak after the upgrade.
- Managed Keycloak / SaaS: team requirement collapses to "someone who understands IAM concepts". Could be a developer.
The right question isn't "what's the best deployment model". It's "what's the best model for the team I have today".
Full breakdown with the team-size implications for each model: https://www.cloud-iam.com/post/keycloak-in-production/
u/Will-from-CloudIAM — 7 days ago