WorkOS AuthKit vs Stack Auth vs Keycloak: B2B SaaS SSO Boilerplate Choice 2026

Pick the right enterprise auth + SSO layer for your B2B SaaS boilerplate in 2026: WorkOS AuthKit, Stack Auth, and Keycloak compared on SSO, SCIM, multi-tenancy, and operational cost.

StarterPick Team

Quick Verdict

For a B2B SaaS boilerplate that has to handle SSO, SCIM, and team management in 2026:

  • WorkOS AuthKit — easiest path to "enterprise-ready in a week." Free up to 1M MAU; SSO/SCIM/Directory Sync charged per connected enterprise. The default for fast B2B launches.
  • Stack Auth — open-source alternative to Clerk/WorkOS. Self-hostable, ships organizations, RBAC, magic links, OAuth, passkeys. The default for "we want enterprise auth without per-customer billing."
  • Keycloak — battle-tested OSS identity platform. Heavier to operate but the strongest customization and standards compliance. Default for regulated, EU, or on-premise deployments.

For a typical B2B SaaS boilerplate launch in 2026: WorkOS AuthKit for speed, Stack Auth if you want open-source and to avoid per-org pricing, Keycloak when compliance dictates.

Key Takeaways

  • All three handle SSO (OIDC/SAML); most handle SCIM provisioning.
  • WorkOS is hosted-only; Stack Auth is hosted or self-hosted; Keycloak is self-hosted (commercial cloud variants exist).
  • Per-enterprise-customer pricing is the differentiator — WorkOS bills per active SSO connection; Stack Auth and Keycloak don't.
  • The "hosted Clerk replacement" lane is now contested — see the Clerk vs Auth0 vs WorkOS comparison for the broader hosted picture.

Decision Table

Scenario | Pick
B2B SaaS launching MVP this quarter, 0–10 enterprise customers | WorkOS AuthKit
B2B SaaS at 50+ enterprise customers, SSO bill is climbing | Stack Auth
EU / regulated, must keep auth on-prem | Keycloak
Need standards-grade OIDC + SAML provider for many client apps | Keycloak
Want a Clerk-shaped UX without Clerk's pricing | Stack Auth
Healthcare / HIPAA boilerplate | Keycloak self-host

What B2B Auth Actually Needs

The line between "user auth" and "B2B auth" is usually:

  • Organizations — the unit of billing and access.
  • Roles + permissions within an org.
  • Invitations for new members.
  • SSO so the customer's IT team can plug in their IdP (Okta, Azure AD, Google Workspace).
  • SCIM so the IdP can provision and deprovision users automatically.
  • Audit log of admin actions.

A consumer auth library covers the first three. Enterprise customers expect the last three on day one of negotiation.
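What the SCIM deprovisioning item above looks like on the application side, as an added example (not code from WorkOS, Stack Auth or Keycloak): it parses a SCIM 2.0 PatchOp body, detects `active` being set to false in either of the two common payload forms, disables the member and revokes their sessions. The `store` layout, the function names and the sample payload are hypothetical and constructed for illustration.

```javascript
// Added example (not vendor code): handle a SCIM 2.0 PatchOp that deactivates a user.
// The store layout, function names and sample payload are hypothetical/constructed.
const PATCH_SCHEMA = 'urn:ietf:params:scim:api:messages:2.0:PatchOp';

// Some IdPs send booleans as strings ("False") and capitalised ops ("Replace").
function toBool(v) {
  if (typeof v === 'boolean') return v;
  if (typeof v === 'string' && /^(true|false)$/i.test(v)) return v.toLowerCase() === 'true';
  return undefined; // unrecognised value: do not guess
}

// Returns true/false when the patch sets `active`, undefined when it does not.
function activeFromPatch(body) {
  if (!body || !Array.isArray(body.schemas) || !body.schemas.includes(PATCH_SCHEMA)) {
    throw new Error('not a SCIM PatchOp');
  }
  let active;
  for (const op of body.Operations || []) {
    const kind = String(op.op || '').toLowerCase();
    if (kind !== 'replace' && kind !== 'add') continue;
    if (typeof op.path === 'string' && op.path.toLowerCase() === 'active') {
      active = toBool(op.value); // form 1: { op, path: "active", value }
    } else if (!op.path && op.value && typeof op.value === 'object' && 'active' in op.value) {
      active = toBool(op.value.active); // form 2: { op, value: { active } }
    }
  }
  return active;
}

// Deactivation also revokes the member's live sessions, so offboarding takes effect now.
function applyScimPatch(store, orgId, userId, body) {
  const member = store.members.get(`${orgId}:${userId}`);
  if (!member) return { status: 404 };
  const active = activeFromPatch(body);
  if (active === undefined) return { status: 200, changed: false };
  member.active = active;
  let revoked = 0;
  for (const [sid, s] of store.sessions) {
    if (!active && s.orgId === orgId && s.userId === userId) { store.sessions.delete(sid); revoked++; }
  }
  return { status: 200, changed: true, active, revoked };
}

// Constructed demo: the IdP sends a capitalised op and a string boolean.
function scimDemo() {
  const members = new Map([['org_1:u_1', { active: true }]]);
  const sessions = new Map([['s1', { orgId: 'org_1', userId: 'u_1' }], ['s2', { orgId: 'org_2', userId: 'u_1' }]]);
  const body = { schemas: [PATCH_SCHEMA], Operations: [{ op: 'Replace', path: 'active', value: 'False' }] };
  return { result: applyScimPatch({ members, sessions }, 'org_1', 'u_1', body), sessionsLeft: [...sessions.keys()] };
}
```

Only the session in the deprovisioned organization is revoked; the same user's membership in another organization is governed by that organization's own directory.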

WorkOS AuthKit

Pricing: Free up to 1M MAU. Add-ons: $125/mo per enterprise SSO connection, plus Directory Sync (SCIM) per connected directory. Audit Logs, MFA, and Magic Auth are included.

Fit: B2B SaaS boilerplates that need enterprise readiness without operating identity infrastructure. Pairs naturally with the most popular Next.js premium boilerplates.

What you get:

  • AuthKit — drop-in hosted login UI (configurable, self-styled).
  • SSO (SAML 2.0, OIDC), Directory Sync (SCIM 2.0), Magic Auth, MFA, OAuth providers.
  • Organizations API — orgs, members, roles, invitations.
  • Audit Logs (CEF/JSON), Admin Portal (your customers configure their own SSO).
  • React, Next.js, Remix, Vue, Astro SDKs.

// Next.js middleware
import { authkitMiddleware } from '@workos-inc/authkit-nextjs';

export const middleware = authkitMiddleware({
  middlewareAuth: { enabled: true, unauthenticatedPaths: ['/'] },
});

Where it bites:

  • Hosted-only — no self-host story.
  • Per-SSO-connection pricing means the bill grows with enterprise customer count. At 20 customers, this is meaningful.
  • Customization of the login UI improved in 2025 but is still less flexible than fully owning it.

Stack Auth

Pricing: Open-source MIT. Stack Auth Cloud is a hosted free tier with paid scaling. No per-organization or per-SSO surcharge.

Fit: B2B SaaS that wants an open-source, ownable, Clerk-shaped auth platform. Boilerplates that target indie B2B and don't want per-org bills.

What you get:

  • Pre-built React UI (<SignIn />, <UserButton />, <TeamSwitcher />, etc.).
  • Organizations / Teams + roles + invitations.
  • OAuth (Google, GitHub, Microsoft, etc.), magic links, passkeys, MFA.
  • Server-side admin SDK in Node, Python.
  • OIDC and SAML SSO support; the open-source self-host option is a key differentiator.
  • Webhooks for user/org events.

// app/handler/[...stack]/page.tsx
import { StackHandler } from '@stackframe/stack';
import { stackServerApp } from '@/stack';

export default function Handler(props: any) {
  return <StackHandler fullPage app={stackServerApp} {...props} />;
}

Where it bites:

  • Younger ecosystem; fewer tutorials and Stack Overflow answers.
  • SCIM / Directory Sync not as polished as WorkOS' offering.
  • Self-host runs Postgres + the Stack Auth server; modest but real ops.

Keycloak

Pricing: Open-source Apache 2.0. Keycloak Cloud (Cloud-IAM, Phase Two, etc.) is community-managed.

Fit: Enterprise, regulated, and large-scale B2B SaaS. Apps that integrate with multiple downstream services and need a true OIDC/SAML provider. The right pick when "self-hosted identity" is a contractual requirement.

What you get:

  • Full OIDC + SAML provider with token customization.
  • SSO from any IdP, brokered to your apps.
  • User federation (LDAP, Active Directory).
  • Role-based and attribute-based access control with fine-grained policies.
  • Themes for fully customizable login UIs.
  • Multi-realm support (effectively multi-tenant identity).

Where it bites:

  • The heaviest operational footprint of the three. Postgres + Keycloak server + horizontal scale + cache (Infinispan) when you grow.
  • Java stack — most JS/TS boilerplate teams hire a dedicated SRE for production deployments.
  • The default UI is dated; theming requires effort.
  • Documentation is comprehensive but not friendly.

Programming Model Comparison

Capability | WorkOS AuthKit | Stack Auth | Keycloak
Hosted | ✅ Only | ✅ + Self-host | Community Cloud
Self-host
Pre-built UI | Limited custom | Full React kit | Themable
Organizations | ✅ Native | ✅ Native | Realms / Groups
SSO (SAML)✅ Best in class
SCIMPartial
OAuth providers
Passkeys
Audit log✅ Webhooks✅ Native
Per-org pricing | ✅ Yes | No | No

Cost at B2B SaaS Scale

A B2B SaaS with 20 enterprise customers all using SSO + SCIM:

  • WorkOS: 20 × ~$125 = ~$2,500/mo for SSO connections (+ SCIM add-on per directory).
  • Stack Auth Cloud: pricing scales with MAU, not orgs — typically $200–500/mo at this scale.
  • Stack Auth self-host: ~$30–60/mo infra.
  • Keycloak self-host: ~$60–150/mo infra (Postgres + Keycloak + replicas) + your engineering time.

Per-customer pricing matters. A boilerplate that ships WorkOS by default is great until customer 30 — at which point the math flips. Many teams migrate off Clerk for similar reasons; the same logic applies to WorkOS at scale.

Boilerplate Adoption

Boilerplate | Default auth
Most premium Next.js boilerplates | Clerk, NextAuth, or Supabase Auth
Enterprise-targeted boilerplates | WorkOS AuthKit
Self-hosted-first boilerplates | Stack Auth or Better Auth
Java / Spring boilerplates | Keycloak
Multi-tenant B2B starters | Increasingly Stack Auth + Better Auth

For the hosted alternative comparison, see Clerk vs Auth0 vs WorkOS.

Implementation Profile

Concern | WorkOS | Stack Auth | Keycloak
Time to first SSO customer | ~1 day | ~3 days | ~1–2 weeks
Custom user model | Limited | Easy | Possible but heavy
Customer-facing admin portal | Built-in | Build it | Build it
Provisioning / SCIM | Built-in | Partial | Configure with effort

WorkOS' Admin Portal is genuinely a differentiator — your enterprise customer's IT lead self-serves their SSO setup, no support ticket. Building the equivalent on Stack Auth or Keycloak is a project.

Multi-tenancy Patterns

The three handle multi-tenancy differently:

  • WorkOS: organizations are first-class objects; you scope by organization_id from the session.
  • Stack Auth: teams are first-class; same pattern.
  • Keycloak: realms (per-tenant identity boundary) or groups within a realm. Realm-per-tenant doesn't scale beyond ~50 tenants.
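The "scope by organization from the session" pattern described for WorkOS and Stack Auth, as an added example (not code from either SDK): the tenant boundary is taken from the verified session only, and an organization id supplied by the client can never widen it. The session shape `{ userId, organizationId, role }`, the helper names and the sample rows are hypothetical.

```javascript
// Added example (not WorkOS or Stack Auth SDK code): scope every query by the
// organization taken from the verified session. The session shape
// { userId, organizationId, role } and the in-memory rows are hypothetical.
class TenantMismatch extends Error {}

// Build a repository bound to one tenant; callers never pass an org id to it.
function repoFor(session, rows) {
  if (!session || !session.organizationId) throw new TenantMismatch('session has no organization');
  const orgId = session.organizationId;
  const mine = (r) => r.organizationId === orgId;
  return {
    list: () => rows.filter(mine),
    // A row in another tenant looks the same as a missing row (no existence oracle).
    get: (id) => rows.find((r) => r.id === id && mine(r)) || null,
    create: (data) => {
      // organizationId in the payload is client-controlled: overwrite it.
      const row = { ...data, organizationId: orgId };
      rows.push(row);
      return row;
    },
    remove: (id) => {
      if (session.role !== 'admin') return false;
      const i = rows.findIndex((r) => r.id === id && mine(r));
      if (i === -1) return false;
      rows.splice(i, 1);
      return true;
    },
  };
}

// Route-level guard: an org id in the URL or body must match the session's org.
function resolveOrg(session, requestedOrgId) {
  if (requestedOrgId !== undefined && requestedOrgId !== session.organizationId) {
    throw new TenantMismatch('org in request does not match session');
  }
  return session.organizationId;
}

// Constructed data: two tenants sharing one table.
function tenantDemo() {
  const rows = [{ id: 'inv_1', organizationId: 'org_a' }, { id: 'inv_2', organizationId: 'org_b' }];
  const repo = repoFor({ userId: 'u1', organizationId: 'org_a', role: 'member' }, rows);
  const created = repo.create({ id: 'inv_3', organizationId: 'org_b' });
  return { visible: repo.list().map((r) => r.id), foreign: repo.get('inv_2'),
           createdOrg: created.organizationId, removed: repo.remove('inv_1') };
}
```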

For broader patterns, see multi-tenancy patterns for SaaS and the multi-tenancy buyer's guide.

What to Pick

  • B2B SaaS launching this quarter → WorkOS AuthKit. Speed wins.
  • B2B SaaS at 30+ enterprise customers → Stack Auth (cloud or self-host).
  • Regulated / EU / on-prem → Keycloak self-host.
  • Greenfield with no enterprise customers yet → start on Better Auth or Stack Auth; layer in WorkOS only for the first SSO contract if you want zero ops.

Migration Notes

  • Clerk → WorkOS: the user export model is straightforward; SSO flows differ. Plan a maintenance window.
  • WorkOS → Stack Auth: doable but requires user data export and password-reset triggers (passwords aren't portable).
  • Anything → Keycloak: usually a rebuild, not a migration. Realm import tools help if your source is OIDC-compliant.

FAQ

Can I run WorkOS on top of my own user database? Yes — WorkOS doesn't insist on owning your user records; their SDKs support a "JWT signed by us, you store the user" pattern.

Does Keycloak support passkeys? Yes, since Keycloak 24+. WebAuthn is first-class.

Can Stack Auth work with my existing Better Auth setup? No — they overlap. Pick one auth platform per app.

SCIM is a hard ask — is it worth shipping early? For B2B selling above $50k ACV, SCIM is usually a deal blocker once they reach IT review. WorkOS makes it cheapest to ship early; Stack Auth and Keycloak require more configuration.


For the full hosted-auth landscape, see Clerk vs Auth0 vs WorkOS and the Better Auth migration guide.
