Keycloak has some learning curve, but it’s the best OpenID Connect client and the most configurable and feature rich open source SSO system with the fewest major issues that I’ve used. And I use traefik for a reverse proxy, so for things that don’t support SSO directly thomseddon/traefik-forward-auth works flawlessly with Keycloak to provide an auth layer to those apps.