Keycloak is an open source and easy way (it boasts 'no code') Identity and Access Management. It works with 'single sign on' (SSO) too, which is the main reason I am investigating it.

For SSO users authenticate with keycloak and it handles things from there, so no login forms and validation code. It can also bridge with Kerberos (LDAP or AD), so once they have logged in on their workstation they will be authenticated automatically.

Nomenclature

Realm
A case sensitive name given to a particular domain or area where you will be issued a challenge. This means there could be a page or group of pages where credentials are needed. It comes from the Latin 'regimen' meaning 'government'

I first went to keycloak getting started tutorials. I used the latest Docker container (https://hub.docker.com/r/jboss/keycloak/) instead of installing locally.

Run with:

docker run -p 8080:8080 -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> jboss/keycloak  

Then continue the tutorial at http://localhost:8080/auth.