I was halfway through making a new post about this when I realised I was basically duplicating your work @wouter. Thank you for starting this! I wonder if it’s worth adding “SSO” to the title to make clear that this is the place to discuss it.
One thing I wanted to add to the “pain points” is that operational members need at least 4 sets of credentials per person: Discourse, Nextcloud, Greenlight (possibly ×2), and Kimai.
And, on the technical platform, I thought it would be helpful to drop in the earlier thoughts from the tech circle:
As a post-script, Autonomic uses Keycloak and it’s OK but I share @unteem’s concerns with the UI.
Nextcloud also now does support OIDC so maybe hyda is a better solution, although it doesn’t sound like any of us has personal experience with it.
Last I checked a couple of months ago, Kimai doesn’t support any SSO protocols (LDAP, SAML, or OIDC) and the only option for login integration is LDAP – but I don’t think that should hold us up.
Autonomic could potentially help with implementation, especially if any budget can be allocated to this work.