I have been using keycloak as my identity management solution for a couple of years now, and I have yet to see a different OSS solution that might make me consider a change.

In integration testing, staging and production systems, I am using a keycloak docker container with a postgresql companion container holding the data. While the keycloak admin console does offer export/import functionality to a certain extent, it is limited: users cannot be exported, neither can secrets (passwords etc.). There is however a keycloak-provided way of accomplishing this.

When starting up, keycloak checks for a bunch of system properties that control migration actions, export and import in particular. The following settings will make keycloak export all realms, client and user settings inclusive of their passwords:

-Dkeycloak.migration.action=export
-Dkeycloak.migration.provider=singleFile
-Dkeycloak.migration.file=/export/kcdump.json

Upon the next start-up, keycloak will write all details out to a file named /export/kcdump.json (in this example). There is also an alternative where you can have keycloak write a separate file per realm and another separate file for the users in a realm. If that's what you want (my favorite), you will have to go with the dir provider instead of the singleFile option, and you'll have to configure a directory name rather than a file name. This is how it looks like:

-Dkeycloak.migration.action=export
-Dkeycloak.migration.provider=dir
-Dkeycloak.migration.dir=/export

That way, you will end up with files master-realm.json, master-users-0.json, someother-realm.json, someother-users-0.json (if e.g. you have two realms named master and someother).

The process of importing from above json files into a fresh keycloak database will most likely not surprise you:

-Dkeycloak.migration.action=import
-Dkeycloak.migration.provider=singleFile
-Dkeycloak.migration.file=/export/kcdump.json
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING

I think this an elegant way to "clone" a setup. Furthermore: json files are good candidates to be customized using an automated deployment tool such as e.g. Ansible. That's what I ususally do: I create jinja2 templates from the json realm definitions, customize them by injecting the variable values I need and then spin up a keycloak container that imports the customized files into the database. The official keycloak documentation for this feature can be found here: https://www.keycloak.org/docs/6.0/server_admin/#_export_import.