Transparent and continuous migration from one keycloak to another
cloud-iam/external-keycloak-user-provider
Keycloak to Keycloak User Federation. Import users, roles and groups stored in external Keycloak servers without downtime.
Note: this Keycloak extension is provided as a paid option for every managed Keycloak subscription on Cloud-IAM.
This tutorial involves two Keycloak cluster deployments:
- Destination Deployment: a fresh deployment, without realms, users, roles or groups.
- Source Deployment: a deployment running the production workload, containing all of the customer's current users, roles and groups that we want to import into the Destination Deployment.
Once connected to the Cloud-IAM dashboard, select the Destination Deployment that will import all users and upload the import-keycloak-user-storage.jar custom extension.
Cloud-IAM will then automatically update the Destination Deployment Keycloak nodes.
Export the realm configuration (groups, roles and clients) from the Source Deployment.
In the Destination Deployment Keycloak console, create a new realm (realms list -> new) and select the previously exported realm file in the realm creation form.
The Destination Deployment now has a new realm with the imported groups, roles and clients, and no users.
It's now time to set up the continuous import of users from the Source Deployment to our Destination Deployment.
In the Destination Deployment realm, create a new User Federation with our external-keycloak-user-storage provider.
First, double check that the Source Deployment database can be reached from the Cloud-IAM Destination Deployment servers.
Contact [Cloud-IAM support](mailto:support@cloud-iam.com) to receive the list of IP addresses of your Keycloak cluster deployment and add them to the database connection allowlist.
Then type the Source Deployment database connection string using the following format:
jdbc:postgresql://{database_ip_address}:{database_port}/{database_name}
Don't forget to also set the name of the realm to import from the Source Deployment in the Original realm input.
The User Federation extension is now fully configured and ready to import users from the Source Deployment.
Our Source Deployment has two users in the realm we wish to import, each with a custom role my-role-* attached:
- username production-user-1 (email production-user-1@plop.com), assigned roles: my-role-1, offline_access, uma_authorization
- username production-user-2 (email production-user-2@plop.com), assigned roles: my-role-2, offline_access, uma_authorization
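Before the first login, it is worth checking two things on the Source Deployment database from the same network path the Destination Deployment will use: that the federation connection only gets the privileges it needs, and what the provider will actually see in the source realm. The SQL below is an added example, not part of this extension; it assumes a PostgreSQL database named keycloak, the standard Keycloak table layout (realm, user_entity, keycloak_role, user_role_mapping, keycloak_group, user_group_membership), the realm name production from this tutorial, and that the provider only needs read access (adjust if it reports permission errors).

```sql
-- Added example, not part of the external-keycloak-user-provider extension.
-- Run as a superuser on the Source Deployment PostgreSQL database.

-- 1. Least-privilege credentials for the federation connection string.
--    ASSUMPTION: the provider only reads the source database.
--    The database name, role name and password are placeholders.
CREATE ROLE keycloak_federation_ro LOGIN PASSWORD 'REPLACE_WITH_STRONG_PASSWORD';
GRANT CONNECT ON DATABASE keycloak TO keycloak_federation_ro;
GRANT USAGE ON SCHEMA public TO keycloak_federation_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO keycloak_federation_ro;

-- 2. Preview what the Destination Deployment will import from the
--    "production" realm: each user with its directly mapped realm roles
--    (client roles are excluded) and its group memberships.
--    Run this part as keycloak_federation_ro to confirm the grants suffice.
SELECT u.username,
       u.email,
       u.enabled,
       COALESCE(string_agg(DISTINCT r.name, ', ' ORDER BY r.name), '') AS realm_roles,
       COALESCE(string_agg(DISTINCT g.name, ', ' ORDER BY g.name), '') AS group_names
FROM realm rl
JOIN user_entity u               ON u.realm_id = rl.id
LEFT JOIN user_role_mapping urm  ON urm.user_id = u.id
LEFT JOIN keycloak_role r        ON r.id = urm.role_id AND r.client_role = false
LEFT JOIN user_group_membership ugm ON ugm.user_id = u.id
LEFT JOIN keycloak_group g       ON g.id = ugm.group_id
WHERE rl.name = 'production'
GROUP BY u.id, u.username, u.email, u.enabled
ORDER BY u.username;
```

With the two users from this tutorial, the preview returns one row per user listing my-role-1 or my-role-2 among the realm roles; a connection error or an empty result here points at the allowlist, the connection string or the realm name rather than at the provider.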
Logging in to the Destination Deployment production realm with production-user-1 credentials will automatically import that user, along with its assigned groups and roles, from the Source Deployment to the Destination Deployment.
Each user who logs in for the first time is automatically imported into the Destination Deployment realm, with its roles and groups assigned.
🎉 Congrats, your first user was imported!
- Roles and groups created on the Source Deployment after the realm was exported and imported into the Destination Deployment won't be imported, nor assigned to imported users.