Keycloak to Keycloak User Federation. Import users, roles and groups stored in external Keycloak servers without downtime.

Note: this Keycloak extension is provided as an paid option for every managed keycloak subscriptions on Cloud-IAM.

This tutorial will talk about two Keycloak cluster deployments:

• Destination Deployment: a fresh new deployment, without realms, users, roles and groups.

• Source Deployment: a deployment with production workload, contains all the customer current users, roles, groups that we would like to import to Destination Deployment.

Once connected to Cloud-IAM dashboard, select the Destination Deployment that will import all users and upload the import-keycloak-user-storage.jar custom extension.

Cloud-IAM will then automatically update the Destination Deployment Keycloak nodes.

Export the realm configuration (groups, roles and clients) from the Source Deployment.

Inside Destination Deployment Keycloak console, create a new realm (realms list -> new) and specify in the realm creation form the previously exported realm file.

Destination Deployment now has new realm with the imported groups, roles and clients and no users.

It's now time to setup the continuous import of users from Source Deployment to our Destination Deployment.

In Destination Deployment realm, create a new User Federation with our external-keycloak-user-storage provider.

First double check that Source Deployment database can be accessed from Cloud-IAM Destination Deployment servers.

Contact [Cloud-IAM support](mailto:[email protected]) to receive your Keycloak cluster deployment IP addresses list and add them to the database connection allowlist.

Then type the Source Deployment database connection string using the following format:

jdbc:postgresql://{database_ip_address}:{database_port}/{database_name}

Don't forget to also check the realm name to import from Source Deployment in the Original realm input.

The User Federation extension is now fully configured and ready to import users from Source Deployment.

Our Source Deployment has two users in the realm we wish to import, each one has a custom role my-role-* attached:

• username production-user-1 (email [email protected])

  • assigned roles: my-role-1 offline_access uma_authorization

• username production-user-2 (email [email protected])

  • assigned roles: my-role-2 offline_access uma_authorization

Logging in into Destination Deployment production realm with production-user-1 credentials will automatically import it — along with its assigned groups and roles — from Source Deployment to Destination Deployment.

Each new user logged will be automatically imported into Destination Deployment destination realm.

Each user is imported with its roles and groups automatically assigned.

🎉 Congrats, your first user was imported!

• Each new roles and groups created on Source Deployment after the realm creation and import on Destination Deployment won't be imported nor assigned to imported users.