
Migrating to Cloud-IAM

When migrating from a self-hosted Keycloak version to the fully managed Cloud-IAM version, most customers need to export their full Keycloak configuration, including realm configuration, users, client configurations, user federation and so on.

Several options are possible, depending on the database size, customizations, extensions and existing infrastructure.

Keycloak export as JSON

This option is suitable for small deployments that tolerate a data freeze for a few hours. This process is slow and cannot be used for large databases. However, the customer is completely autonomous in handling the process.

It is based on the Keycloak built-in feature that exports the whole Keycloak configuration to JSON files. Those files can be imported in the Keycloak console.

Once imported, the customer can simply switch the application to point directly to the freshly populated Cloud-IAM deployment (easier with a DNS indirection).

1 - Create an export on self-hosted Keycloak deployment

On the customer's self-hosted deployment, use the Keycloak full export feature to export all your data into a single file.

2 - Import exported file into the Keycloak Console of a Cloud-IAM deployment

  • Go to Cloud-IAM's Dashboard
  • Select the Keycloak deployment
  • Open Keycloak console
  • Click on "Import" (from the sidebar)
  • Keycloak console might display "Partial import" as a title, but it is in fact also able to execute a full import based on the previously exported file
  • Select the file
  • Click on "Import"
  • Welcome to Cloud-IAM

TIP

"Script upload is disabled" Keycloak error on import

When importing a previous export, the Keycloak console might display, depending on the customer's Keycloak version, a "Script upload is disabled" error. This can be fixed by activating the "Write custom authenticators using JavaScript" option in the configuration tab of Cloud-IAM's dashboard.
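A pre-import check for the condition in the tip above, as an added example (not Cloud-IAM's or Keycloak's own code): it walks an export file and lists the script-based components in it. The provider ids and the JSON layout are assumed from upstream Keycloak realm exports, and the sample realm is constructed.

```python
import json

# Provider ids of Keycloak's script-based components (assumed from upstream
# Keycloak; this page does not list them).
SCRIPT_MAPPERS = {"oidc-script-based-protocol-mapper", "saml-javascript-mapper"}
SCRIPT_AUTHENTICATOR = "auth-script-based"
SCRIPT_POLICY_TYPE = "js"


def find_script_components(export):
    """List (realm, kind, location) for each script-based component in an export."""
    realms = export if isinstance(export, list) else [export]
    findings = []
    for realm in realms:
        name = realm.get("realm", "?")
        clients = realm.get("clients") or []
        # Protocol mappers hang off both clients and client scopes.
        owners = [("client", c.get("clientId"), c) for c in clients]
        owners += [("clientScope", s.get("name"), s) for s in realm.get("clientScopes") or []]
        for kind, owner, obj in owners:
            for m in obj.get("protocolMappers") or []:
                if m.get("protocolMapper") in SCRIPT_MAPPERS:
                    findings.append((name, "mapper", f"{kind}:{owner}/{m.get('name')}"))
        # JavaScript policies of authorization-enabled clients.
        for c in clients:
            for p in (c.get("authorizationSettings") or {}).get("policies") or []:
                if p.get("type") == SCRIPT_POLICY_TYPE:
                    findings.append((name, "policy", f"client:{c.get('clientId')}/{p.get('name')}"))
        # Script authenticators used as executions in authentication flows.
        for flow in realm.get("authenticationFlows") or []:
            for ex in flow.get("authenticationExecutions") or []:
                if ex.get("authenticator") == SCRIPT_AUTHENTICATOR:
                    findings.append((name, "authenticator", f"flow:{flow.get('alias')}"))
    return findings


# Constructed sample export, trimmed to the fields the check reads.
SAMPLE_EXPORT = json.loads("""
{"realm": "demo",
 "clients": [{"clientId": "portal", "protocolMappers": [
    {"name": "groups-js", "protocolMapper": "oidc-script-based-protocol-mapper"},
    {"name": "email", "protocolMapper": "oidc-usermodel-property-mapper"}]}],
 "authenticationFlows": [{"alias": "browser-custom", "authenticationExecutions": [
    {"authenticator": "auth-script-based"}, {"authenticator": "auth-cookie"}]}]}
""")

if __name__ == "__main__":
    for realm, kind, where in find_script_components(SAMPLE_EXPORT):
        print(f"{realm}: script {kind} at {where}")
```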

Database dump

This option is suitable for large deployments that tolerate a data freeze for an hour. This process is relatively fast and can be used for large databases. Cloud-IAM can only import PostgreSQL database dumps. This requires action from the Cloud-IAM support team and must be scheduled; it is therefore billed to the customer. Please contact the support team for more details.

A regular database dump must be encrypted with the Cloud-IAM GPG key and then transferred. The deployment is stopped during the import and then restarted.

Once imported, the customer can simply switch the application to point directly to the freshly populated Cloud-IAM deployment (easier with a DNS indirection).

Progressive import

This option is suitable for large deployments that do not tolerate any downtime. This process migrates the end users when they actually log in. The migration lasts until all the users have logged in once.

The Cloud-IAM deployment is configured to use the legacy Keycloak database as user federation. With an additional custom extension provided by Cloud-IAM, the data is migrated into the new deployment.

This requires action from the Cloud-IAM support team; it is therefore billed to the customer. Please contact the support team for more details.

Will I be able to bring back Keycloak to my infrastructure later?

There is no vendor lock-in with Cloud-IAM and there will never be. We provide unrestricted access to production-ready Keycloak environments.

You can run full tests or a PoC to build your skills on Cloud-IAM, and if you want your data back in your infrastructure, it can be integrated without problems.

We believe you will stay with us — like our other happy customers — because you won't be able to have our level of operation and reliability if you bring back Keycloak to your own infrastructure with your own Ops team.