Migrate to Cloud-IAM
From On-Promised Keycloak
When migrating for a self-hosted Keycloak version to Cloud-IAM fully managed version most customers need to export their full Keycloak configuration including realm configuration, users, client configurations, user federation and so on.
Depending on the database size, customization, extensions, existing infrastructure, several options are possible.
Keycloak export as JSON
This option is suitable for small deployment that tolerates a data freeze for a few hours. This process is slow and can not be used for large database. However the customer is completely autonomous to handle the process.
It is based on the Keycloak built-in feature to export the whole Keycloak configuration in Json file. Those files can be imported in the Keycloak console.
Once imported, the customer can simply switch the application to point directly to the freshly populated Cloud-IAM deployment (easier with a DNS indirection).
1 - Create an export on self-hosted Keycloak deployment
On customer's self-hosted deployment use the Keycloak full export feature to export all your data inside a single file.
2 - Import exported file into the Keycloak Console of a Cloud-IAM deployment
- Go to Cloud-IAM's Dashboard
- Select the Keycloak deployment
- Open Keycloak console
- Click on "Import" (from the sidebar)
- Keycloak console might display "Partial import" as a title but in fact it will also able to execute a full import based on the previously exported file
- Select the file
- Click on "Import"
- Welcome to Cloud-IAM
TIP
Script upload is disabled
Keycloak error when imported
When importing a previous export, Keycloak console might display — depending on the customer's Keycloak version — a Script upload is disabled
error. This can be fixed activating the "Write custom authenticators using JavaScript" in the configuration tab
from Cloud-IAM's dashboard.
Database dump
This option is suitable for large deployments that tolerates a data freeze for an hour. This process is relatively fast and can be used for large database. Cloud-IAM can only import postgresql database dump. This require action from the Cloud-IAM support team and must be scheduled therefore it is billed to the customer. Please contact the support team to have more details.
Regular database dump must be encrypted with the Cloud-IAM GPG key and transferred. The deployment is stopped during the import and then restarted.
Once imported, the customer can simply switch the application to point directly to the freshly populated Cloud-IAM deployment (easier with a DNS indirection).
Progressive import
This option is suitable for large deployments that does not tolerate any downtime. This process migrates the end-users when they actually login. The migration last until all the users have logged-in once.
The Cloud-IAM deployment is configured to use the legacy Keycloak database as user federation. With an additional custom extension provided by Cloud-IAM, the data are migrated in the new deployment.
This require actions from the Cloud-IAM support team, therefore it is billed to the customer. Please contact the support team to have more details.