Migrate to Cloud-IAM

From On-Promised Keycloak

When migrating for a self-hosted Keycloak version to Cloud-IAM fully managed version most customers need to export their full Keycloak configuration including realm configuration, users, client configurations, user federation and so on.

Depending on the database size, customization, extensions, existing infrastructure, several options are possible.

Keycloak export as JSON

This option is suitable for small deployment that tolerates a data freeze for a few hours. This process is slow and can not be used for large database. However the customer is completely autonomous to handle the process.

It is based on the Keycloak built-in feature to export the whole Keycloak configuration in Json file. Those files can be imported in the Keycloak console.

Once imported, the customer can simply switch the application to point directly to the freshly populated Cloud-IAM deployment (easier with a DNS indirection).

1 - Create an export on self-hosted Keycloak deployment

On customer's self-hosted deployment use the Keycloak full export feature to export all your data inside a single file.

2 - Import exported file into the Keycloak Console of a Cloud-IAM deployment

Go to Cloud-IAM's Dashboard
Select the Keycloak deployment
Open Keycloak console
Click on "Import" (from the sidebar)
Keycloak console might display "Partial import" as a title but in fact it will also able to execute a full import based on the previously exported file
Select the file
Click on "Import"
Welcome to Cloud-IAM

TIP

Script upload is disabled Keycloak error when imported

When importing a previous export, Keycloak console might display — depending on the customer's Keycloak version — a Script upload is disabled error. This can be fixed activating the "Write custom authenticators using JavaScript" in the configuration tab from Cloud-IAM's dashboard.

Database dump

This option is suitable for large deployments that tolerates a data freeze for an hour. This process is relatively fast and can be used for large database. Cloud-IAM can only import postgresql database dump. This require action from the Cloud-IAM support team and must be scheduled therefore it is billed to the customer. Please contact the support team to have more details.

Regular database dump must be encrypted with the Cloud-IAM GPG key and transferred. The deployment is stopped during the import and then restarted.

Once imported, the customer can simply switch the application to point directly to the freshly populated Cloud-IAM deployment (easier with a DNS indirection).

Progressive import

This option is suitable for large deployments that does not tolerate any downtime. This process migrates the end-users when they actually login. The migration last until all the users have logged-in once.

The Cloud-IAM deployment is configured to use the legacy Keycloak database as user federation. With an additional custom extension provided by Cloud-IAM, the data are migrated in the new deployment.

This require actions from the Cloud-IAM support team, therefore it is billed to the customer. Please contact the support team to have more details.

Migrate to Cloud-IAM ​

From On-Promised Keycloak ​

Keycloak export as JSON ​

1 - Create an export on self-hosted Keycloak deployment ​

2 - Import exported file into the Keycloak Console of a Cloud-IAM deployment ​

Database dump ​

Progressive import ​