Amazon Web Services Solutions Library

Keycloak on Amazon Web Services

What does this Amazon Web Services Solution do?

This solution allows you to quickly deploy a Keycloak cluster on Amazon Web Services Cloud. Keycloak is an Open Source Identity and Access Management solution for modern Applications and Services. Providing a customizable user interface, Keycloak supports use cases such as Single Sign-On (SSO), user registration, user federation, etc. It strives to conform to standard protocols such as OpenID Connect, OAuth 2.0 and SAML 2.0. Customers can configure Keycloak to integrate with Active Directory and LDAP. You can also setup Keycloak to delegate authentication to third-party identity providers.

Amazon Web Services Solution overview

The following diagram shows the architecture diagram of this solution. You can use the deployment guide and the Amazon CloudFormation template for automated deployment.

Architecture of Serverless Image Handler

Keycloak on Amazon Web Services

A highly available architecture that spans two Availability Zones.
An Amazon Virtual Private Cloud (Amazon VPC) configured with public and private subnets, according to Amazon best practices, to provide you with your own virtual network on Amazon Web Services.
In the public subnets, managed Network Address Translation (NAT) gateways to allow outbound internet access for resources in the private subnets.
In the private subnets:
- Amazon Elastic Container Service (Amazon ECS) tasks running with Amazon Fargate behind the Application Load Balancer.
- Amazon Aurora Serverless MySQL-Compatible database cluster or Amazon Aurora MySQL-Compatible cluster.
IAM role for the Amazon ECS service.
Secrets from Amazon Secrets Manager for Keycloak console login and database connection.
Amazon Certificate Manager (ACM), which uses your existing certificate for the custom domain name on the Application Load Balancer.
Amazon Route 53 alias record, which is required for the custom domain name.

Show less

Keycloak on Amazon Web Services

Version 2.1.0
Last updated: 07/2022
Author: Amazon Web Services

Estimated deployment time: 30 min

Source code

View implementation guide

Launch solution in the existing VPC using Amazon Aurora Serverless MySQL-Compatible as Database (China Regions)

Launch solution in new VPC using Amazon Aurora Serverless MySQL-Compatible as Database (China Regions)

Launch solution in the existing VPC using Amazon Aurora MySQL-Compatible as Database (China Regions)

Launch solution in new VPC using Amazon Aurora MySQL-Compatible as Database (China Regions)

Launch solution in the existing VPC using Amazon Aurora Serverless MySQL-Compatible as Database (Global Regions)

Launch solution in new VPC using Amazon Aurora Serverless MySQL-Compatible as Database (Global Regions)

Launch solution in the existing VPC using Amazon Aurora MySQL-Compatible as Database (Global Regions)

Launch solution in new VPC using Amazon Aurora MySQL-Compatible as Database (Global Regions)

Features

Standard protocols

Keycloak supports OpenID Connect, OAuth 2.0 and SAML 2.0 standard protocols.

Integration with different services

Customers can configure Keycloak to integrate with Active Directory and LDAP. Customers can also setup Keycloak to delegate authentication to third-party identity providers.

Automatic deployment

Customers can “1-click” launch Keycloak via CloudFormation template. Amazon CloudFormation will automatically setup Amazon Web Services resources required for this solution.