
Bidirectional Session Sync Between IAM Systems

Ensure session consistency between legacy and modern IAM platforms. The Session Sync SPI listens for login, logout, and token events and propagates them across systems—supporting parallel run strategies and hybrid environments.

Real-Time Session Synchronization Across IAM Systems

Why It Matters

In large enterprises, a modern IAM platform often has to coexist with a legacy identity system for the duration of a migration. Session state then drifts between the two:

Logging out of one system does not end the session in the other
Token revocation does not propagate
Session duration and concurrency policies diverge

With the Session Sync SPI, you can:

Mirror session state across IAM systems in real time
Prevent access inconsistencies in hybrid login setups
Run both systems in parallel during a gradual migration
Enforce centralized session policies from either end

Parallel Session State Between Old and New IAM Systems

Session Sync Flow

A user logs in via the legacy IAM (e.g., a custom or vendor-supplied platform)
Keymate receives the login via token exchange and creates a mirrored Keycloak session
If the user logs out of either system, the Session Sync SPI triggers a sync in the other direction
Token revocations, delegated sessions, and session-note updates are mirrored as they occur
Observability and audit logging record both sides of each sync

Use Cases Include:

Token revocation propagation
Session expiry alignment
Forced logout enforcement
Coordinated impersonation or delegation teardown

Extension Highlights — What Makes It Unique

Bidirectional Sync Support

Syncs both login and logout events across IAM systems

Parallel Run Compatibility

Fully compatible with gradual IAM migrations

Token State Mirroring

Reflects token revocation and refresh events

Legacy System Hooks

Customizable connectors for external session APIs

Delegation-Aware Sync

Ensures delegated or elevated sessions are terminated consistently

Observability Ready

Events are traceable via OpenTelemetry and Signoz dashboards

Frequently Asked Questions

Does the Session Sync SPI replace token federation?
No, it complements token federation by syncing full session state, not just authentication.

Does it only work with a specific legacy IAM?
No. It supports pluggable connectors and can be integrated with any IAM that exposes session APIs.

What happens if a sync to the other system fails?
The fallback logs the incident; the configured policy may then retry, alert, or log only. Failure tolerance is configurable.

Is it mandatory for a migration?
Not mandatory, but highly recommended for zero-downtime, application-by-application migration strategies.

How to Use This Extension

Implementation Steps

1. Install the Session Sync SPI into your Keycloak deployment
2. Configure external system session endpoints (e.g., legacy IAM logout URLs)
3. Set mapping rules for login, logout, and token events
4. Enable bidirectional or unidirectional sync mode
5. Monitor sync health via observability dashboards
6. Optionally integrate with token exchange logic for seamless flow
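The following is an added example, not Keymate's own Session Sync SPI, showing the outbound half of the flow and steps 2 to 4 above on Keycloak's public EventListenerProvider API: it forwards LOGIN, LOGOUT, REFRESH_TOKEN and REVOKE_GRANT events to a legacy IAM session endpoint and applies the retry / alert / log-only failure policy the FAQ describes. The package name, the provider id "legacy-session-sync", the configuration keys (endpoint, bearer-token, failure-policy, max-attempts) and the JSON body format are all assumptions made for the example; the legacy side's API is whatever your connector targets.

```java
package example.sessionsync; // hypothetical package; not Keymate's code

import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.Set;

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;

/** Outbound session sync: forwards Keycloak session and token events to a legacy IAM.
 *  Register in META-INF/services/org.keycloak.events.EventListenerProviderFactory and
 *  enable "legacy-session-sync" under Realm Settings > Events > Event listeners. */
public class LegacySessionSyncListenerFactory implements EventListenerProviderFactory {
    private static final Logger LOG = Logger.getLogger(LegacySessionSyncListenerFactory.class);

    // Assumed settings, read from --spi-events-listener-legacy-session-sync-<key>.
    private String endpoint;       // legacy session API, e.g. https://legacy.example/sessions/sync
    private String bearerToken;    // credential for that API; never written into event details
    private String failurePolicy;  // "retry", "alert" or "log-only" (the FAQ's three modes)
    private int maxAttempts;

    @Override
    public void init(Config.Scope config) {
        endpoint = config.get("endpoint");
        bearerToken = config.get("bearer-token", "");
        failurePolicy = config.get("failure-policy", "log-only");
        maxAttempts = config.getInt("max-attempts", 3);
    }

    @Override
    public EventListenerProvider create(KeycloakSession session) {
        return new Listener(endpoint, bearerToken, failurePolicy, maxAttempts);
    }

    @Override public void postInit(KeycloakSessionFactory factory) {}
    @Override public void close() {}
    @Override public String getId() { return "legacy-session-sync"; }

    static final class Listener implements EventListenerProvider {
        // Event types that change session or token state on the Keycloak side.
        private static final Set<EventType> SYNCED = Set.of(
                EventType.LOGIN, EventType.LOGOUT, EventType.REFRESH_TOKEN, EventType.REVOKE_GRANT);
        private final HttpClient http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(2)).build();
        private final String endpoint, bearerToken, failurePolicy;
        private final int maxAttempts;

        Listener(String endpoint, String bearerToken, String failurePolicy, int maxAttempts) {
            this.endpoint = endpoint; this.bearerToken = bearerToken;
            this.failurePolicy = failurePolicy; this.maxAttempts = maxAttempts;
        }

        @Override
        public void onEvent(Event event) {
            if (endpoint == null || !SYNCED.contains(event.getType())) return;
            // Only opaque identifiers cross the boundary; the tokens themselves stay in Keycloak.
            String body = String.format(
                    "{\"event\":\"%s\",\"realm\":\"%s\",\"user\":\"%s\",\"session\":\"%s\",\"time\":%d}",
                    event.getType(), event.getRealmId(), event.getUserId(), event.getSessionId(), event.getTime());
            HttpRequest request = HttpRequest.newBuilder(URI.create(endpoint))
                    .timeout(Duration.ofSeconds(3))
                    .header("Content-Type", "application/json")
                    .header("Authorization", "Bearer " + bearerToken)
                    .POST(HttpRequest.BodyPublishers.ofString(body))
                    .build();
            deliver(request, event);
        }

        // Failure tolerance: "retry" re-sends up to maxAttempts, "alert" escalates after the
        // last failure, "log-only" records the divergence and moves on.
        private void deliver(HttpRequest request, Event event) {
            int attempts = "retry".equals(failurePolicy) ? Math.max(1, maxAttempts) : 1;
            for (int attempt = 1; attempt <= attempts; attempt++) {
                try {
                    HttpResponse<Void> response = http.send(request, HttpResponse.BodyHandlers.discarding());
                    if (response.statusCode() / 100 == 2) return;
                    LOG.warnf("legacy sync of %s for session %s returned HTTP %d (attempt %d/%d)",
                            event.getType(), event.getSessionId(), response.statusCode(), attempt, attempts);
                } catch (IOException e) {
                    LOG.warnf(e, "legacy sync of %s for session %s failed (attempt %d/%d)",
                            event.getType(), event.getSessionId(), attempt, attempts);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    break;
                }
            }
            if ("alert".equals(failurePolicy)) {
                // Wire your paging or alerting channel here; this at least makes the divergence loud.
                LOG.errorf("ALERT: session %s of user %s is now out of sync with the legacy IAM",
                        event.getSessionId(), event.getUserId());
            }
        }

        @Override public void onEvent(AdminEvent event, boolean includeRepresentation) {}
        @Override public void close() {}
    }
}
```

Two caveats before running something like this in production. onEvent executes on the request thread that produced the event, so a slow legacy endpoint delays the user's login or logout; enlist the call with session.getTransactionManager().enlistAfterCompletion(...) or hand it to a queue so a sync failure can never roll back or stall the Keycloak side. And the inbound direction (legacy logout terminating the mirrored Keycloak session) needs its own authenticated endpoint that looks the session up by id and ends it, so that only the legacy IAM, never an unauthenticated caller, can force-terminate sessions.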

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.