
Authenticate Users Through Legacy IAM Without Migration

Enable Keycloak to accept user credentials from existing enterprise IAM systems. This extension provides a secure, session-aware authenticator that communicates with the legacy identity proxy—ensuring backward compatibility and zero-friction login.

Seamless User Login via Legacy Identity Systems

Why It Matters

Enterprise IAM transitions often involve years of embedded legacy systems. Instead of forcing all applications to migrate at once, this authenticator supports:

  • Parallel IAM operation during migration
  • Passwordless login via external identity proxy
  • Progressive user onboarding into Keycloak
  • Consistent token issuance and session management

By acting as a secure handshake between Keycloak and your legacy IAM, this extension delivers seamless login with minimal risk and maximum continuity.

Bridge Your Old IAM and Keycloak Without Breaking Users

Keycloak communicates with the legacy IAM proxy at login time:

Legacy IAM Authentication Flow

This flow enables "parallel run" without requiring applications to change their login logic.

Example: Keycloak acts as a bridge to your existing identity systems.

Key Components:

  • Receives username and password via custom login form
  • Sends credentials to external identity proxy (over HTTPS)
  • Waits for response and user identity confirmation
  • Creates or updates Keycloak user profile with attributes
  • Issues Keycloak access tokens—fully compatible with modern apps
  • Optionally links existing legacy tokens to the session

Extension Highlights — What Makes It Unique

External Credential Validation

Sends credentials securely to a legacy identity validation endpoint

User Auto-Creation in Keycloak

New users are created automatically upon first successful login

Legacy Token Linking (Optional)

Stores external IAM token or session ID in Keycloak session notes

Customizable Username Field

Supports login with username, TCKN, or custom identifiers

No Password Storage in Keycloak

Passwords never stored—proxy remains source of truth

Full Session Control

Keycloak controls the access token, session state, and logout behavior

Ideal for Parallel Migration

No need to force app-side changes while migrating IAM systems
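The login flow under "Key Components" and the highlights above (external validation over HTTPS, user auto-creation, optional session-note linking, no password storage) sketched as a Keycloak authenticator. This is an added illustration, not the Keymate extension's own code; the class name, the `proxyUrl` config key, and the proxy wire format (JSON POST, HTTP 200 whose body is the legacy session id) are assumptions, and it targets the Keycloak 22+ Authenticator SPI on Java 17.

```java
import java.net.URI;
import java.net.http.*;
import java.util.Map;
import org.keycloak.authentication.*;
import org.keycloak.models.*;
import org.keycloak.services.messages.Messages;
import org.keycloak.util.JsonSerialization;

// Illustrative authenticator, not the Keymate extension's source. Assumes Keycloak 22+ (Java 17).
public class LegacyProxyAuthenticator implements Authenticator {
    private static final HttpClient HTTP = HttpClient.newHttpClient();
    @Override public void authenticate(AuthenticationFlowContext ctx) {
        // Show the stock username/password form; no local password is ever checked or stored.
        ctx.challenge(ctx.form().createLoginUsernamePassword());
    }
    @Override public void action(AuthenticationFlowContext ctx) {
        var form = ctx.getHttpRequest().getDecodedFormParameters();
        String username = form.getFirst("username"), password = form.getFirst("password");
        AuthenticatorConfigModel cfg = ctx.getAuthenticatorConfig(); // "proxyUrl" is an assumed config key
        String proxyUrl = cfg == null ? null : cfg.getConfig().get("proxyUrl");
        String legacySession = (username == null || password == null) ? null : validateExternally(proxyUrl, username, password);
        if (legacySession == null) { // bad credentials, proxy error, or non-HTTPS URL: all fail closed
            ctx.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, ctx.form().setError(Messages.INVALID_USER).createLoginUsernamePassword());
            return;
        }
        RealmModel realm = ctx.getRealm();
        UserModel user = ctx.getSession().users().getUserByUsername(realm, username);
        if (user == null) { // first successful login: auto-provision the profile, never a credential
            user = ctx.getSession().users().addUser(realm, username);
            user.setEnabled(true);
        }
        // Optional legacy token linking: keep the proxy session id as a user-session note only.
        ctx.getAuthenticationSession().setUserSessionNote("legacy_session_id", legacySession);
        ctx.setUser(user);
        ctx.success();
    }
    // POSTs a JSON body over HTTPS; returns the proxy's session id (assumed wire format) or null.
    static String validateExternally(String url, String user, String pw) {
        if (url == null || !url.startsWith("https://")) return null; // refuse to send credentials in clear
        try {
            String body = JsonSerialization.writeValueAsString(Map.of("username", user, "password", pw));
            HttpRequest req = HttpRequest.newBuilder(URI.create(url)).header("Content-Type", "application/json").POST(HttpRequest.BodyPublishers.ofString(body)).build();
            HttpResponse<String> res = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
            return res.statusCode() == 200 && !res.body().isBlank() ? res.body().trim() : null;
        } catch (Exception e) { return null; } // any transport or parse error is treated as a failed login
    }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) {}
    @Override public void close() {}
}
```

The authenticator still needs an `AuthenticatorFactory` registered via `META-INF/services` to appear in the flow editor; the session note written here is what a token mapper or the Admin Console session view can later expose.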

Frequently Asked Questions

No. Passwords are validated externally. Keycloak never sees or stores them.
Yes. This is the primary use case—enabling gradual migration without disrupting users.
Yes. You can configure token mappers or use session notes to expose selected info.
Yes, as long as your existing system exposes a credential validation API or proxy.
Keycloak creates (or updates) the user profile and issues a standard OIDC token.

How to Use This Extension

Follow these steps to enable the External IAM Login Authenticator.

Implementation Steps

1. Deploy the external IAM authenticator JAR or image into Keycloak
2. Configure login flow to include this authenticator
3. Set up endpoint URL for external IAM proxy in the extension config
4. Map fields like username, TCKN, or userId for identity binding
5. Optionally enrich Keycloak tokens with data from external response
6. Monitor authentication logs and user provisioning via Admin Console

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.