Case: Keycloak domain mode cluster

The client wanted to migrate more and more of internal and SaaS services to Keycloak but was worried about the lack of high-availability in standalone Keycloak. We created Keycloak domain mode clusters for them and integrated them with their FreeIPA Linux domain. This allowed the customer to start using Keycloak authentication for critical services like AWS and Slack - with help from us.

Main technologies





High availability

Centralized authentication



4 Keycloak instances

2 domain mode clusters

4 FreeIPA masters

1 Starting point

The client had a single-node standalone Keycloak instance running. While it worked well, the client was blocked from integrating critical services such as AWS or Slack as it lacked high availability.

2 Project

We started by developing and testing automation code for managing Keycloak domain-mode clusters in a testing environment. Once all worked well, we deployed a staging Keycloak domain mode cluster and integrated it with the client's FreeIPA cluster. Once the staging environment was working, we deployed the production domain mode cluster. As the final step we migrated away from the original Keycloak standalone instance. This was easy as Keycloak configurations were all defined as infrastructure code.

3 End result

The Keycloak domain mode cluster enabled the client to start using Keycloak as the authentication and authorization backend for critical services such as AWS and Slack. They used the staging Keycloak domain mode cluster for testing new Keycloak configurations and for integration of new services into Keycloak. Once the testing procedure was complete the same configuration could be trivially deployed to production.
"Puppeteers helped us resolve our Red Hat Enterprise Linux issue. I'm looking forward to upgrading and improving our clients' production environments and our development setups with their help."
Aarre Pohjola
A&A Consulting Oy, Finland