Portico: Unifying Authentication Across Merged Systems Using Keycloak

Portico tackled fragmented authentication by implementing a cloud-native Single Sign-On (SSO) system using Keycloak. The solution unified access across products, improved user experience, and reduced identity management costs by ~65%, while supporting over 1 million users with seamless scalability and future-ready architecture.

    Challenge

    Following the merger of multiple companies, the organization faced a critical challenge: fragmented authentication across different products - Verity, CampusIvy, and CourseKey - each using independent internal systems.
    This led to:

    • Poor user experience
    • Increased support overhead
    • Security inconsistencies

    To address this, the organization needed a single, centralized authentication system that could:

    • Scale to support over 1 million users
    • Be cost-effective in the long run
    • Offer full control over SSO workflows

    Two options were evaluated:

    • AWS Cognito: A managed service with a high recurring cost
    • Keycloak: An open-source, self-managed IDP offering greater customization and control

    After a careful cost-benefit analysis and feature comparison, Keycloak was chosen as the Identity Provider (IDP) to build a scalable Single Sign-On (SSO) system.

    Approach

    The implementation was strategically planned across multiple phases to balance speed, cost, and risk mitigation:

    1. Cloud-Native Infrastructure Setup:
      • Provisioned Keycloak instances using AWS ECS Fargate for containerized orchestration.
      • Deployed Aurora MySQL Serverless as the Keycloak database backend.
      • Integrated Amazon SES for email delivery.
      • Implemented Application Load Balancer (ALB) for high availability and scaling.
      • Managed DNS through Route53.
      • All infrastructure was deployed using Terraform (IaC), ensuring repeatable and scalable environment provisioning.
    2. Keycloak Customizations:
      • Email Notification SPI: Developed a Service Provider Interface (SPI) implementation that listens to user creation and credential reset events and automatically sends password reset emails, functionality not natively supported by Keycloak.
      • Theming: Built custom light and dark themes to provide a branded, modern user interface for authentication portals.
    3. Load Testing and Scalability Validation:
      • Conducted performance testing using Apache JMeter with the following scenarios:
        • 20,000 logins within 5 minutes
        • Ramp-up from 1,000 to 20,000 concurrent users
        • Peak load of 500 users per second
      • Achieved these targets with a setup of two Fargate containers, each provisioned with 2 vCPUs and 2 GB RAM.
    4. Protocol Support:
      • Integrated with systems using both OpenID Connect (OIDC) and SAML, ensuring flexibility for future integrations.
    5. Initial Rollout:
      • Successfully onboarded three primary systems (two via OIDC and one via SAML).
      • Planned onboarding of 16–18 additional systems onto the unified SSO platform.
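The Email Notification SPI from step 2, as an added Java example that is not Portico's code: a Keycloak EventListenerProvider that hooks both self-registration (a user event) and admin-side user creation (an admin event) and mails the new user through the realm's configured SMTP settings. The class, template and subject-key names are hypothetical, and the EventListenerProviderFactory and META-INF/services registration that make Keycloak load the listener are not shown.

```java
import java.util.Map;
import org.jboss.logging.Logger;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailTemplateProvider;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Hypothetical listener: reacts to user creation and mails the new user a
// "set your password" message through the realm's SMTP settings (SES in this setup).
public class OnboardingEmailListener implements EventListenerProvider {
    private static final Logger LOG = Logger.getLogger(OnboardingEmailListener.class);
    private final KeycloakSession session;

    public OnboardingEmailListener(KeycloakSession session) { this.session = session; }

    @Override // login-flow events: a user completed self-registration on the login page
    public void onEvent(Event event) {
        if (event.getType() == EventType.REGISTER) {
            sendOnboardingMail(event.getRealmId(), event.getUserId());
        }
    }

    @Override // admin console/REST events: the resource path for a new user is "users/<id>"
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        if (event.getResourceType() == ResourceType.USER
                && event.getOperationType() == OperationType.CREATE) {
            sendOnboardingMail(event.getRealmId(), event.getResourcePath().substring("users/".length()));
        }
    }

    private void sendOnboardingMail(String realmId, String userId) {
        RealmModel realm = session.realms().getRealm(realmId);
        UserModel user = session.users().getUserById(realm, userId);
        if (user == null || user.getEmail() == null) {
            return; // no address to notify (e.g. a service account or an incomplete profile)
        }
        try { // "onboarding.ftl" and "onboardingSubject" are hypothetical theme resources
            session.getProvider(EmailTemplateProvider.class).setRealm(realm).setUser(user)
                   .send("onboardingSubject", "onboarding.ftl", Map.<String, Object>of("user", user));
        } catch (EmailException e) { // a mail failure must not abort the user creation itself
            LOG.warnf(e, "onboarding mail not sent for user %s", userId);
        }
    }

    @Override public void close() {}
}
```

Package the listener and its factory as a provider JAR, list the factory in META-INF/services/org.keycloak.events.EventListenerProviderFactory, and enable the listener under the realm's event settings so Keycloak starts dispatching events to it.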

    Solution

    The resulting architecture delivers a highly scalable, cloud-native Single Sign-On (SSO) solution built on Keycloak, with key highlights including:

    • Serverless, cost-optimized database (Aurora MySQL Serverless)
    • Containerized Keycloak deployment with horizontal scalability (ECS + ALB)
    • Custom event-driven email notifications for user onboarding and credential management
    • Centralized identity management supporting OIDC and SAML clients
    • Full Infrastructure as Code (IaC) deployment for consistent environment creation
    • Branded authentication experiences with custom theming

    Impact

    • Unified Access: Users now authenticate once and gain seamless access to all integrated applications, improving usability and efficiency.

    • Scalable by Design: The architecture successfully handled 20K+ concurrent logins in high-load simulations, validating readiness for future user growth.

    • Operational Savings: By choosing Keycloak over AWS Cognito, the organization achieved a ~65% cost reduction in projected identity management expenses.

    • Enhanced User Experience: The branded login experience conveys professionalism and improves client satisfaction.

    • Developer Velocity: Infrastructure automation via Terraform accelerates deployment of new environments and updates.

    • Future-Ready: With a flexible, modular architecture and support for multiple protocols, the SSO solution is primed to onboard 16+ additional applications with minimal rework.
