Portico: Unifying Authentication Across Merged Systems Using Keycloak

Portico tackled fragmented authentication by implementing a cloud-native Single Sign-On (SSO) system using Keycloak. The solution unified access across products, improved user experience, and reduced identity management costs by ~65%, while supporting over 1 million users with seamless scalability and future-ready architecture.


    Challenge

    Following the merger of multiple companies, the organization faced a critical challenge: fragmented authentication across different products (Verity, CampusIvy, and CourseKey), each using its own independent internal login system. This led to:

    • Poor user experience

    • Increased support overhead

    • Security inconsistencies

    To address this, the organization needed a single, centralized authentication system that could:

    • Scale to support over 1 million users

    • Be cost-effective in the long run

    • Offer full control over SSO workflows

    Two options were evaluated:

    • AWS Cognito: A managed service with a high recurring cost

    • Keycloak: An open-source, self-managed IDP offering greater customization and control

    After a careful cost-benefit analysis and feature comparison, Keycloak was chosen as the Identity Provider (IDP) to build a scalable Single Sign-On (SSO) system.

    Approach

    The implementation was strategically planned across multiple phases to balance speed, cost, and risk mitigation:

    1. Cloud-Native Infrastructure Setup:

      • Provisioned Keycloak instances using AWS ECS Fargate for containerized orchestration.

      • Deployed Aurora MySQL Serverless as the Keycloak database backend.

      • Integrated Amazon SES for email delivery.

      • Implemented Application Load Balancer (ALB) for high availability and scaling.

      • Managed DNS through Route53.

      • All infrastructure was deployed using Terraform (IaC), ensuring repeatability and scalability.

    2. Keycloak Customizations:

      • Email Notification SPI: Developed a Service Provider Interface (SPI) that listens to user creation and credential reset events and automatically sends password reset emails, functionality not natively supported by Keycloak.

      • Theming: Built custom light and dark themes to provide a branded, modern user interface for authentication portals.
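How such an event-listener SPI is wired, as an added example rather than Portico's own code: the factory, the listener, and the send call use Keycloak's public SPI types. The class names, the provider id "notify-email", the message text, and the users().getUserById(realm, id) signature of recent Keycloak releases are assumptions.

```java
// Added example, not Portico's SPI. Registered via the file
// META-INF/services/org.keycloak.events.EventListenerProviderFactory containing this class name.
import org.keycloak.Config;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailSenderProvider;
import org.keycloak.events.*;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.*;
public class NotifyEmailListenerFactory implements EventListenerProviderFactory {
    @Override public EventListenerProvider create(KeycloakSession session) { return new Listener(session); }
    @Override public void init(Config.Scope config) {}
    @Override public void postInit(KeycloakSessionFactory factory) {}
    @Override public void close() {}
    @Override public String getId() { return "notify-email"; } // id shown under Realm settings > Events > Event listeners
    static final class Listener implements EventListenerProvider {
        private final KeycloakSession session;
        Listener(KeycloakSession session) { this.session = session; }

        @Override public void onEvent(Event event) {
            // User-initiated credential changes arrive as Event; alerting the owner also surfaces changes they did not make.
            if (event.getType() == EventType.UPDATE_PASSWORD || event.getType() == EventType.RESET_PASSWORD) {
                notify(event.getRealmId(), event.getUserId(), "Your password was changed",
                       "Your password was just changed. If this was not you, contact support immediately.");
            }
        }

        @Override public void onEvent(AdminEvent event, boolean includeRepresentation) {
            // Admin-console user creation arrives as an AdminEvent whose resource path is "users/{id}".
            if (event.getResourceType() == ResourceType.USER && event.getOperationType() == OperationType.CREATE) {
                String[] path = event.getResourcePath().split("/");
                if (path.length == 2) {
                    notify(event.getRealmId(), path[1], "Your account is ready",
                           "An account was created for you. Use 'Forgot password' on the login page to set a password.");
                }
            }
        }
        private void notify(String realmId, String userId, String subject, String text) {
            RealmModel realm = session.realms().getRealm(realmId);
            UserModel user = realm == null ? null : session.users().getUserById(realm, userId);
            if (user == null || user.getEmail() == null) return; // nothing to deliver to
            try { // realm SMTP settings (Amazon SES in the deployment described above); text body only
                session.getProvider(EmailSenderProvider.class).send(realm.getSmtpConfig(), user, subject, text, null);
            } catch (EmailException e) { /* a failed notification must not fail the request that triggered it */ }
        }
        @Override public void close() {}
    }
}
```

Users created through self-registration arrive as an EventType.REGISTER user event rather than an AdminEvent, so a realm that allows registration would handle that type in onEvent as well. The listener only fires once it is enabled per realm under Events > Event listeners.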

    3. Load Testing and Scalability Validation:

      • Conducted performance testing using Apache JMeter with the following scenarios:

        • 20,000 logins within 5 minutes

        • Ramp-up from 1,000 to 20,000 concurrent users

        • Peak load of 500 users per second

      • Achieved these targets with a setup of two Fargate containers, each provisioned with 2 vCPUs and 2 GB RAM.

    4. Protocol Support:

      • Integrated with systems using both OpenID Connect (OIDC) and SAML, ensuring flexibility for future integrations.

    5. Initial Rollout:

      • Successfully onboarded three primary systems (two via OIDC and one via SAML).

      • Planned onboarding of 16–18 additional systems onto the unified SSO platform.

    Solution

    The resulting architecture delivers a highly scalable, cloud-native Single Sign-On (SSO) solution built on Keycloak, with key highlights including:

    • Serverless, cost-optimized database (Aurora MySQL Serverless)

    • Containerized Keycloak deployment with horizontal scalability (ECS + ALB)

    • Custom event-driven email notifications for user onboarding and credential management

    • Centralized identity management supporting OIDC and SAML clients

    • Full Infrastructure as Code (IaC) deployment for consistent environment creation

    • Branded authentication experiences with custom theming


    Impact

    • Unified Access: Users now authenticate once and gain seamless access to all integrated applications, improving usability and efficiency.

    • Scalable by Design: The architecture successfully handled 20K+ concurrent logins in high-load simulations, validating readiness for future user growth.

    • Operational Savings: By choosing Keycloak over AWS Cognito, the organization achieved a ~65% cost reduction in projected identity management expenses.

    • Enhanced User Experience: A branded login experience conveys professionalism and improves client satisfaction.

    • Developer Velocity: Infrastructure automation via Terraform accelerates deployment of new environments and updates.

    • Future-Ready: With a flexible, modular architecture and support for multiple protocols, the SSO solution is primed to onboard 16+ additional applications with minimal rework.
