Before we move on to migration details, let’s first define the two solutions we’ll talk about in this article: Oracle Access Management and Keycloak.
Oracle Identity and Access Management is a collection of products that enable management and automation of the user identity lifecycle and provide users with access to enterprise resources. Oracle IAM consists of 2 main components:
Oracle IAM offers support for both on-premise and cloud environments, but in this article, we will focus on the on-premise variant, the last version of which was 12c (12.2.1.4.0), released in 2019. Moving to OCI (Oracle Cloud Infrastructure) is the go-to choice for many companies that use an old, on-premise version of Oracle IAM, but there are some cases when Keycloak can be a better option.
Keycloak is an open-source identity and access management system with authentication and user management features. Because the system is open, its feature set is practically unlimited: you can extend its core with dedicated extensions (plugins). You can learn more about this technology in our article “Keycloak SSO – advantages of Single Sign-On and a ready-made access management system”.
| Category | Oracle IAM | Keycloak |
| --- | --- | --- |
| Type | Commercial solution | Open source (developed by Red Hat) |
| Pricing model | License fee | Free (costs incurred by infrastructure, implementation, customization and support) |
| Main features (SSO, MFA) | Yes | Yes, with the option of configuration or writing your own implementation |
| Integrations | Integrations with other Oracle products and external systems | Several ready-made integrations; can be expanded with any integration |
| Support | Technical support offered by Oracle | Mainly community support; commercial support available from Red Hat |
| Customization | Limited compared to Keycloak | High level of customization |
There are two main scenarios when moving from Oracle IAM to Keycloak is a good option:
The key decision during the analysis and planning stage of a user migration is the choice of strategy: mass migration or Just-In-Time (JIT) migration. A detailed description of these 2 strategies is available in our Okta vs. Keycloak comparison article. In this scenario, we’ll focus on a JIT migration using Keycloak’s user federation functionality.
Step 1 – Analysis and planning
Step 2 – Communication with users
Step 3 – Installing and configuring Keycloak
Step 4 – Testing
Step 5 – Application update and configuration
For your convenience, here’s a ready-made diagram visualizing the log-in sequence in Keycloak.
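The JIT log-in flow, modeled as an added example (it is not code from this article, from Oracle IAM or from Keycloak): a user is imported into the new store only after authenticating successfully against the legacy one, and later log-ins are checked locally. The class and function names, the in-memory stores, the sample users and the PBKDF2 work factor are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the legacy user store (plaintext only for this demo).
LEGACY_DIRECTORY = {"alice": "S3cure!pass", "bob": "hunter2-legacy"}


class JitMigrator:
    """Hypothetical model: migrate a user on first successful log-in."""

    def __init__(self, legacy):
        self.legacy = legacy      # consulted only for users not yet migrated
        self.local = {}           # username -> (salt, PBKDF2 digest) in the new store
        self.legacy_calls = 0     # how often the legacy store was queried

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

    def _legacy_auth(self, username, password):
        self.legacy_calls += 1
        expected = self.legacy.get(username)
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

    def login(self, username, password):
        record = self.local.get(username)
        if record is not None:                    # already migrated: local check only
            salt, digest = record
            return hmac.compare_digest(digest, self._hash(password, salt))
        if not self._legacy_auth(username, password):
            return False                          # failed log-ins never create accounts
        salt = os.urandom(16)                     # import the user, re-hash the password
        self.local[username] = (salt, self._hash(password, salt))
        return True

    def pending(self):
        """Users still only in the legacy store; empty before it can be retired."""
        return sorted(set(self.legacy) - set(self.local))


def demo():
    m = JitMigrator(dict(LEGACY_DIRECTORY))
    results = [m.login("alice", "wrong"), m.login("alice", "S3cure!pass"),
               m.login("alice", "S3cure!pass")]
    return results, m.legacy_calls, m.pending()   # ([False, True, True], 2, ['bob'])

if __name__ == "__main__":
    print(demo())
```

In this model, once a user is migrated the legacy store is no longer authoritative for that account, so a password changed there afterwards is not accepted. The `pending()` list is what tells you when the legacy system can be switched off.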
Additionally, if your applications were hosted on Oracle WebLogic Server and you plan to move away from that platform, you will need to migrate them to your chosen hosting platform or application server. The migration process can be carried out in parallel with the IAM migration or as a separate project after switching to Keycloak.
In theory, application migration involves moving the application and its data to a new environment and then making all the necessary configurations. Unfortunately, it’s rarely that simple in practice. Migration can be complicated. It is recommended to conduct a detailed analysis of each migrated application and carefully plan the entire process.
Migrating from Oracle Access Management to Keycloak can be a good option in some circumstances – especially when you want to stay on-premise (no OCI), need a specific feature that Oracle IAM doesn’t offer, or want to minimize license costs. This kind of migration is also not too problematic to carry out. In this article, we’ve focused on the JIT migration scenario, but mass migration is also possible. For more information on migration strategies and Keycloak, check out our other articles: