I have two different clusters of Keycloak (a different DB for each cluster); it works as an active-active solution and it is an identity broker.
When it comes to groups there is a problem managing them, because I would like to have the same groups in both clusters but I don’t have all the users in each cluster.
So I need a way to sync users between both clusters.
My solution for now is using a Directory Server and using the API of Keycloak.
I am pulling all the users from one keycloak to the directory server, and then importing the users through the User federation on the second Keycloak and vice versa.
I am doing it every hour.
- It works
- It adds the ability to use ldap for those who can’t use oidc or saml
- Feels wrong
- Because it happens once an hour it is not in real time
- Massive overhead
I would like to hear if someone has a different idea of how I could synchronize both clusters of Keycloak (cross-site is not an option for my situation).
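Added example (not part of the original post, and not Keycloak's own tooling): what a direct admin-REST-API reconciliation between two clusters looks like, without the directory-server hop in the middle. It assumes a confidential client with a service account in each realm, granted the `realm-management` roles `view-users` and `manage-users` (client-credentials grant, so no admin password lives in the sync job), matches users by username, and copies only profile fields, because `GET /admin/realms/{realm}/users` never returns credentials. The sample user lists at the bottom are constructed; the real clusters are only contacted by `run_once`.

```python
"""Reconcile users from a source Keycloak realm into a target realm via the admin REST API.

Added example, not from the original post. Assumptions: a service-account client
per realm with view-users/manage-users; users matched by username; only profile
fields copied (credentials are never exported by the admin API).
"""
import json
import urllib.parse
import urllib.request

# Fields that are safe and meaningful to carry across clusters. Everything else
# (id, createdTimestamp, federationLink, credentials, ...) is cluster-specific.
PROFILE_FIELDS = ("username", "email", "firstName", "lastName",
                  "enabled", "emailVerified", "attributes")


def get_token(base_url, realm, client_id, client_secret):
    """Client-credentials grant against the realm's token endpoint."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def fetch_all_users(base_url, realm, token, page_size=100):
    """Page through the users endpoint using its first/max query parameters."""
    users, first = [], 0
    while True:
        qs = urllib.parse.urlencode({"first": first, "max": page_size,
                                     "briefRepresentation": "false"})
        req = urllib.request.Request(f"{base_url}/admin/realms/{realm}/users?{qs}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        users.extend(page)
        if len(page) < page_size:
            return users
        first += page_size


def profile(user):
    """Reduce a UserRepresentation to the portable profile fields."""
    return {k: user[k] for k in PROFILE_FIELDS if k in user}


def plan_sync(source_users, target_users):
    """Pure reconciliation step: returns (to_create, to_update) for the target realm."""
    src = {u["username"].lower(): profile(u) for u in source_users}
    dst = {u["username"].lower(): profile(u) for u in target_users}
    to_create = [src[n] for n in src if n not in dst]
    to_update = [src[n] for n in src if n in dst and src[n] != dst[n]]
    return to_create, to_update


def apply_plan(base_url, realm, token, target_users, to_create, to_update):
    """POST new users and PUT changed profiles into the target realm."""
    ids = {u["username"].lower(): u["id"] for u in target_users}
    hdr = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    base = f"{base_url}/admin/realms/{realm}/users"
    for u in to_create:
        req = urllib.request.Request(base, data=json.dumps(u).encode(), headers=hdr, method="POST")
        urllib.request.urlopen(req).close()
    for u in to_update:
        req = urllib.request.Request(f"{base}/{ids[u['username'].lower()]}",
                                     data=json.dumps(u).encode(), headers=hdr, method="PUT")
        urllib.request.urlopen(req).close()


def run_once(src_cfg, dst_cfg):
    """One directional pass; call twice with swapped configs for the 'vice versa' case."""
    src_tok = get_token(src_cfg["url"], src_cfg["realm"], src_cfg["client_id"], src_cfg["secret"])
    dst_tok = get_token(dst_cfg["url"], dst_cfg["realm"], dst_cfg["client_id"], dst_cfg["secret"])
    src_users = fetch_all_users(src_cfg["url"], src_cfg["realm"], src_tok)
    dst_users = fetch_all_users(dst_cfg["url"], dst_cfg["realm"], dst_tok)
    to_create, to_update = plan_sync(src_users, dst_users)
    apply_plan(dst_cfg["url"], dst_cfg["realm"], dst_tok, dst_users, to_create, to_update)
    return len(to_create), len(to_update)


# Constructed sample data in the shape the admin API returns (ids are fake).
SAMPLE_A = [
    {"id": "1", "username": "alice", "email": "alice@example.test", "enabled": True},
    {"id": "2", "username": "bob", "email": "bob@example.test", "enabled": True, "firstName": "Bob"},
]
SAMPLE_B = [
    {"id": "9", "username": "bob", "email": "bob@example.test", "enabled": True},
    {"id": "10", "username": "carol", "email": "carol@example.test", "enabled": False},
]

if __name__ == "__main__":
    create, update = plan_sync(SAMPLE_A, SAMPLE_B)
    print("create:", [u["username"] for u in create], "update:", [u["username"] for u in update])
```

Because `plan_sync` is pure, the job can be run far more often than hourly (or from a scheduler that fires on the admin-events log) without touching either cluster when nothing changed. Running it in both directions means each side overwrites the other's profile edits, so pick one cluster as the source of truth per attribute, or only create and never update in the reverse direction. Copied users arrive without credentials; in a brokered setup that is what you want, since the first-broker-login flow links them to the external IdP account.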