Since last year, the single sign-on solution Keycloak has been a central component of our identity and access management strategy. With Keycloak, third-party applications can authenticate against the system using standard protocols such as SAML and OpenID Connect. This means that users only have to log on once centrally and can then access all enabled services.
In the long term, Keycloak will replace our existing solutions SimpleSAMLphp and Kopano Konnect. The development team is working on implementing further features. As of December 2022, Keycloak is part of the UCS functional scope covered by our support, and it can already be installed as an app via the App Center today.
Keycloak’s Fail-safety and High Availability
Of course, with such a central component, fail-safety and high availability are important issues. As of today, it is already possible to install Keycloak multiple times in a UCS domain. In this case, all installations are accessible under the same name in the network and share login sessions. This allows load balancing in the domain and provides a certain degree of fail-safety. All instances also share the same configuration.
In the default installation of the app, the configuration is stored in a central database on a UCS system. To make Keycloak truly fail-safe and highly available, the same therefore has to apply to the database system, i.e. it must be operated as a cluster. UCS does not provide such a cluster for Keycloak out of the box. However, the Keycloak app can be configured to use an external database.
In principle, it is possible to run a cluster with the databases provided by UCS. However, the setup is not trivial and UCS does not provide any simple options for this. Administrators must not only build such a cluster themselves but also operate it.
MariaDB Offers Support for Cluster Operation
This is where MariaDB comes into play. The enterprise version of MariaDB, set up together with an SQL proxy in the same network as a cluster, allows a highly available database setup that can be used by Keycloak.
MariaDB and Univention have now entered into technical cooperation that allows us to offer our customers comprehensive support for the fail-safe and highly available use of Keycloak on UCS.
Stefan Schmit, Sr. Solution Engineer at MariaDB plc points out:
With the MariaDB Enterprise Server in combination with our SQL proxy MaxScale, we offer a highly available database architecture that corrects failures immediately. Together with Univention and our support, you get a highly available database for Keycloak’s critical workload and on multiple platforms, be it on-prem, private cloud (e.g. VMware, Kubernetes) or public cloud (AWS, Google Cloud) as Database-as-a-Service (DBaaS) SkySQL.
If you have any questions about MariaDB, or its combined use with UCS or Keycloak, please feel free to ask in the comments section of our blog.