Move to Keycloak without forcing a password reset.
A federation provider that validates first-login credentials against your legacy IdP, then transparently migrates users to Keycloak. No mass email, no support hit.
Migrating to a new IdP usually means breaking your users.
Password hashes don't move
Most legacy IdPs won't export password hashes. The 'easy' path is to email everyone a reset — and watch your active user count crater.
Big-bang migrations are risky
Cutting all users over in one weekend leaves no rollback, no canary, and a worst-case support load.
Long tail of inactive accounts
You'd rather not migrate the 30% of users who haven't logged in this year. But which 30%?
Migrate on first login, transparently
Federation, not export
Keycloak federates to your legacy system. First-login auth happens there.
Validate, then import
If the legacy system says the password is right, we create a local Keycloak account with the profile.
Subsequent logins are local
After the first login, the user authenticates against Keycloak directly. The legacy IdP becomes optional.
Inactive users self-select out
Anyone who never logs in is never migrated. Cleanup happens organically.
Whose migrations get easier
Anyone moving off Auth0, Cognito, a custom database, LDAP, or any legacy IdP — without a 6-month coordinated cutover.
Everything you'd want from a migration
Bring-your-own REST endpoint
Implement a tiny endpoint that takes a username and password and returns the user's profile on success.
Auth0 / Cognito connectors
Pre-built integrations for the most common sources.
LDAP / SQL federation
Stock Keycloak federation patterns, batteries included.
Profile mapping
Map legacy attributes to Keycloak attributes — name, email, custom.
Migration progress dashboard
See how many users have migrated, who's left, when the tail flatlines.
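The first-login flow described under "Migrate on first login, transparently", the bring-your-own REST endpoint, and the migration progress count, modelled end to end in one added Python example. This is illustration code, not the product's code and not Keycloak's User Storage SPI; the legacy hash scheme (PBKDF2-SHA1), the sample accounts, and the endpoint's return shape are assumptions. The point it shows: the legacy hash never leaves the legacy system, the local store re-hashes the password the user just typed with its own scheme, and users who never log in are never copied.

```python
"""Migrate-on-first-login federation, simulated in-process (constructed example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


# ---- Legacy side: stands in for the tiny "verify" REST endpoint you would write.
# Assumed legacy scheme: PBKDF2-SHA1 with a per-user salt. Accounts are constructed.
def _legacy_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 10_000)


def _legacy_record(password: str, profile: dict) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _legacy_hash(password, salt), "profile": profile}


LEGACY_DB = {
    "alice": _legacy_record("correct horse", {"email": "alice@example.com", "firstName": "Alice"}),
    "bob": _legacy_record("battery staple", {"email": "bob@example.com", "firstName": "Bob"}),
}
_DUMMY_SALT = os.urandom(16)  # used so unknown usernames cost the same as known ones


def legacy_verify(username: str, password: str):
    """What the endpoint returns: the profile dict on success, None otherwise.
    It never returns the stored hash, so nothing secret has to be exported."""
    rec = LEGACY_DB.get(username)
    salt = rec["salt"] if rec else _DUMMY_SALT
    candidate = _legacy_hash(password, salt)  # always hash, even for unknown users
    if rec is None or not hmac.compare_digest(candidate, rec["hash"]):
        return None
    return dict(rec["profile"])


# ---- Keycloak side: local store plus the federation decision.
@dataclass
class LocalUser:
    username: str
    salt: bytes
    pw_hash: bytes
    attributes: dict


def _local_hash(password: str, salt: bytes) -> bytes:
    # The local scheme is independent of the legacy one; PBKDF2-SHA256 is assumed here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class MigratingStore:
    def __init__(self, verify_with_legacy):
        self.local: dict[str, LocalUser] = {}
        self.verify_with_legacy = verify_with_legacy
        self.legacy_calls = 0  # how often the legacy IdP was still needed

    def login(self, username: str, password: str) -> tuple[bool, str]:
        """Returns (success, path) where path is 'local', 'migrated' or 'legacy'."""
        user = self.local.get(username)
        if user is not None:  # already migrated: never touch the legacy IdP again
            ok = hmac.compare_digest(_local_hash(password, user.salt), user.pw_hash)
            return ok, "local"
        self.legacy_calls += 1
        profile = self.verify_with_legacy(username, password)
        if profile is None:
            return False, "legacy"  # wrong password or unknown user: nothing is imported
        # Legacy said yes: import the profile and hash the password we were just given.
        salt = os.urandom(16)
        self.local[username] = LocalUser(username, salt, _local_hash(password, salt), profile)
        return True, "migrated"

    def progress(self, legacy_usernames) -> tuple[int, int]:
        """(migrated, total) over the legacy user list; the dashboard number."""
        migrated = sum(1 for u in legacy_usernames if u in self.local)
        return migrated, len(legacy_usernames)


def run_demo() -> list:
    """A short login history; returns each outcome so it can be checked."""
    store = MigratingStore(legacy_verify)
    outcomes = [
        store.login("alice", "correct horse"),   # first login: validated remotely, imported
        store.login("alice", "correct horse"),   # second login: local only
        store.login("alice", "wrong"),           # wrong password against the local hash
        store.login("bob", "nope"),              # wrong password: stays unmigrated
        store.login("mallory", "anything"),      # unknown user: nothing created
    ]
    outcomes.append(store.progress(LEGACY_DB.keys()))
    outcomes.append(store.legacy_calls)
    return outcomes


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The `progress` count is what the tail-flattening decision in "Cut-over when you're ready" is based on: once it stops moving, the remaining accounts are the inactive ones that self-selected out, and federation can be switched off.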
Cut-over when you're ready
Once the migrated share of users is high enough, disable federation and run pure Keycloak.