How to seamlessly failover from Microsoft Entra ID to on-prem Keycloak

Keep your critical apps accessible. Use Identity Continuity to allow key users to securely authenticate locally with Keycloak if Microsoft Entra ID ever becomes unavailable.

  • Protect against natural disasters, broken configurations, or network loss. Automatically fail over to on-prem Keycloak so users can keep accessing apps until the issue is fixed.
  • Protect against your IDP going offline. Use Keycloak to keep all mission-critical apps reachable. Keep using HYPR, YubiKey, or any other modern third-party MFA to secure your app when a user authenticates via Keycloak.
  • Make attributes and policies consistent between Microsoft Entra ID and Keycloak. Seamlessly map common attributes with the Schema Abstraction Layer™.

Don’t get caught with your apps down

Recipe details

This is how everything works together.

Diagram: the protected app and on-prem Keycloak connect to the Maverics Orchestrator through the Schema Abstraction Layer, which routes authentication to Microsoft Entra ID under normal conditions and fails over to on-prem Keycloak when Entra ID is unavailable.

Setup details

Just add in your ingredients and deploy.

Screenshot: the Maverics web UI for managing identity services, with sections for the configured identity fabrics (including Okta and CyberArk integrations), a Learning Center for resources, and the option to fail over from your cloud IDP to a backup cloud IDP.

App users don’t care how they authenticate — they care about accessing apps exactly when they need to. Use Identity Continuity to give key users continuous access to the mission-critical apps that directly impact business function — during a natural disaster, if there’s an issue with config, or if your network goes offline.

  • Familiar login. Users start at the app as usual; under normal conditions they are sent to Microsoft Entra ID and complete its standard authentication flow.
  • Invisible redirection. Behind the scenes, Maverics checks that your Microsoft Entra ID instance is healthy and, if it is not, redirects the user to Keycloak instead.
  • Quick authentication. The user authenticates against Keycloak and is logged in. Because the app receives the same attributes it expects from Entra ID, everything in the app looks the same as before and access is granted.

Key users will need to access a mission-critical app even if there are network issues or your Microsoft Entra ID config is corrupted. Use Identity Continuity to automatically fail over to on-prem Keycloak and allow users to authenticate that way.

  • Define your strategy. Set Microsoft Entra ID as your primary IDP and configure Keycloak as your secondary IDP to define your failover strategy within the Maverics UI.
  • Define the attributes your application needs in the Schema Abstraction Layer™. Separately map them to claims available from Microsoft Entra ID and Keycloak.
  • Configure continuity. Set the health check parameters that trigger failover (and fail-back), simulate outages, and prepare your systems and users for each continuity scenario ahead of time. Maverics' hybrid air-gap architecture keeps the local orchestrator available, so identity services keep working even when the cloud is unreachable.
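The runtime flow (health check, redirect, consistent attributes) and the setup steps above (primary and secondary IDP, attribute mapping, failover thresholds) come together in the following added example. It is standalone illustration code written for this page, not Maverics' configuration or implementation: the issuer URLs, claim names, sample tokens, group-ID-to-name table and thresholds are constructed assumptions. It shows a health monitor with hysteresis (several consecutive failures before failing over, several consecutive successes before failing back), a selection function that returns the IDP users should be redirected to, and a claim mapping that normalizes an Entra ID token and a Keycloak token onto one application attribute schema, failing closed when a required attribute is missing or the token comes from the wrong issuer.

```python
"""Added example: health-gated IdP selection plus per-IdP claim normalization.
Standalone illustration, not Maverics' own code; all identifiers are constructed."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Sequence


@dataclass
class IdP:
    name: str
    issuer: str
    # app attribute -> dotted path of the claim carrying it in this IdP's token
    claim_map: Dict[str, str]
    # optional per-attribute value translation (e.g. group object IDs -> names)
    transforms: Dict[str, Callable[[Any], Any]] = field(default_factory=dict)


@dataclass
class HealthMonitor:
    """Tracks IdP health with hysteresis so one slow probe does not flap users
    between IdPs: `failure_threshold` consecutive failed probes mark an IdP down,
    `recovery_threshold` consecutive good probes mark it up again."""
    probe: Callable[[str], bool]      # True if the issuer answers (e.g. its discovery endpoint)
    failure_threshold: int = 3
    recovery_threshold: int = 2
    _healthy: Dict[str, bool] = field(default_factory=dict)
    _streak: Dict[str, int] = field(default_factory=dict)  # consecutive results contradicting state

    def check(self, idp: IdP) -> bool:
        try:
            ok = self.probe(idp.issuer)
        except Exception:  # timeouts, DNS, TLS errors all count as a failed probe
            ok = False
        healthy = self._healthy.get(idp.name, True)
        if ok == healthy:
            self._streak[idp.name] = 0
        else:
            self._streak[idp.name] = self._streak.get(idp.name, 0) + 1
            limit = self.failure_threshold if healthy else self.recovery_threshold
            if self._streak[idp.name] >= limit:
                healthy = ok
                self._healthy[idp.name] = healthy
                self._streak[idp.name] = 0
        return healthy


def select_idp(primary: IdP, secondary: IdP, monitor: HealthMonitor) -> Optional[IdP]:
    """Return the IdP to redirect the user to, or None if both are down."""
    if monitor.check(primary):
        return primary
    if monitor.check(secondary):
        return secondary
    return None


def _lookup(claims: Dict[str, Any], path: str) -> Any:
    cur: Any = claims
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def normalize_claims(claims: Dict[str, Any], idp: IdP,
                     required: Sequence[str] = ("subject", "username", "groups")) -> Dict[str, Any]:
    """Map a token's claims onto the app's attribute schema. Fails closed: wrong
    issuer or a missing required attribute raises instead of yielding a partial identity."""
    if claims.get("iss") != idp.issuer:
        raise ValueError(f"token issuer {claims.get('iss')!r} does not belong to {idp.name}")
    out: Dict[str, Any] = {}
    for attr, path in idp.claim_map.items():
        value = _lookup(claims, path)
        if value is not None and attr in idp.transforms:
            value = idp.transforms[attr](value)
        out[attr] = value
    missing = [a for a in required if out.get(a) is None]
    if missing:
        raise ValueError(f"{idp.name} token lacks required attributes: {missing}")
    return out


# Constructed sample IdPs. Entra ID v2.0 tokens carry the tenant-stable user id in
# `oid` (their `sub` is per-application) and groups as object IDs, while a Keycloak
# group-membership mapper emits group paths; the transforms reconcile both to names.
# Assumption: the same user identifier is available from both IdPs (e.g. Keycloak
# federated to the same directory), otherwise the app would see a different user.
ENTRA_GROUP_NAMES = {"9f3c0c52-0000-0000-0000-000000000001": "finance"}  # constructed
ENTRA = IdP(
    name="entra",
    issuer="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    claim_map={"subject": "oid", "username": "preferred_username", "groups": "groups"},
    transforms={"groups": lambda ids: sorted(ENTRA_GROUP_NAMES.get(g, g) for g in ids)},
)
KEYCLOAK = IdP(
    name="keycloak",
    issuer="https://keycloak.corp.example/realms/corp",
    claim_map={"subject": "sub", "username": "preferred_username", "groups": "groups"},
    transforms={"groups": lambda paths: sorted(p.strip("/") for p in paths)},
)
ENTRA_TOKEN = {"iss": ENTRA.issuer, "oid": "u-123", "sub": "pairwise-xyz",
               "preferred_username": "alice@corp.example",
               "groups": ["9f3c0c52-0000-0000-0000-000000000001"]}
KEYCLOAK_TOKEN = {"iss": KEYCLOAK.issuer, "sub": "u-123",
                  "preferred_username": "alice@corp.example", "groups": ["/finance"]}


def simulate_outage(entra_probe_results: List[bool]) -> List[str]:
    """Replay scripted Entra probe results (Keycloak always answers) and return
    the IdP chosen for each successive login attempt."""
    script = iter(entra_probe_results)
    monitor = HealthMonitor(probe=lambda issuer: next(script) if issuer == ENTRA.issuer else True)
    return [select_idp(ENTRA, KEYCLOAK, monitor).name for _ in entra_probe_results]


if __name__ == "__main__":
    print(simulate_outage([True, False, False, False, True, True, True]))
    print(normalize_claims(ENTRA_TOKEN, ENTRA) == normalize_claims(KEYCLOAK_TOKEN, KEYCLOAK))
```

With the default thresholds, three consecutive failed Entra ID probes move logins to Keycloak and two consecutive good probes move them back, so a single dropped probe never redirects anyone. Both sample tokens normalize to the same subject, username and group set, which is what lets the app behave identically after failover; a real deployment has to make the same guarantee for every attribute the app relies on, and the fail-closed check is what surfaces a gap in the mapping before a half-mapped identity reaches the app.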

Ready to cook up your perfect identity modernization solution?

Stop juggling disparate identity services. Unleash the power of Strata’s orchestration recipes.
Whether you’re dealing with legacy app modernization or controlling multi-cloud access, Orchestration Recipes have got you covered.
