Migrate from Keycloak
Step-by-step guide to migrating users, realms, groups, and identity providers from Keycloak to Wocha
This guide covers migrating from Keycloak to Wocha using a realm export file or the Keycloak Admin API.
Prerequisites
| Requirement | Details |
|---|---|
| Keycloak realm export | JSON from Admin Console → Realm Settings → Export, or live Admin API |
| Admin access token | Required for live API import |
| Wocha tenant | npx @wocha/cli init --cloud |
| Management API key | WOCHA_MANAGEMENT_API_KEY with users:write, organisations:write, connections:write |
Concept mapping
| Keycloak | Wocha |
|---|---|
| Realm | Wocha tenant (one realm → one tenant; multi-realm requires multiple tenants) |
| User | User |
| Group | Organisation |
| Realm role | Organisation role / SpiceDB permission |
| Identity provider | Social or enterprise connection |
| Client | Application |
Data mapping
| Keycloak field | Wocha field |
|---|---|
user.id | metadata_admin.keycloak_id |
user.email | traits.email |
user.firstName + lastName | traits.name |
user.attributes | metadata_admin.attributes |
group.id / group.name | Organisation slug / display_name |
role.name | Organisation role (admin or member) |
identityProvider.providerId | Social connection provider |
identityProvider.alias | Connection name |
Step 1 — Export realm data
Option A: Realm export file
In the Keycloak Admin Console:
- Select your realm
- Realm settings → Action → Partial export
- Export users, groups, roles, and identity providers
- Save as
realm-export.json
Option B: Live Admin API
Obtain an admin access token:
The CLI prompts for base URL, realm, and token when you select live import.
Step 2 — Dry run
The plan summarises:
- Users, groups (organisations), roles, and identity providers
- Users missing email addresses
- Identity providers requiring OAuth credential configuration
Step 3 — Import users
Groups map to Wocha organisations; roles map to member/admin assignments. Identity providers are listed for manual configuration.
Step 4 — Configure identity providers
Keycloak identity providers map to Wocha connections:
Keycloak providerId | Wocha connection |
|---|---|
google | Google (social) |
github | GitHub (social) |
microsoft | Microsoft (social) |
saml | Enterprise SSO |
oidc | Enterprise SSO |
Add OAuth client credentials in Connections → Social or SAML metadata in Connections → Enterprise.
Handling passwords
Keycloak realm exports do not include password hashes by default (security restriction). Options:
- Magic link re-registration —
wocha.users.sendRecovery(userId)after import - Export with credentials — Keycloak can export password credentials if explicitly enabled (not recommended for production exports)
- Migration flow — implement a custom login page that validates against Keycloak on first login, then creates the Wocha session
- SSO/federated — configure identity providers in Wocha before cutover
Step 5 — Map applications (clients)
Keycloak clients map to Wocha applications:
Step 6 — Validate migration
Checks user counts, organisation alignment, and identity provider configuration.
Post-migration checklist
- All users imported
- Groups mapped to organisations with correct membership
- Identity providers configured in Wocha
- Applications (clients) recreated with correct redirect URIs
- Recovery emails sent to password-based users
- Application middleware updated to Wocha SDK
- Keycloak realm kept active during validation period
Rollback considerations
- Keycloak realm export is read-only — import does not modify Keycloak
- User metadata preserves
keycloak_idand realm name - Multi-realm deployments may need one Wocha tenant per realm
- SAML/OIDC metadata changes require IdP and SP configuration updates at cutover