How we used low-code, Keycloak and GraphQL instead of Okta
Opportunity
USH is a federation of federations, providing central support services to its members. It runs SSO infrastructure and IAM for more than 20,000 users. Okta was far too expensive, and USH needed to manage user account CRUD centrally and then propagate those users to multiple other applications: CRM, Active Directory, LDAP, a Drupal website, JIRA, Microsoft Office licence activation and several other internal applications.
Solution
Keycloak is used as the IAM and is very easy to integrate with. We built a middleware layer using Apollo GraphQL that provides a single graph endpoint for all user-related operations. Finally, a WeWeb front-end application was created to provide a unified portal for creating, updating or deactivating users.
Keycloak + GraphQL + WeWeb
Managing over 20,000 users is always a challenge, especially when they belong to hundreds of different organizations and their data is spread across multiple applications. We typically see these issues addressed with a combination of AD and IAM solutions like Okta. However, Okta's pricing is geared towards enterprises, and having 20,000 users usually implies a very large company with a substantial budget.
USH, on the other hand, is a non-profit federation providing centralized services for its members, where Okta would be prohibitively expensive. We devised a more elegant solution. User management was based on Keycloak, an open-source IAM. We added a GraphQL layer on top of Keycloak to manage users and their data. GraphQL's resolvers connected to multiple backend APIs where parts of the user data were located: CRM, Drupal, LDAP, and others where actions were necessary upon user creation or archiving, such as granting JIRA access, activating Microsoft Office licenses, and managing newsletter subscriptions.
Finally, we created a front-end using WeWeb. We took advantage of how easily GraphQL connects to WeWeb and developed a set of screens to create users, update them, change the emails and attributes of existing users, and archive those who left, disabling them in each application.
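As an added illustration of the archive step such a resolver has to orchestrate (this is not USH's code and not the Keycloak or WeWeb API), assuming constructed connector stubs named `iam` and `targets` in place of the real Keycloak Admin, CRM, LDAP and JIRA clients:

```javascript
// Added example, not USH's code: the archive step of a user-management
// resolver. The IAM is disabled first; only then does the call fan out to
// every connected application, and the result lists any system that did
// not confirm, so a partial failure never leaves access silently enabled.
// `iam` and `targets` are constructed stand-ins for the real Keycloak Admin,
// CRM, LDAP and JIRA connectors.

async function archiveUser(userId, { iam, targets, audit = [] }) {
  // Source of truth first: if the IAM cannot disable the login, abort
  // before touching anything downstream.
  await iam.disable(userId);
  audit.push({ step: 'iam.disable', userId, ok: true });

  // Fan out in parallel; allSettled keeps one failing connector from
  // hiding the outcome of the others.
  const names = Object.keys(targets);
  const settled = await Promise.allSettled(names.map((n) => targets[n](userId)));

  const results = {};
  settled.forEach((r, i) => {
    results[names[i]] = r.status === 'fulfilled'
      ? { ok: true }
      : { ok: false, error: r.reason instanceof Error ? r.reason.message : String(r.reason) };
    audit.push({ step: names[i], userId, ...results[names[i]] });
  });

  // Archived only when every system confirmed; otherwise report what
  // still needs a retry or manual action.
  const pending = names.filter((n) => !results[n].ok);
  return { userId, archived: pending.length === 0, pending, results, audit };
}

// Constructed in-memory connectors for a stand-alone run; JIRA simulates
// the kind of transient API failure the text describes.
function demoConnectors() {
  const state = { keycloak: 'enabled', crm: 'active', ldap: 'active', jira: 'active' };
  return {
    state,
    iam: { async disable() { state.keycloak = 'disabled'; } },
    targets: {
      crm: async () => { state.crm = 'archived'; },
      ldap: async () => { state.ldap = 'archived'; },
      jira: async () => { throw new Error('JIRA API timeout'); },
    },
  };
}

async function runDemo() {
  const env = demoConnectors();
  const result = await archiveUser('u-1234', env);
  return { ...result, state: env.state };
}

runDemo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The returned `pending` list is what a portal screen or retry job would act on, and the `audit` entries are what would be shipped to a central logging system.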
Not as easy as it may seem
On paper, it might seem straightforward: write some resolvers with Apollo GraphQL, connect a few APIs, create three or four screens in WeWeb, and voilà. In reality, it is a highly distributed system that orchestrates and synchronizes data across ten different applications. A minor change or error can destabilize the entire system. Debugging was a real nightmare; we could spend several hours investigating a small change to a field attribute that crashed the entire user-creation workflow. We urgently needed a way to stop the project from consuming so much time.
To address this, we first implemented a global logging system using Datadog. We also covered most of the user journeys with automated, end-to-end tests. These measures immediately accelerated the project, and we're now able to run and deploy changes within a few minutes.
Furthermore, we wish to emphasize the importance of effective inter-team communication between the IT department of USH, the Keycloak integrators, and the managers of the different applications. A single JIRA, Slack, and Git were established, with regular on-site meetings organized to align everyone and prepare for future releases.