Problem: A global manufacturer needed to replace a 12-year-old ADFS estate blocking cloud adoption. 200,000 employees, 14 countries, 180 SAML-integrated applications, and zero tolerance for a login outage. A prior attempt was abandoned after causing a 4,000-user login loop.
Solution: Keycloak federated Active Directory as its user store from day one — no user migration required. Each application was migrated one at a time using a load-balancer rule (5% of logins to Keycloak, 95% to ADFS). SAML traces from both paths were compared automatically to detect attribute-mapping divergence before the Keycloak share was increased. 23 applications needed custom Keycloak extension mappers.
Technology: Keycloak · SAML 2.0 · Active Directory · Terraform · OIDC
Optimisation pattern: parallel-run-per-application-migration
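The automated SAML trace comparison is the control that makes the per-application parallel run safe: a Keycloak mapper that emits a different attribute name, a group value in DN form instead of a short name, or a different NameID format would be caught on the 5% slice before it reached every user. The script below is an added example of that check, not the manufacturer's or Keycloak's own tooling. It parses an assertion from each path, diffs NameID and the attribute statement, ignores attributes that legitimately differ per issuer, and gates the traffic ramp on a clean sample. The ADFS claim URIs are the standard ones; the assumption that Keycloak is configured to emit the same names, the `Role` attribute name, and the sample assertions themselves are constructed for illustration.

```python
"""Diff SAML assertions captured from two IdP paths (ADFS baseline vs Keycloak candidate).

Added example, not the project's own code. Sample assertions are constructed.
In a real run the XML would come from the decoded SAMLResponse of each path,
after signature validation, which this script deliberately does not do.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard ADFS claim types; Keycloak is assumed to be mapped to emit the same names.
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
AUTHN_INSTANT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"
# Attributes expected to differ per issuer and per login; excluded from the diff.
IGNORE = frozenset({AUTHN_INSTANT})


def parse_assertion(xml_text: str) -> dict:
    """Extract Issuer, NameID (value and Format) and the attribute statement."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        # Sort values so multi-valued attributes (groups) compare order-independently.
        attrs[attr.get("Name")] = sorted((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS),
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }


def compare_assertions(baseline_xml: str, candidate_xml: str, ignore=frozenset()) -> list:
    """Return divergences between the baseline (ADFS) and candidate (Keycloak) assertion.

    Each finding is a tuple whose first element names the kind of divergence.
    An empty list means the candidate path is attribute-for-attribute equivalent.
    """
    base, cand = parse_assertion(baseline_xml), parse_assertion(candidate_xml)
    findings = []
    if base["name_id"] != cand["name_id"]:
        findings.append(("nameid_mismatch", base["name_id"], cand["name_id"]))
    if base["name_id_format"] != cand["name_id_format"]:
        findings.append(("nameid_format_mismatch", base["name_id_format"], cand["name_id_format"]))
    b = {k: v for k, v in base["attributes"].items() if k not in ignore}
    c = {k: v for k, v in cand["attributes"].items() if k not in ignore}
    for name in sorted(b.keys() - c.keys()):
        findings.append(("missing_attribute", name))  # relying party would lose this claim
    for name in sorted(c.keys() - b.keys()):
        findings.append(("unexpected_attribute", name))  # new claim the RP never saw from ADFS
    for name in sorted(b.keys() & c.keys()):
        if b[name] != c[name]:
            findings.append(("value_mismatch", name, b[name], c[name]))
    return findings


def ramp_gate(comparison_results: list, min_samples: int = 100) -> bool:
    """Allow raising the Keycloak traffic share only after enough clean comparisons."""
    return len(comparison_results) >= min_samples and all(not f for f in comparison_results)


def build_assertion(issuer: str, name_id: str, name_id_format: str, attributes: dict) -> str:
    """Build a minimal unsigned assertion string (constructed test input, not a real capture)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}">' + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vals)
        + "</saml:Attribute>" for n, vals in attributes.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_x" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion>"
    )


# Constructed samples: the Keycloak one has four deliberate divergences plus one ignorable one.
ADFS_SAMPLE = build_assertion(
    "http://adfs.example.test/adfs/services/trust", "jdoe@example.test",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    {EMAIL: ["jdoe@example.test"], GROUP: ["Finance", "VPN-Users"],
     UPN: ["jdoe@corp.example.test"], AUTHN_INSTANT: ["2024-01-01T00:00:00Z"]},
)
KEYCLOAK_SAMPLE = build_assertion(
    "https://sso.example.test/realms/corp", "jdoe@example.test",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",          # format drifted
    {EMAIL: ["jdoe@example.test"],
     GROUP: ["VPN-Users", "CN=Finance,OU=Groups,DC=corp,DC=example,DC=test"],  # DN instead of name
     "Role": ["offline_access"],                                     # unexpected extra claim
     AUTHN_INSTANT: ["2024-01-01T00:00:07Z"]},                       # ignored
)

if __name__ == "__main__":
    for finding in compare_assertions(ADFS_SAMPLE, KEYCLOAK_SAMPLE, ignore=IGNORE):
        print(finding)
```

Run against captures from both load-balancer paths for the same user, the `missing_attribute` and `value_mismatch` findings are exactly the cases the 23 custom mappers had to fix, and `ramp_gate` encodes the rule that the Keycloak share only grows after a clean sample. Comparing sorted value lists keeps group-order differences from producing noise, while the `ignore` set should stay small and explicit so that a genuinely dropped claim is never silently excused.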
Outcomes:
Zero login outages across 90 days and 180 migrations. Seven user-reported issues in total (all resolved the same day). ADFS decommissioned: 12 Windows Server instances retired. First Azure AD B2C integration live within 2 weeks of ADFS retirement.