Migrating users from IAM to Keycloak

When upgrading IBM Cloud Pak® for Integration from a version that uses IBM Cloud Pak foundational services Identity and Access Management (IAM) to a version that uses Red Hat® build of Keycloak, the upgrade process does not automatically migrate users from IAM to Keycloak. You need to migrate users yourself during upgrade. If this is not done before upgrading instances, users might lose access to those instances until the new identity and access management system is configured.

So that user migration can occur, use one of the following methods for triggering Keycloak installation:

• If you already have the Platform UI deployed, simply upgrade it when prompted by the upgrade plan in Upgrading from 2023.4 or Upgrading from 2022.2. The Platform UI triggers the installation of Keycloak automatically during upgrade.

• Deploy the Platform UI (if you do not currently have it) when the upgrade plan prompts you to upgrade users in Upgrading from 2023.4 or Upgrading from 2022.2. The compute resources of the Platform UI are minimal. The Platform UI automatically triggers the installation of Keycloak when you upgrade Cloud Pak for Integration by using the upgrade plan in Upgrading from 2023.4 or Upgrading from 2022.2. For more information, see Deploying the Platform UI.

• You can also manually initiate the installation of Keycloak. For more information, see Installing the identity and access management system when the Platform UI is not installed.

Migrating users by using a tool

There is a tool to help with user migration during upgrade. The tool connects to the previous identity and access management system, lists the identity providers, users, teams, and permissions, and confirms that they exist in Keycloak.

For more information, see the IAM to Keycloak migration tool on GitHub.

Migrating users manually

You can configure Keycloak manually. For more information, see Identity and access management.