
Implementing Keycloak SSO on AWS for a Large Energy Customer Platform


Achievements: 4 sub-brands unified, 2x faster onboarding, 35% fewer support requests

Introduction

The client is a leading energy distribution company in Western Europe, operating across multiple markets and serving a large consumer base. As part of its digital strategy, the company provides a customer-facing online platform where users securely access energy consumption data, billing information, and account settings.

The platform supports multiple customer-facing sub-brands, each with its own digital experience, while relying on shared backend systems. As the number of users, brands, and digital products grew, the existing login solution could no longer scale. The company needed a centralized, secure, and future-proof way to manage customer identities across all applications.

Why the Existing Login Setup Could Not Scale

As the company’s digital services grew, managing user logins became increasingly complex. The main challenges were:

  • No single, central system to manage customer logins across all products
  • Different types of users (customers and internal administrators) with very different access needs
  • Limited functionality in the existing login system
  • High security requirements due to the sensitive nature of energy and customer data
  • Growing operational effort for support and IT teams

The client needed reliable identity management services that could support multiple brands, strict security requirements, and future digital products from a single platform.

[Figure: Keycloak SSO deployment on AWS showing administrative access in a private VPC and customer authentication endpoints in a public VPC. Caption: As digital services expanded, fragmented login management created a cascade of complexity across security, operations, and user access.]

Choosing an Open Source SSO Foundation for Long Term Growth

The client selected Keycloak, an open-source identity and login platform, as the foundation of their solution.

Key reasons included:

  • Strong security and broad industry adoption
  • No dependency on a single software vendor
  • Support for modern login standards like OAuth 2.0 and OpenID Connect
  • High flexibility for customization and extension

Keycloak provided the foundation for an open source SSO solution, giving the client full control over authentication, customization, and long-term scalability without relying on proprietary software or SaaS tools. This is where Perfsys joined the project.

Designing a Centralized Identity Platform on AWS

Perfsys worked closely with the client to design and implement a centralized Keycloak SSO platform on AWS for all customer-facing applications.

Perfsys specializes in identity management services, including Keycloak deployment and SSO integrations on AWS, helping companies build secure and scalable login systems without vendor lock-in.

The solution was hosted on AWS and designed to be:

  • Scalable as user numbers grow
  • Secure by design
  • Easy to extend for new products and brands

Following AWS VPC security best practices, administrative access was isolated in private networks, while only the required authentication endpoints were exposed publicly.

[Figure: Keycloak deployment across private and public AWS VPCs, separating administrative access from customer-facing authentication.]

What Perfsys Delivered

1. Unifying Multiple Customer Portals Under One Login

Perfsys transformed Keycloak into a single, shared login system for all customer-facing applications. Customers can now use one account across multiple services and brands.

For the business, this simplified identity architecture enabled faster product launches, fewer integration issues, and a scalable foundation for future growth.

2. Reducing Support Effort With Better Identity Administration

Out-of-the-box admin tooling was not sufficient for enterprise-scale operations. Perfsys extended the Keycloak admin interface with custom components built on the Keycloak API.

Support teams gained better visibility into user accounts, clearer account states, and faster issue resolution—significantly reducing manual work and operational overhead.

3. Enabling Secure User Support Without Compromising Security

To support customers effectively, administrators sometimes need to view the system from a user’s perspective. Perfsys implemented a secure impersonation capability that allows authorized admins to temporarily access customer accounts.

This improved support efficiency while maintaining strict security boundaries between internal systems and public-facing portals.

4. Implementing MFA Without Disrupting the Login Experience

Security was a top priority, but usability was equally important. Perfsys implemented a balanced MFA approach:

  • Users receive a one-time email code when logging in from a new device
  • Trusted devices do not require repeated verification
  • Strong security without unnecessary login friction

This significantly improved account protection while preserving a smooth user experience.
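The step-up logic described above can be sketched as follows. This is an added example, not Perfsys's or Keycloak's code: the signed device cookie, the in-memory store, the function names and the policy values (5-minute code lifetime, 5 attempts, 30-day device trust) are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

DEVICE_KEY = secrets.token_bytes(32)   # assumed server-side key for signing device cookies
OTP_TTL, MAX_TRIES, TRUST_TTL = 300, 5, 30 * 86400   # assumed policy: seconds, attempts, seconds
_pending = {}   # user_id -> [code_digest, expires_at, tries]; stand-in for a shared store

def _digest(code):
    return hashlib.sha256(code.encode()).digest()

def _sign(body):
    return hmac.new(DEVICE_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_device_token(user_id, now):
    """Signed trusted-device cookie bound to one user, with an expiry (user_id must not contain '|')."""
    body = f"{user_id}|{int(now) + TRUST_TTL}|{secrets.token_hex(8)}"
    return f"{body}|{_sign(body)}"

def device_is_trusted(user_id, token, now):
    if not token or token.count("|") != 3:
        return False
    body, sig = token.rsplit("|", 1)
    owner, expires, _nonce = body.split("|")
    return (hmac.compare_digest(sig.encode(), _sign(body).encode())
            and owner == user_id and expires.isdigit() and now < int(expires))

def start_login(user_id, token, now):
    """Return ('ok', None) on a trusted device, else ('otp_required', code_to_email)."""
    if device_is_trusted(user_id, token, now):
        return "ok", None
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[user_id] = [_digest(code), now + OTP_TTL, 0]   # only the digest is stored
    return "otp_required", code

def verify_otp(user_id, code, now):
    """Return a new device token on success, None on failure."""
    entry = _pending.get(user_id)
    if entry is None:
        return None
    entry[2] += 1
    if now > entry[1] or entry[2] > MAX_TRIES:
        del _pending[user_id]           # expired or guessed too often: a fresh code is required
        return None
    if not hmac.compare_digest(entry[0], _digest(code)):
        return None
    del _pending[user_id]               # codes are single use
    return issue_device_token(user_id, now)
```

The device token is bound to the user and carries its own expiry, so a cookie copied to another account or kept past the trust window falls back to the email code.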

5. Improving Customer Trust Through Branded Identity Communication

Standard email notifications were not sufficient for a multi-brand customer platform. Perfsys redesigned identity-related communication to be clear, branded, and consistent.

Customers now receive easy-to-understand, brand-specific emails for actions like password expirations, required updates, and policy changes. Web-based versions of these emails can also be opened in a browser, improving clarity and trust.

6. Supporting Multiple Brands on a Shared Identity Platform

Each sub-brand required its own look and feel. Perfsys customized login and registration pages, account screens, and email templates for each brand—while keeping a single shared identity platform behind the scenes.

This allowed the business to scale new brands without duplicating infrastructure or identity logic.

Building Security and Reliability Into the Identity Platform

Given the critical nature of energy infrastructure, cloud security and network isolation were built into every layer of the AWS-based identity platform.

Key measures included:

  • Administrative systems accessible only through private networks
  • Public exposure limited strictly to authentication endpoints
  • Clear separation between development, testing, and production environments
  • Use of proven industry security standards

This ensured the platform was secure for users and reliable for long-term operation.
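One way to check the "only authentication endpoints are public" rule, here and in the design section earlier, is a default-deny path policy for the internet-facing listener. This is an added example, not the client's or Perfsys's configuration: the public roots follow Keycloak's standard URL layout, while the realm name `customers`, the decision to keep the `master` realm private and the sample requests are assumptions.

```python
from urllib.parse import unquote

PUBLIC_ROOTS = {"realms", "resources"}   # assumed: login/token endpoints and static theme assets
ADMIN_REALM = "master"                   # assumed: the admin realm is reachable only privately

def publicly_routable(raw_path):
    """Default-deny decision for the public listener; True means forward to Keycloak."""
    path = unquote(raw_path.split("?", 1)[0])
    if not path.startswith("/") or path != unquote(path):
        return False                     # relative or double-encoded path: refuse rather than guess
    if any(ch in path for ch in "\\;") or any(ord(ch) < 0x20 for ch in path):
        return False                     # backslashes, path parameters, control characters
    segments = [s for s in path.split("/") if s]
    if not segments or any(s in (".", "..") for s in segments):
        return False                     # root page, or dot-segments that could re-target the request
    if segments[0] not in PUBLIC_ROOTS:
        return False                     # /admin, /metrics, /health and anything unknown stay private
    if segments[0] == "realms":
        return len(segments) >= 2 and segments[1] != ADMIN_REALM
    return True

# Constructed sample requests (not taken from the case study).
SAMPLES = [
    "/realms/customers/protocol/openid-connect/auth?client_id=portal",
    "/realms/customers/.well-known/openid-configuration",
    "/resources/abc12/login/brand-a/css/login.css",
    "/admin/master/console/",
    "/realms/master/protocol/openid-connect/token",
    "/realms/customers/../../admin/",
    "/realms/customers/%2e%2e/%2e%2e/admin/",
    "/realms/%252e%252e/admin",
    "/metrics",
    "/",
]

def audit(paths):
    """Map each requested path to the public-edge decision."""
    return {p: publicly_routable(p) for p in paths}

if __name__ == "__main__":
    for path, allowed in audit(SAMPLES).items():
        print("ALLOW" if allowed else "DENY ", path)
```

Ambiguous paths are rejected instead of normalized, so the edge never has to agree with the backend on how dot-segments or nested encodings are resolved.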

Business Impact of a Centralized Identity Platform

The new Keycloak SSO platform became a core component of the client’s digital ecosystem. As a result, the client achieved measurable improvements:

  • 30–40% reduction in login- and access-related support requests due to more reliable authentication, clearer communication, and improved admin tooling
  • 2–3× faster onboarding of new products and sub-brands by reusing a centralized identity and SSO architecture
  • Unified multiple brands and applications under one secure, AWS-based identity platform while maintaining strict security and environment separation

Client Feedback

The Head of Data Management shared their experience in a verified Clutch review:

“Perfsys has a perfect blend of technical expertise and creative flair. This is a serious and very reliable team. They were always responsive, easy to reach, and consistently proposed thoughtful solutions while working confidently with the latest cloud technologies.” — Head of Data Management, Energy Company, Luxembourg (Clutch Review, Mar 2023)

The client awarded Perfsys 5.0 out of 5 across all categories, including quality, schedule, cost, and willingness to refer.

FAQ

Is this type of solution only for large enterprises?

No. While this case involves an enterprise client, the same approach works very well for startups and SMBs that want to scale securely.

Why not use a fully managed login service?

Managed services are often limiting. This solution gave the client full control and flexibility without vendor lock-in.

How flexible is Keycloak for custom integrations?

Keycloak is highly extensible through its APIs and event system. Using the Keycloak API, Perfsys was able to build custom authentication flows, admin features, and integrations tailored to the client’s business needs.

Can this be adapted to other industries?

Yes. Similar identity platforms are commonly used in SaaS, fintech, healthcare, and e-commerce.

Does Perfsys handle long-term support?

Yes. Perfsys supports both project-based work and ongoing operations, depending on client needs.

Is this approach suitable for startups and SMBs?

Yes. While this case involves an enterprise client, Perfsys applies the same principles to help startups and SMBs build secure, scalable identity foundations early—without unnecessary complexity or cost.

Eugene Orlovsky

CEO & Founder | Serverless architect with 10+ years in distributed systems