Implementing Keycloak SSO on AWS for a Large Energy Customer Platform

Introduction

The client is a leading energy distribution company in Western Europe, operating across multiple markets and serving a large consumer base. As part of its digital strategy, the company provides a customer-facing online platform where users securely access energy consumption data, billing information, and account settings.

The platform supports multiple customer-facing sub-brands, each with its own digital experience, while relying on shared backend systems. As the number of users, brands, and digital products grew, the existing login solution could no longer scale. The company needed a centralized, secure, and future-proof way to manage customer identities across all applications.

Why the Existing Login Setup Could Not Scale

As the company's digital services grew, managing user logins became increasingly complex. The main challenges were:

• No single, central system to manage customer logins across all products
• Different types of users (customers and internal administrators) with very different access needs
• Limited functionality in the existing login system
• High security requirements due to the sensitive nature of energy and customer data
• Growing operational effort for support and IT teams

The client needed reliable identity management services that could support multiple brands, strict security requirements, and future digital products from a single platform.

Choosing an Open Source SSO Foundation for Long Term Growth

The client selected Keycloak, an open-source identity and login platform, as the foundation of their solution.

Key reasons included:

• Strong security and broad industry adoption
• No dependency on a single software vendor
• Support for modern login standards like OAuth 2.0 and OpenID Connect
• High flexibility for customization and extension

Keycloak provided the foundation for an open source SSO solution, giving the client full control over authentication, customization, and long-term scalability without relying on proprietary software.

By using Keycloak, the client gained full control over authentication, customization, and scalability — without relying on proprietary SaaS tools. This is where Perfsys joined the project.

Designing a Centralized Identity Platform on AWS

Perfsys worked closely with the client to design and implement a centralized Keycloak SSO platform on AWS for all customer-facing applications.

Perfsys specializes in identity management services, including Keycloak deployment and SSO integrations on AWS, helping companies build secure and scalable login systems without vendor lock-in.

The solution was hosted on AWS and designed to be:

• Scalable as user numbers grow
• Secure by design
• Easy to extend for new products and brands

Following AWS VPC security best practices , administrative access was isolated in private networks, while only the required authentication endpoints were exposed publicly.

What Perfsys Delivered

1. Unifying Multiple Customer Portals Under One Login

Perfsys transformed Keycloak into a single, shared login system for all customer-facing applications. Customers can now use one account across multiple services and brands.

For the business, this simplified identity architecture enabled faster product launches, fewer integration issues, and a scalable foundation for future growth.

2. Reducing Support Effort With Better Identity Administration

Out-of-the-box admin tooling was not sufficient for enterprise-scale operations. Perfsys extended the Keycloak admin interface with custom components built on the Keycloak API.

Support teams gained better visibility into user accounts, clearer account states, and faster issue resolution — significantly reducing manual work and operational overhead.

3. Enabling Secure User Support Without Compromising Security

To support customers effectively, administrators sometimes need to view the system from a user's perspective. Perfsys implemented a secure impersonation capability that allows authorized admins to temporarily access customer accounts.

This improved support efficiency while maintaining strict security boundaries between internal systems and public-facing portals.

4. Implementing MFA Without Disrupting the Login Experience

Security was a top priority, but usability was equally important. Perfsys implemented a balanced MFA approach:

• Users receive a one-time email code when logging in from a new device
• Trusted devices do not require repeated verification
• Strong security without unnecessary login friction

This significantly improved account protection while preserving a smooth user experience.

5. Improving Customer Trust Through Branded Identity Communication

Standard email notifications were not sufficient for a multi-brand customer platform. Perfsys redesigned identity-related communication to be clear, branded, and consistent.

Customers now receive easy-to-understand, brand-specific emails for actions like password expirations, required updates, and policy changes. Web-based versions of these emails can also be opened in a browser, improving clarity and trust.

6. Supporting Multiple Brands on a Shared Identity Platform

Each sub-brand required its own look and feel. Perfsys customized login and registration pages, account screens, and email templates for each brand — while keeping a single shared identity platform behind the scenes.

This allowed the business to scale new brands without duplicating infrastructure or identity logic.

Thinking about modernizing your identity platform?

If your team is managing complex login flows, multiple products, or increasing security requirements, Perfsys helps design and extend secure SSO and identity platforms on AWS. From Keycloak customization to full identity architecture, we support teams in building solutions that scale with their business.

Talk to our team about your identity setup

Talk to Our Team

Building Security and Reliability Into the Identity Platform

Given the critical nature of energy infrastructure, cloud security and network isolation on AWS were built into every layer of the AWS-based identity platform.

Key measures included:

• Administrative systems accessible only through private networks
• Public exposure limited strictly to authentication endpoints
• Clear separation between development, testing, and production environments
• Use of proven industry security standards

This ensured the platform was secure for users and reliable for long-term operation.

Business Impact of a Centralized Identity Platform

The new Keycloak SSO platform became a core component of the client's digital ecosystem. As a result, the client achieved measurable improvements:

• 30–40% reduction in login- and access-related support requests due to more reliable authentication, clearer communication, and improved admin tooling
• 2–3× faster onboarding of new products and sub-brands by reusing a centralized identity and SSO architecture
• Unified multiple brands and applications under one secure, AWS-based identity platform while maintaining strict security and environment separation

Client Feedback

The Head of Data Management shared their experience in a verified Clutch review :

"Perfsys has a perfect blend of technical expertise and creative flair. This is a serious and very reliable team. They were always responsive, easy to reach, and consistently proposed thoughtful solutions while working confidently with the latest cloud technologies."
— Head of Data Management, Energy Company, Luxembourg (Clutch Review, Mar 2023)

The client awarded Perfsys 5.0 out of 5 across all categories, including quality, schedule, cost, and willingness to refer.

Eugene Orlovsky

CEO & Founder | Serverless architect with 10+ years of hands-on experience designing cloud-native architectures on AWS, backed by multiple AWS certifications. He is writing bridges deep technical expertise with real-world business strategy, covering topics from AWS best practices to scaling tech-driven organizations.