
How My VPA Unified Access Management and Reduced Costs by 90% with AWS & Keycloak


Achievements: 10x user growth, 90% lower IAM costs, 5 weeks implementation


Introduction

When My VPA GmbH approached Perfsys over five years ago, their goal was clear — to build a secure, scalable, and cost-efficient identity management system for their SaaS platform. They needed to unify logins across multiple services while maintaining full control over user data.

Instead of relying on costly third-party solutions such as Auth0 or Okta, Perfsys implemented a custom AWS-hosted Keycloak solution. The result: complete data ownership, deep customization capabilities, and a system that has remained stable and efficient through years of growth.

Today, My VPA’s Keycloak-based IAM manages over 1,000 user accounts, runs in high availability mode across multiple AWS availability zones, and has supported the company’s 10× business growth since deployment.

About the Client

My VPA GmbH is a Cologne-based company founded in 2012 that provides virtual assistant services across the DACH region. Their platform connects businesses and entrepreneurs with remote professionals who handle administrative, marketing, and operational tasks.

With a network of over 160 assistants and 6,000+ projects completed, My VPA enables clients to scale their productivity through an innovative hybrid of technology and human expertise.

Learn more about their services at my-vpa.com.

Background

Originally, My VPA’s authentication process was fully custom — built on PHP and MySQL, where users’ credentials were stored directly in the application’s database. As the company expanded, it introduced new systems like ownCloud (for file sharing) and Matrix (for communication).

Each new system required separate logins, which quickly became difficult to manage. My VPA needed a centralized identity and access management (IAM) solution to unify authentication across all their platforms and deliver a seamless single sign-on (SSO) experience.

The Challenge

Before partnering with Perfsys, My VPA faced several core challenges:

Diagram showing My VPA’s fragmented identity systems and high SaaS IAM costs before Perfsys implementation.

  • Fragmented identity management: Clients and assistants logged in separately to multiple systems.
  • Data continuity: A large user base already existed in MySQL — re-registering thousands of users was not an option.
  • Scalability and security: They needed a future-proof, cloud-native solution.
  • Cost control: SaaS options like Auth0 and Okta offered flexibility but at a steep, recurring cost unsuitable for SMBs.

Why Keycloak over Auth0/Okta?

My VPA needed centralized SSO, full data ownership, and deep UI/flow customization without per-user licensing. We evaluated Auth0 and Okta, but a self-hosted Keycloak on AWS offered maximum customization, predictable costs, and seamless reuse of the existing MySQL user base via a custom federation provider.

Key Comparison Table of Leading IAM Solutions: Pricing, Deployment, and Target Audience Overview (October 2025)

| Aspect | Auth0 | Okta | Keycloak |
|---|---|---|---|
| Core Focus | Customer Identity & Access Management (CIAM), developer-friendly | Enterprise Workforce IAM, security & compliance | Open-source, fully customizable IAM |
| Pricing | Usage-based (MAU): Free ≤ 25K users, from $35/mo for 500 MAU; starts ≈ $1,500/year min; scales with growth | Subscription per user/year, custom enterprise tiers | Fixed operational cost ≈ $60/mo (AWS hosting + engineering); no per-user fees |
| Ease of Deployment | Managed SaaS, quick setup | Managed SaaS, enterprise-ready | Self-hosted or managed, requires technical expertise |
| Key Strengths | Rapid developer adoption; rich integrations | Strong security & compliance | Full control, deep customization, no licensing fees |
| Ideal For | Startups, SaaS, customer-facing apps | Large enterprises with strict compliance | Startups & SMBs wanting control, customization, open-source flexibility |

Pricing shown is indicative; actual costs vary by traffic, HA level, and region. We tailor a right-sized AWS setup for each client.

What This Means for SMBs & SaaS Teams

For companies needing customization and full control over identity data within their own AWS account, Keycloak offers a clear advantage. It delivers enterprise-grade SSO and IAM features while maintaining an average operational cost of just ≈ $60/month — with no per-user fees and no vendor lock-in.

Why Customization Matters

  • User Federation: Connect to existing databases (MySQL, LDAP, AD) — no re-registration needed
  • Flexible Flows: Configure MFA and access policies per application
  • Branding: Customize login screens and email templates to fit your UX
  • Extensibility: Add custom providers for MFA, brokers, or integrations

In My VPA’s case, a custom user-federation module allowed seamless reuse of their existing MySQL user base, providing single sign-on across their web app, ownCloud, and Matrix — with zero user disruption.

Our Approach

Phase 1 – Architecture Design

Perfsys designed a robust AWS-based IAM architecture using:

  • Amazon EKS (Kubernetes) for hosting Keycloak in high availability mode (two AWS availability zones)
  • Amazon RDS (MySQL) for secure, persistent data storage
  • Amazon EC2 instances to power workloads efficiently
  • Application Load Balancers (ALB) for routing and fault tolerance
  • AWS CodeCommit for version control and maintainability

Architecture diagram of My VPA’s AWS-based Keycloak IAM system designed by Perfsys using Amazon EKS, RDS, EC2, ALB, and CodeCommit for high availability and scalability.

Phase 2 – Implementation & Custom User Federation

My VPA didn’t want to migrate or recreate its large user database. To meet this need, Perfsys developed a custom Keycloak User Federation Provider — a specialized integration module that connected Keycloak directly to the existing MySQL database.

This allowed Keycloak to reuse and synchronize all user credentials automatically, ensuring zero disruption and preserving user continuity. It also demonstrated Keycloak’s flexibility as an open-source IAM platform.

For SMBs, this offers the same power as commercial tools like Auth0 — but at a fraction of the cost.
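
A federation provider does two things for the identity provider: it looks a user up in the existing store, and it validates a submitted password against the hash already stored there. The Python model below is an added example, not Perfsys's or Keycloak's code (Keycloak's real SPI is Java). The table layout, the PBKDF2 hash format, the provider id and the sample users are assumptions constructed for illustration, with in-memory SQLite standing in for MySQL.

```python
import hashlib, hmac, os, sqlite3

PROVIDER_ID = "legacy-mysql"   # hypothetical federation component id
ITERATIONS = 100_000           # assumed legacy PBKDF2 cost (constructed)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_legacy_db() -> sqlite3.Connection:
    """Constructed sample data; SQLite stands in for the existing MySQL user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
               " salt BLOB, pw_hash BLOB, active INTEGER)")
    for uid, name, pw, active in [(1, "alice", "correct horse", 1),
                                  (2, "bob", "hunter2", 0)]:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?,?,?,?,?)",
                   (uid, name, salt, _hash(pw, salt), active))
    return db

class LegacyUserFederation:
    """Simplified, read-only view of the legacy store: the IdP asks, the old table answers."""
    _DUMMY_SALT = os.urandom(16)

    def __init__(self, db: sqlite3.Connection):
        self.db = db

    def _row(self, username: str):
        # Parameterized query: the username arrives straight from the login form.
        return self.db.execute(
            "SELECT id, salt, pw_hash, active FROM users WHERE username = ?",
            (username,)).fetchone()

    def lookup(self, username: str):
        """Return an id in Keycloak's 'f:<provider>:<external id>' style, or None."""
        row = self._row(username)
        if row is None or not row[3]:
            return None
        return f"f:{PROVIDER_ID}:{row[0]}"

    def validate(self, username: str, password: str) -> bool:
        """Check the password against the legacy hash in place; nothing is migrated."""
        row = self._row(username)
        salt, stored = (row[1], row[2]) if row else (self._DUMMY_SALT, b"\x00" * 32)
        # Always hash and compare in constant time so unknown users cost the same as known ones.
        ok = hmac.compare_digest(_hash(password, salt), stored)
        return bool(row) and bool(row[3]) and ok
```

Disabled accounts and unknown usernames both fail closed, and the lookup never returns password material to the caller.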

Phase 3 – Integration with SaaS Applications

Keycloak now acts as the central identity provider across:

  • The main My VPA web application
  • ownCloud (file management)
  • Matrix (communication and collaboration)
  • The My VPA Academy (learning management / training platform)
  • The Assistant Wiki (internal knowledge base)

By federating authentication for these digital services, Keycloak enforces a unified Identity and Access Management (IAM) policy. All users authenticate through a single OAuth2/OIDC-based login flow, enabling seamless Single Sign-On (SSO) throughout the platform ecosystem. Session continuity is maintained via centrally managed access tokens, while security posture is significantly improved through standardized authentication policies, centralized credential governance, and consistent enforcement of password policies.

This unified architecture provides a true enterprise-grade IAM experience — one secure login grants contextual access to all services based on defined roles and permissions. The approach mirrors large-scale corporate identity platforms, but is implemented using a lightweight, cloud-native design aligned with AWS best practices.

System Architecture Diagram

My VPA AWS Keycloak IAM architecture by Perfsys showing ALB, EKS, RDS, and custom user federation flow.

Phase 4 – Testing, Deployment & Maintenance

  • Continuous integration and deployment (CI/CD) was implemented for the main web app; Keycloak updates are applied manually to preserve stability.
  • Regular Keycloak upgrades (from version 3.1 to 23) ensure ongoing security and performance.
  • The EKS and EC2 infrastructure is updated every 6–7 months, maintaining compliance and reliability.


Phase 5 – Ongoing Support and Optimization

Following the initial deployment, Perfsys has remained a long-term technology partner to My VPA, providing continuous operational support, maintenance, and optimization of the Keycloak-based IAM system.

Over the past five years, the Perfsys team has performed a consistent cadence of improvements and monitoring activities:

  • Regular Kubernetes and EC2 Upgrades: The EKS cluster and EC2 nodes are upgraded every 6–7 months to maintain compatibility with the latest AWS infrastructure, improve performance, and ensure security compliance.

  • Major Keycloak Upgrade (v3.1 → v23): Each new version required thorough compatibility testing with My VPA’s existing PHP web application and user federation logic. Perfsys executed every upgrade without service downtime, validating that authentication, SSO, and database integrations remained stable.

  • Proactive Security and Performance Monitoring: Continuous observability using AWS CloudWatch and custom logging ensures real-time detection of anomalies and proactive resolution before they affect end users. Access control policies are periodically reviewed and refined.

  • High-Availability and Backup Validation: The Keycloak deployment runs in two AWS availability zones with RDS multi-AZ replication and daily automated backups. Perfsys periodically performs disaster recovery tests to confirm data integrity and restore reliability.

  • Scalability Reviews and Resource Tuning: As My VPA’s user base grew 10×, Perfsys optimized RDS instance sizing, CPU allocation, and EKS node groups — maintaining sub-second authentication response times while keeping costs minimal.

  • DevOps and CI/CD Governance: While Keycloak updates are manually validated, Perfsys manages CI/CD pipelines for other components (e.g., the My VPA web app) through AWS CodePipeline and CodeCommit, ensuring consistent delivery processes.

  • Knowledge Transfer and Documentation: Detailed internal documentation and architectural diagrams are maintained to simplify onboarding of new engineers at My VPA and ensure operational transparency.

This ongoing collaboration ensures that My VPA continues to benefit from an up-to-date, secure, and cost-efficient IAM system with predictable maintenance costs and no dependency on external SaaS vendors.

Results

Quantitative Outcomes

  • Implementation time: ~5 weeks
  • Operational lifetime: 5+ years in continuous production
  • User base growth: 10× increase with zero performance loss
  • Keycloak version upgrades: From v3.1 → v23
  • Cost efficiency: ≈$2/day (≈$60/month) vs. hundreds per month for Auth0/Okta
  • AWS services implemented: 6 core AWS services — EKS, RDS, EC2, Application Load Balancer (ALB), CodeCommit, and CloudWatch — plus supporting IAM, S3, and networking components
  • Availability: Multi-AZ high-availability setup within AWS

Client Feedback

Company representatives took time to share their experience in a verified Clutch review:

“They are proactive and have creative ideas on how to approach the very unique set we have in our company” — ex-CEO, my-vpa GmbH, Koeln, Germany (Clutch Review, Jun 2020)

The client awarded Perfsys 5.0 out of 5 across all categories: quality, schedule, cost, and willingness to refer.

Conclusion

The My VPA project demonstrates how a well-designed open-source IAM system can rival and outperform proprietary SaaS offerings.

By deploying Keycloak on AWS, Perfsys helped My VPA:

  • Achieve 10× user growth over five years without a single data migration.
  • Cut IAM costs by over 90% compared to commercial solutions.
  • Maintain 99.99% uptime and five successful Keycloak version upgrades.
  • Simplify access management across multiple SaaS tools with centralized SSO.

For SMBs and SaaS providers, this case proves that enterprise-level identity management doesn’t require enterprise-level pricing. Compared to managed CIAM platforms, Keycloak provided the customization and cost profile My VPA needed, without sacrificing enterprise-grade security.

FAQ

What is Keycloak?

Keycloak is an open-source identity and access management (IAM) solution developed by Red Hat. It enables single sign-on (SSO), user federation, role-based access control (RBAC), and multi-factor authentication (MFA) — all from a self-hosted environment. It’s designed for organizations that want enterprise-grade security and flexibility without vendor lock-in.

What is Keycloak used for?

Keycloak is primarily used to centralize authentication and authorization for multiple applications and services. It allows users to log in once and access different systems securely — whether web apps, APIs, or third-party tools. In My VPA’s case, Keycloak manages user access across their web platform, ownCloud file system, and Matrix communication tools, creating a seamless SSO experience.

Is Keycloak free?

Yes. Keycloak is completely free and open-source, licensed under the Apache License 2.0. There are no per-user or subscription costs — only the infrastructure expenses associated with hosting (for example, AWS EKS, RDS, or EC2). This makes it a cost-effective alternative to commercial identity providers like Auth0 or Okta, which charge per user or per login.

How does Keycloak work?

Keycloak acts as a central authentication server. When a user logs in, Keycloak validates their credentials, issues secure tokens (OIDC or SAML), and manages access to connected applications. It can integrate with external databases or identity providers (LDAP, Active Directory, custom MySQL, etc.) through user federation — exactly what Perfsys built for My VPA to reuse their existing user database without migration.

Why choose Keycloak instead of Auth0 or Okta?

Keycloak offers comparable enterprise features — SSO, MFA, user federation, and fine-grained access control — without recurring SaaS fees. It’s open-source, fully customizable, and hosted in your own AWS account, giving you total control over data, compliance, and costs.

Was data migration required for My VPA?

No. Perfsys developed a custom Keycloak User Federation Provider that connected directly to My VPA’s existing MySQL user database. This allowed the company to reuse all existing accounts seamlessly without forcing re-registration.

How is availability ensured?

Keycloak runs on AWS EKS (Kubernetes), distributed across multiple availability zones. AWS RDS manages the database layer with automated backups, and Application Load Balancers ensure fault-tolerant routing.

How often is Keycloak updated?

Perfsys performs regular updates — typically every 6–7 months — to keep Keycloak and Kubernetes in sync with AWS standards and to apply the latest security patches.

Who benefits from this solution?

  • SMBs seeking a cost-efficient way to unify authentication across tools and services.
  • SaaS providers and ISVs needing a scalable, customizable identity system hosted securely in their own AWS environment.

How can I get started with a similar solution?

If your organization wants to modernize authentication, integrate Keycloak, or reduce IAM costs, contact Perfsys for a consultation.


Eugene Orlovsky

CEO & Founder | Serverless architect with 10+ years in distributed systems