
Legacy systems did not match a modern government
The Austrian Business Service Portal (USP) is the central online eGovernment platform for entrepreneurs and businesses. It connects businesses with various Austrian online government services, where businesses can access all digital services and information in one place.
The USP was launched in 2010 by the Austrian Federal Computing Center (BRZ, abbreviated from the German name Bundesrechenzentrum). The BRZ is the market-leading eGovernment partner of the Austrian federal administration and both develops and operates the portal. The USP is a service provided by the Federal Chancellery of Austria (Bundeskanzleramt), which is responsible for its strategic direction and coordination.
Since 2012, the technical architecture behind the portal's core features had stayed the same, while the number of users and logins multiplied. Today, USP has around 650,000 registered organizations, over 2 million registered users, and approximately 50,000 logins per day. It provides access to over 130 digital public services and supplies business identification and representation data to every major public administration stakeholder in Austria.
Because USP is becoming the central point of access not only to optional services but also to the legal obligations of businesses, expectations of availability and reliability are rising fast. Both business users and public service owners rely on the data provided by USP.
The legacy system no longer met these demands. It also lacked core functionality such as OpenID Connect support and extensibility through custom code. The software followed a monolithic approach, which BRZ wanted to replace with a more modern, service-oriented one.
To meet these expectations and legal requirements, and to prepare for future ones, USP replaced its key component, access management. This brought the following challenges:
- Changing the underlying architecture from legacy monolithic to microservices
- High level of customization in the legacy system
- Coordination of over 130 service providers
- In-place migration with minimal service impairment, because of the importance of the integrated applications and the legal obligations of the users
- Setting up the CI/CD pipeline and adapting the engineering and operations processes, including a change of culture and responsibilities towards DevOps
- Implementing a cloud-native approach by applying configuration through Kubernetes objects and CRDs
Developing a solution
The most important feature of the USP solution is the ability to switch a session between companies without re-authenticating the user. To achieve the project goal, this proprietary functionality had to work with the evaluated product as well.
During product evaluation, Keycloak stood out as the most promising candidate because it can be used as an extensible framework, not only as a product with fixed functionality. BRZ started with a simple Keycloak configuration and expanded it to fit USP's needs.
BRZ split the integration into four parts, covering the challenges listed above, to speed up and parallelize development:
CI/CD and cloud native
BRZ integrated the Keycloak administration API into its Tekton CI/CD environment. Stage-independent configuration is kept in JSON files and run through linting steps before it is applied, which automates the rollout and reduces configuration errors to a minimum. Because all configuration lives in BRZ's internal Git repository, changes are transparent, and rollbacks are simple and fast.
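The linting step is where security-relevant mistakes in a realm export are cheapest to catch. The following is an added example of such a check, not BRZ's pipeline code: it parses a Keycloak realm export in the format the admin API accepts and flags settings a practitioner would not want to reach production (TLS not required, brute-force protection off, an over-long access token lifetime, a client secret committed to Git, bare-wildcard redirect URIs or web origins, the implicit flow, and the password grant). The field names are those of the Keycloak realm representation; the sample realm, the rule set and the 900-second lifetime limit are constructed for this example.

```python
"""Lint a Keycloak realm export (JSON) before a CI/CD step applies it.

Added example, not BRZ's pipeline code. Field names follow the Keycloak
realm representation; the sample realm and the policy values are
constructed for illustration.
"""
import json

# Policy value assumed for this example: access tokens may live at most 15 minutes.
MAX_ACCESS_TOKEN_LIFESPAN = 900

# Constructed realm export containing several weak settings on purpose.
SAMPLE_REALM_JSON = json.dumps({
    "realm": "usp-example",
    "sslRequired": "none",
    "bruteForceProtected": False,
    "accessTokenLifespan": 86400,
    "clients": [
        {
            "clientId": "service-a",
            "publicClient": False,
            "secret": "not-a-real-secret",          # should come from the stage's secret store
            "redirectUris": ["https://service-a.example/*"],
            "standardFlowEnabled": True,
            "implicitFlowEnabled": False,
            "directAccessGrantsEnabled": False,
        },
        {
            "clientId": "legacy-portal",
            "publicClient": True,
            "redirectUris": ["*"],
            "webOrigins": ["*"],
            "standardFlowEnabled": True,
            "implicitFlowEnabled": True,
            "directAccessGrantsEnabled": True,
        },
    ],
})


def lint_realm(realm: dict) -> list[str]:
    """Return human-readable findings; an empty list means the export passes."""
    findings = []

    # Realm-wide settings.
    if realm.get("sslRequired") != "all":
        findings.append(f"realm: sslRequired is {realm.get('sslRequired')!r}, expected 'all'")
    if not realm.get("bruteForceProtected", False):
        findings.append("realm: bruteForceProtected is disabled")
    lifespan = realm.get("accessTokenLifespan", 0)
    if lifespan > MAX_ACCESS_TOKEN_LIFESPAN:
        findings.append(f"realm: accessTokenLifespan {lifespan}s exceeds {MAX_ACCESS_TOKEN_LIFESPAN}s")

    # Per-client settings.
    for client in realm.get("clients", []):
        cid = client.get("clientId", "<unnamed>")
        if "secret" in client:
            findings.append(f"client {cid}: secret is committed in the export; inject it at deploy time")
        for uri in client.get("redirectUris", []):
            # A bare '*' accepts any redirect target; plain http leaks codes in transit.
            if uri == "*" or not uri.startswith("https://"):
                findings.append(f"client {cid}: redirect URI {uri!r} is a bare wildcard or not https")
        if "*" in client.get("webOrigins", []):
            findings.append(f"client {cid}: webOrigins allows any origin")
        if client.get("implicitFlowEnabled"):
            findings.append(f"client {cid}: implicit flow enabled")
        if client.get("directAccessGrantsEnabled"):
            findings.append(f"client {cid}: direct access grants (password flow) enabled")
    return findings


def lint_realm_text(text: str) -> list[str]:
    """Parse an export file's contents and lint it; raises on invalid JSON."""
    return lint_realm(json.loads(text))


if __name__ == "__main__":
    for finding in lint_realm_text(SAMPLE_REALM_JSON):
        print("FAIL", finding)
```

In a pipeline, a non-empty finding list fails the lint task, and only a clean export is pushed to the Keycloak admin REST API in the following task; this example stops at the lint result and does not contact a server.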
Legacy system customizations
To bring the company-switching functionality into Keycloak, BRZ developed a Keycloak plugin called “DOTS”, which stands for “Dynamic Object Transformation Services”. It extends existing Keycloak sessions by applying JSON Patch operations. The plugin itself is extensible: additional functionality is provided by external microservices, so it can be adapted to future customer needs.
The plugin automatically passes the user information and the associated business data to the requested service. This includes company name, location, and address, as well as keys such as the tax identification number and VAT number.
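The following is an added example of the idea in the text, a company switch expressed as an RFC 6902 JSON Patch against a live session; it is not the DOTS plugin and makes no claim about how DOTS is implemented internally. It adds the check a practitioner would want in such a design: the patch may only rewrite the business-context subtree of the session, never identity or authorization claims, and the user may only switch to a company they are entitled to represent. The session document, the company directory (standing in for an external microservice) and the allowlist of patchable paths are constructed for this example.

```python
"""Company switch on an existing session, modelled as an RFC 6902 JSON Patch.

Added example; not BRZ's DOTS plugin. The allowlist, the session layout and
the company directory below are assumptions made for illustration.
"""
import copy


class PatchError(ValueError):
    """Malformed patch, failed 'test' op, or an op outside the allowed subtree."""


# Only the business-context subtree may be rewritten by a company switch.
# Identity ('sub'), 'roles' and the entitlement list stay untouched.
PATCHABLE_PREFIXES = ("/company",)


def _tokens(pointer: str) -> list[str]:
    """Split an RFC 6901 JSON pointer into unescaped reference tokens."""
    if not pointer.startswith("/"):
        raise PatchError(f"bad pointer {pointer!r}")
    return [t.replace("~1", "/").replace("~0", "~") for t in pointer[1:].split("/")]


def _locate(doc: dict, pointer: str):
    """Return (parent object, last token); this example handles object members only."""
    tokens = _tokens(pointer)
    node = doc
    for t in tokens[:-1]:
        if not isinstance(node, dict) or t not in node:
            raise PatchError(f"no such member {pointer!r}")
        node = node[t]
    if not isinstance(node, dict):
        raise PatchError(f"parent of {pointer!r} is not an object")
    return node, tokens[-1]


def _allowed(pointer: str) -> bool:
    return any(pointer == p or pointer.startswith(p + "/") for p in PATCHABLE_PREFIXES)


def apply_patch(doc: dict, ops: list[dict]) -> dict:
    """Apply add/replace/remove/test operations to a copy of doc, enforcing the allowlist."""
    result = copy.deepcopy(doc)
    for op in ops:
        path = op["path"]
        if not _allowed(path):
            raise PatchError(f"{path!r} is outside the patchable session area")
        parent, key = _locate(result, path)
        kind = op["op"]
        if kind == "test":
            if key not in parent or parent[key] != op["value"]:
                raise PatchError(f"test failed at {path!r}")
        elif kind == "add":
            parent[key] = op["value"]
        elif kind == "replace":
            if key not in parent:
                raise PatchError(f"replace of missing {path!r}")
            parent[key] = op["value"]
        elif kind == "remove":
            if key not in parent:
                raise PatchError(f"remove of missing {path!r}")
            del parent[key]
        else:
            raise PatchError(f"unsupported op {kind!r}")
    return result


def patch_rejected(doc: dict, ops: list[dict]) -> bool:
    """True if apply_patch refuses the patch; used to show the guard working."""
    try:
        apply_patch(doc, ops)
    except PatchError:
        return True
    return False


# Constructed session as it might look after login: identity, roles, the
# company currently acted for, and the companies the user may represent.
SESSION = {
    "sub": "user-4711",
    "roles": ["usp-user"],
    "company": {"name": "Muster GmbH", "vat": "ATU12345678", "location": "Wien"},
    "representable_companies": ["ATU12345678", "ATU87654321"],
}

# Constructed stand-in for the external microservice that resolves business data.
COMPANY_DIRECTORY = {
    "ATU87654321": {"name": "Beispiel AG", "vat": "ATU87654321", "location": "Graz"},
}


def can_switch(session: dict, target_vat: str) -> bool:
    """Entitlement check: the user must be allowed to represent the target company."""
    return target_vat in session["representable_companies"]


def switch_company(session: dict, target_vat: str) -> dict:
    """Build and apply the switch patch; the user is not re-authenticated."""
    if not can_switch(session, target_vat):
        raise PatchError(f"user may not represent {target_vat}")
    ops = [
        # 'test' guards against a concurrent switch having changed the session already.
        {"op": "test", "path": "/company/vat", "value": session["company"]["vat"]},
        {"op": "replace", "path": "/company", "value": COMPANY_DIRECTORY[target_vat]},
    ]
    return apply_patch(session, ops)


if __name__ == "__main__":
    print(switch_company(SESSION, "ATU87654321")["company"])
```

The `test` operation before the `replace` is what makes the switch safe against two concurrent switch requests on the same session: the second one fails instead of silently overwriting the first.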
Enable and extend monitoring
Logging, metrics, and tracing data are crucial for every DevOps team. Keycloak provides all of this out of the box; BRZ nevertheless extended Keycloak's metrics with a separate plugin, which is available as open source. The data is used for alerting in Zabbix and for a quick overview in Grafana dashboards, and Tempo with OpenTelemetry is used to visualize traces across all services.
Switch to container solutions
To use Keycloak's integrated high-availability features, Helm charts were integrated into the CI/CD platform. Multiple pods, deployed through a StatefulSet, run on a Kubernetes container platform, which lets the solution scale dynamically without downtime.
Impact of the migration
The migration to Keycloak allowed BRZ to remove the limits of the old functionality and to implement formerly proprietary functionality with open standards. Keycloak's configuration API simplified and sped up updating and extending the authentication platform. Plugins supplied the features that were still needed, such as metrics for monitoring and tracing for support cases.
From the user's perspective, the authentication process looks nearly the same but is more stable and resource-efficient than the old solution. Under the hood, additional features such as login representation were implemented and will be activated in the future. Keycloak's templating support allows quick changes to USP's corporate design.
Keycloak's cloud-native approach makes it easy for BRZ to adapt its solution to the container world and to keep pace with the latest security and authentication standards in the SSO world.
By the numbers
- 2+ million users for 130+ public services
- Near-zero downtime for deployments through GitOps
- Over 30 deployments a month instead of one