External IAM for Open edX AuthN vs. AuthZ—Architectural Considerations

Hello everyone,

We need architectural advice on integrating an external IAM like Keycloak with Open edX.

Core Question: Should we use Keycloak only for Authentication (SSO), leaving all Authorization (permissions/roles) inside Open edX? Or should we delegate AuthZ to Keycloak’s Authorization Services?

Critical Concerns while using an external IAM for authorization?

We need to understand the impact on:

  • Granularity: Can external IAM manage complex, course-level roles effectively?

  • Performance: Will external AuthZ checks introduce significant latency to Open edX access requests?

  • Data Sync: How do we reliably synchronize external IAM groups/roles into the Open edX user database for reporting and internal features?

  • Maintenance: What is the long-term cost when upgrading or maintaining this complex integration?

Any real-world experience, insights or best practices are highly appreciated!

Thank you!

@roop I am not an expert in this domain. Just sharing what I know.

The edx-platform fully depends on the Django User and the roles defined in the platform for all of the functionality. So, even when user provisioning is done via SSO, there are still Django User objects that, let's say, "carry the workload". And roles themselves aren't easy to customize. So, there is work currently underway from the product team to bring in changes that make some of these things easier. See: https://openedx.atlassian.net/wiki/spaces/OEPM/pages/4724490259/PRD+Roles+Permissions
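The "Data Sync" concern in the question and the reply's point that roles still have to live in the platform both come down to the same mechanism: on each SSO login, translate the IdP's group claims into local course-level roles and reconcile them against what the platform already stores. The following is an added example illustrating that reconciliation; it is not code from either poster, from edx-platform, or from Keycloak. The group-path convention `/openedx/courses/<course_key>/<role>`, the `ALLOWED_ROLES` list, the in-memory `RoleStore` (a stand-in for the Django-backed role storage the reply refers to) and the sample claims are all assumptions constructed for the example.

```python
import re
from typing import Dict, NamedTuple, Optional, Set, Tuple

# Hypothetical group-path convention for this example (not an Open edX or
# Keycloak standard): /openedx/courses/<course_key>/<role>
GROUP_PATTERN = re.compile(
    r"^/openedx/courses/(?P<course>course-v1:[^/]+\+[^/]+\+[^/]+)/(?P<role>[a-z_]+)$"
)

# Roles this sync is allowed to grant. Anything else found in a claim is
# ignored, so a mistake in the IdP group mapping cannot hand out a role such
# as global_staff that was never meant to be IdP-managed.
ALLOWED_ROLES = frozenset({"staff", "instructor", "beta_testers"})


class CourseRole(NamedTuple):
    course_id: str
    role: str


def roles_from_claims(claims: dict) -> Optional[Set[CourseRole]]:
    """Translate the 'groups' claim of a token into course-level roles.

    Returns None when the claim is absent altogether. That usually means the
    IdP mapper is misconfigured; treating it as "no groups" would silently
    revoke every synced role on the next login, so the caller must decide.
    """
    groups = claims.get("groups")
    if groups is None:
        return None
    roles: Set[CourseRole] = set()
    for path in groups:
        m = GROUP_PATTERN.match(path)
        if m and m["role"] in ALLOWED_ROLES:
            roles.add(CourseRole(m["course"], m["role"]))
    return roles


def reconcile(current: Set[CourseRole],
              desired: Set[CourseRole]) -> Tuple[Set[CourseRole], Set[CourseRole]]:
    """Compute (grant, revoke) so that `current` becomes `desired`.

    Revocation is the security-relevant half: a user dropped from the IdP
    group must lose the local role, otherwise the platform keeps granting
    access the IdP has already withdrawn.
    """
    return desired - current, current - desired


# Stand-in for the platform's role table (assumption): username -> roles.
RoleStore = Dict[str, Set[CourseRole]]


def sync_user(store: RoleStore, username: str,
              claims: dict) -> Tuple[Set[CourseRole], Set[CourseRole]]:
    """Apply IdP group membership to the local store; return what changed."""
    desired = roles_from_claims(claims)
    if desired is None:
        # Fail closed on the sync itself rather than mass-revoking roles.
        raise ValueError(f"{username}: token carries no 'groups' claim; refusing to sync")
    current = store.setdefault(username, set())
    grant, revoke = reconcile(current, desired)
    current |= grant
    current -= revoke
    return grant, revoke


COURSE_A = "course-v1:OrgX+CS101+2024_T1"   # constructed course key
COURSE_B = "course-v1:OrgX+CS201+2024_T1"   # constructed course key


def demo() -> RoleStore:
    """Two logins for one user with constructed Keycloak-style group paths."""
    store: RoleStore = {}
    # First login: staff on CS101, instructor on CS201; one malformed path ignored.
    sync_user(store, "alice", {"groups": [
        f"/openedx/courses/{COURSE_A}/staff",
        f"/openedx/courses/{COURSE_B}/instructor",
        "/openedx/courses/not-a-course-key/staff",
    ]})
    # Second login: alice was removed from the CS201 group, and a stray
    # global_staff path is present but not in ALLOWED_ROLES, so it is ignored.
    sync_user(store, "alice", {"groups": [
        f"/openedx/courses/{COURSE_A}/staff",
        f"/openedx/courses/{COURSE_A}/global_staff",
    ]})
    return store


if __name__ == "__main__":
    print(demo())
```

Two design choices are worth keeping whatever the real persistence layer is: the allow-list of roles bounds what a compromised or misconfigured IdP can grant, and the distinction between an absent `groups` claim and an empty one prevents a mapper outage from turning into a mass revocation. In a real integration the reconcile step would run inside the SSO pipeline and write to the platform's own role storage, and the `grant`/`revoke` sets are what you would log for audit.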