diff --git a/.envrc.template b/.envrc.template
index 3b08199b2..9fa0cc1fa 100644
--- a/.envrc.template
+++ b/.envrc.template
@@ -55,14 +55,6 @@ export SECRET_KEY_BASE=$(openssl rand -base64 48)
 ## Used by Erlang (only required in production)
 # export RELEASE_COOKIE=
-## AWS Cognito Authentication/authorization details (only required in production)
-# export COGNITO_DOMAIN
-# export COGNITO_CLIENT_ID
-# export COGNITO_CLIENT_SECRET
-# export COGNITO_USER_POOL_ID
-# export COGNITO_AWS_REGION
-# export GUARDIAN_SECRET_KEY
-
 ## CDN details (only required in production)
 # export STATIC_SCHEME
 # export STATIC_HOST
diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md
index 98051909a..0ff19cd37 100644
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@@ -35,4 +35,4 @@ Skate is read-only, so it only needs to ingest data and present it. Skate uses t
 ## Authentication
-Skate's authentication uses AWS Cognito as a middleman to manage interaction with Active Directory (using federated services). The actual login page the user interacts with is hosted by Active Directory, you use your same username and password as your email. We could someday add levels of authorization using groups in Cognito, but don't at this time.
+Skate's authentication uses Keycloak as a middleman to manage interaction with Active Directory (using federated services). The actual login page the user interacts with is hosted by Active Directory, you use your same username and password as your email. We could someday add levels of authorization using groups in Keycloak and/or Active Directory, but don't at this time.
diff --git a/config/config.exs b/config/config.exs
index 2040b26fd..a043708bd 100644
--- a/config/config.exs
+++ b/config/config.exs
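Review bot: Dropping `# export GUARDIAN_SECRET_KEY` together with the six COGNITO_* lines removes the template's only mention of a variable that is still read after this change, since config/runtime.exs keeps `config :skate, SkateWeb.AuthManager, secret_key: System.get_env("GUARDIAN_SECRET_KEY")`. The Guardian key is presumably the signing secret for the app's own session tokens and is not tied to the Cognito provider being removed, so a fresh production deploy following the template would end up with a nil secret. I would keep the line in the template under its own heading, e.g. `## Guardian session-token signing key (only required in production)` followed by `# export GUARDIAN_SECRET_KEY`. If the key is provisioned by another mechanism in production this is harmless, but the template is where a new operator looks first.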
@@ -142,9 +142,8 @@ config :logger, :console,
 format: "$time [$level] $metadata$message\n",
 metadata: [:mfa, :request_id]
-# "code" is the secret value returned by AWS to /auth/cognito/callback
 log_filter_params =
- ~w(password code token guardian_default_claims guardian_default_resource guardian_default_token)
+ ~w(password token guardian_default_claims guardian_default_resource guardian_default_token)
 config :logster, :filter_parameters, log_filter_params
@@ -153,10 +152,9 @@ config :phoenix, :filter_parameters, log_filter_params
 # Use Jason for JSON parsing in Phoenix
 config :phoenix, :json_library, Jason
-# Fake Cognito authentication
+# Fake Keycloak authentication
 config :ueberauth, Ueberauth,
 providers: [
- cognito: nil,
 keycloak: nil
 ]
diff --git a/config/dev.exs b/config/dev.exs
index badc670df..2201aa3ac 100644
--- a/config/dev.exs
+++ b/config/dev.exs
@@ -47,7 +47,6 @@ config :ex_aws,
 config :ueberauth, Ueberauth,
 providers: [
- cognito: {Skate.Ueberauth.Strategy.Fake, [groups: ["skate-dispatcher", "skate-admin"]]},
 keycloak: {Skate.Ueberauth.Strategy.Fake, [groups: ["skate-readonly", "skate-dispatcher", "skate-admin"]]}
diff --git a/config/prod.exs b/config/prod.exs
index 56d2ff6c9..98ea3b9bf 100644
--- a/config/prod.exs
+++ b/config/prod.exs
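Review bot: Removing `code` from `log_filter_params` means the OIDC authorization code will now be written in cleartext to the Logster and Phoenix request logs, because the Keycloak callback served by `Ueberauth.Strategy.Oidcc` (an authorization-code-flow strategy, as far as I can tell) receives the same `code` query parameter the Cognito callback did; only the comment was Cognito-specific, not the parameter. An authorization code is short-lived and single-use, but combined with the client secret it is sufficient to mint tokens and it should not land in log storage. I would keep the entry and just generalize the comment: `# "code" is the OAuth2/OIDC authorization code returned to the auth callback` above `~w(password code token guardian_default_claims guardian_default_resource guardian_default_token)`. Adding `state` to the list is also worth considering, since it is a per-login anti-CSRF value, though it is less sensitive than the code.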
@@ -51,20 +51,13 @@ config :logger, :console,
 format: "$time [$level] node=$node $metadata$message\n",
 metadata: [:mfa, :request_id]
-# Configure Ueberauth to use Cognito / Keycloak
+# Configure Ueberauth to use Keycloak
 config :ueberauth, Ueberauth,
 providers: [
- cognito: {Ueberauth.Strategy.Cognito, []},
 keycloak: {Ueberauth.Strategy.Oidcc, userinfo: true, uid_field: "email", scopes: ~w(openid email)}
 ]
-config :ueberauth, Ueberauth.Strategy.Cognito,
- auth_domain: {System, :get_env, ["COGNITO_DOMAIN"]},
- client_id: {System, :get_env, ["COGNITO_CLIENT_ID"]},
- user_pool_id: {System, :get_env, ["COGNITO_USER_POOL_ID"]},
- aws_region: {System, :get_env, ["COGNITO_AWS_REGION"]}
-
 config :ex_aws, json_codec: Jason
 config :ehmon, :report_mf, {:ehmon, :info_report}
diff --git a/config/runtime.exs b/config/runtime.exs
index ccde92897..1813d9551 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -20,9 +20,6 @@ config :skate, Skate.OpenRouteServiceAPI,
 api_key: System.get_env("OPEN_ROUTE_SERVICE_API_KEY"),
 client: Skate.OpenRouteServiceAPI.Client
-config :ueberauth, Ueberauth.Strategy.Cognito,
- client_secret: System.get_env("COGNITO_CLIENT_SECRET")
-
 config :skate, SkateWeb.AuthManager, secret_key: System.get_env("GUARDIAN_SECRET_KEY")
 pool_size =
diff --git a/config/test.exs b/config/test.exs
index 286a43698..83289d967 100644
--- a/config/test.exs
+++ b/config/test.exs
@@ -24,7 +24,6 @@ config :skate, Oban, testing: :inline
 config :ueberauth, Ueberauth,
 providers: [
- cognito: {Skate.Ueberauth.Strategy.Fake, [groups: ["skate-dispatcher", "skate-nav-beta"]]},
 keycloak: {Skate.Ueberauth.Strategy.Fake, [groups: ["skate-dispatcher", "skate-nav-beta"]]}
 ]
diff --git a/mix.exs b/mix.exs
index 310b00fdf..2be20f4f0 100644
--- a/mix.exs
+++ b/mix.exs
@@ -89,7 +89,6 @@ defmodule Skate.MixProject do
 {:ssl_verify_fun, "~> 1.1"},
 {:stream_data, "~> 1.1.1", only: :test},
 {:timex, "~> 3.7.5"},
- {:ueberauth_cognito, "~> 0.4.0"},
 {:ueberauth_oidcc, "~> 0.4.0"},
 {:ueberauth, "~> 0.10.5"}
 ]
diff --git a/mix.lock b/mix.lock
index 0d61295f5..dd00937e8 100644
--- a/mix.lock
+++ b/mix.lock
@@ -81,7 +81,6 @@
 "timex": {:hex, :timex, "3.7.11", "bb95cb4eb1d06e27346325de506bcc6c30f9c6dea40d1ebe390b262fad1862d1", [:mix], [{:combine, "~> 0.10", [hex: :combine, repo: "hexpm", optional: false]}, {:gettext, "~> 0.20", [hex: :gettext, repo: "hexpm", optional: false]}, {:tzdata, "~> 1.1", [hex: :tzdata, repo: "hexpm", optional: false]}], "hexpm", "8b9024f7efbabaf9bd7aa04f65cf8dcd7c9818ca5737677c7b76acbc6a94d1aa"},
 "tzdata": {:hex, :tzdata, "1.1.1", "20c8043476dfda8504952d00adac41c6eda23912278add38edc140ae0c5bcc46", [:mix], [{:hackney, "~> 1.17", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm", "a69cec8352eafcd2e198dea28a34113b60fdc6cb57eb5ad65c10292a6ba89787"},
 "ueberauth": {:hex, :ueberauth, "0.10.8", "ba78fbcbb27d811a6cd06ad851793aaf7d27c3b30c9e95349c2c362b344cd8f0", [:mix], [{:plug, "~> 1.5", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "f2d3172e52821375bccb8460e5fa5cb91cfd60b19b636b6e57e9759b6f8c10c1"},
- "ueberauth_cognito": {:hex, :ueberauth_cognito, "0.4.0", "62daa3f675298c2b03002d2e1b7e5a30cbc513400e5732a264864a26847e71ac", [:mix], [{:hackney, "~> 1.0", [hex: :hackney, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:jose, "~> 1.0", [hex: :jose, repo: "hexpm", optional: false]}, {:ueberauth, "~> 0.7", [hex: :ueberauth, repo: "hexpm", optional: false]}], "hexpm", "62378f4f34c8569cd95cc4e7463c56e9981c8afc83fdc516922065f0e1302a35"},
 "ueberauth_oidcc": {:hex, :ueberauth_oidcc, "0.4.0", "3fbfbc38735b4dba54ed8bf3e9b80f5054f73cc1ec9af6ae88b7886d25934768", [:mix], [{:oidcc, "~> 3.2.0", [hex: :oidcc, repo: "hexpm", optional: false]}, {:plug, "~> 1.11", [hex: :plug, repo: "hexpm", optional: false]}, {:ueberauth, "~> 0.10", [hex: :ueberauth, repo: "hexpm", optional: false]}], "hexpm", "cdd8517d773cfe499c0b692f795f213b2eb33119afbec34aefd8be0a85c62b21"},
 "unicode_util_compat": {:hex, :unicode_util_compat, "0.7.0", "bc84380c9ab48177092f43ac89e4dfa2c6d62b40b8bd132b1059ecc7232f9a78", [:rebar3], [], "hexpm", "25eee6d67df61960cf6a794239566599b09e17e668d3700247bc498638152521"},
 "vector": {:hex, :vector, "1.1.0", "0789b5e00e9c551d8d5880acab9a8f44ed46690d083af397018bf0c7f30c1092", [:mix], [], "hexpm", "48b0a800ec88e55b12c689b09100e4c9ba41ea1befb459221c085a4e70040696"},