How to Configure Identity Federation with Keycloak and LDAP

Introduction

User federation lets Keycloak authenticate users against an external identity store such as an LDAP directory: the directory remains the single place where accounts and passwords live, while Keycloak issues the sessions and tokens your applications consume. By setting up LDAP (Lightweight Directory Access Protocol) federation in Keycloak, organizations can keep managing users in an existing directory service like Microsoft Active Directory (AD) or OpenLDAP and still put Keycloak's SSO, OpenID Connect and SAML front ends in front of it.

In this guide, we’ll walk through setting up LDAP user federation with Keycloak, including the required configuration steps and testing the integration.


Prerequisites

Before configuring LDAP federation, ensure you have:

  • A working Keycloak installation (check our previous guide)
  • An LDAP server (such as OpenLDAP or Active Directory) reachable from the Keycloak host on port 636 (LDAPS) or 389 (LDAP, ideally with StartTLS)
  • Administrator access to Keycloak, plus an LDAP account for Keycloak to bind with (ideally a dedicated, read-only service account rather than the directory administrator)
  • A Java version supported by your Keycloak release (Java 17 for Keycloak 22 and later; newer releases may require Java 21, so check the release notes for the version you run)

Step 1: Start Keycloak

If Keycloak isn’t running yet, start it in development mode with the following command:

bin/kc.sh start-dev

Access the admin console at: http://localhost:8080/admin

Login with your admin credentials.

start-dev serves the console over plain HTTP and relaxes the hostname checks, which is fine on a workstation but not for a server other people can reach; a production deployment uses kc.sh start with TLS and a hostname configured.


Step 2: Configure LDAP in Keycloak

Federation providers belong to a realm, so first switch to the realm your applications use (realm selector at the top left) and keep the master realm for Keycloak administrators only.

  1. Navigate to LDAP Configuration:
    • Go to Keycloak Admin Console → User Federation.
    • Click Add provider and select LDAP.
  2. Set up LDAP Connection:
    • Edit Connection Details:
      • Vendor: Active Directory or Other. Pick the right one: it sets the attribute defaults used below.
      • Connection URL: ldaps://<LDAP_SERVER>:636 for LDAP over TLS, or ldap://<LDAP_SERVER>:389 with Enable StartTLS switched on. Plain ldap:// without StartTLS sends the bind password, and every user password Keycloak verifies, across the network in clear, so use it only in a lab. For the TLS connection to be verified, the directory's CA certificate must be trusted by Keycloak (the JVM trust store or the truststore Keycloak is configured with; see the server configuration docs for your version).
      • Bind Type: simple
      • Bind DN: cn=keycloak-svc,ou=services,dc=example,dc=com. Use a dedicated service account with read access to the user subtree rather than cn=admin or a domain administrator; Keycloak only needs to search users and, in WRITABLE mode, update them. For AD the full DN or the UPN form (keycloak-svc@example.com) both work.
      • Bind Credential: the service account's password
  3. Configure User Search Settings:
    • Users DN: the subtree that holds users, e.g. ou=people,dc=example,dc=com; keep it as narrow as possible instead of the whole domain
    • Username LDAP Attribute: uid (for OpenLDAP) or sAMAccountName (for AD)
    • RDN LDAP Attribute: the attribute your user entries' RDN is built from, usually uid for OpenLDAP and cn for AD
    • UUID LDAP Attribute: entryUUID (for OpenLDAP) or objectGUID (for AD). Keycloak keys the federation link on this value, so it must be an attribute that never changes for an entry.
    • User Object Classes: inetOrgPerson (for OpenLDAP) or person, organizationalPerson, user (for AD)
  4. Synchronization Settings:
    • Edit Mode: READ_ONLY (users can authenticate, but their LDAP attributes and passwords cannot be changed from Keycloak). WRITABLE writes changes back to LDAP; UNSYNCED imports users and then lets Keycloak edit its own copy without touching LDAP.
    • Sync Registrations: ON only together with WRITABLE; it makes users registered in Keycloak get created in LDAP, which a read-only store will refuse
    • Import Users: ON by default. The user entries are copied into Keycloak's database, but passwords are never imported; Keycloak always verifies a password by binding to LDAP as that user.
    • Periodic Full Sync / Periodic Changed Users Sync: enable if required, with a period in seconds
  5. Save and Test Connection
    • Click Test connection to verify that Keycloak can reach the server (and, for ldaps:// or StartTLS, trusts its certificate).
    • Click Test authentication to confirm the Bind DN and credential.
    • Click Save.

Step 3: Sync Users from LDAP

Once configured, sync users from LDAP:

  1. Navigate to User Federation → LDAP → Synchronization Actions.
  2. Click Sync all users to import every entry that matches the user object classes under the Users DN (Sync changed users only pulls entries modified since the last run).
  3. Go to Users in Keycloak to verify LDAP users appear; an imported user's details show a Federation link pointing at the LDAP provider.

Step 4: Test LDAP Authentication

  1. Open the realm's account console at http://localhost:8080/realms/<realm>/account (the admin console only admits users holding admin roles, so it is not a useful login test for an ordinary LDAP user).
  2. Log in with an LDAP user account and its LDAP password.
  3. If authentication is successful, the setup is complete. If it fails, check the Keycloak server log: LDAP bind and search errors are reported there in detail, while the login page deliberately shows only a generic "Invalid username or password".
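The same login test can be driven from a script instead of a browser, which is handy when you repeat it after every settings change. The following is an added example (not code from this guide or from the Keycloak project): it asks the realm's OpenID Connect token endpoint for a token with the Resource Owner Password Credentials grant, classifies the answer so a failed LDAP login is distinguishable from a misconfigured client, and decodes the access token to see which user it was issued for. The realm name myrealm, the client id ldap-test, the user name and the sample responses are placeholders I made up; the client must have Direct access grants enabled in the admin console for this grant to be accepted.

```python
"""Added example, not part of the guide or of Keycloak: test an LDAP user's
login through Keycloak's token endpoint and explain the outcome."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def jwt_claims(token):
    """Decode the payload of a JWT without verifying the signature.  Fine for
    reading a token you just obtained yourself; never use this to trust one."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_token_response(status, body):
    """Turn a token-endpoint response (status code, JSON body) into a verdict."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        claims = jwt_claims(data["access_token"])
        return {"ok": True, "user": claims.get("preferred_username"),
                "subject": claims.get("sub")}
    err = data.get("error", "")
    # Hints are my own reading of the standard OAuth error codes as Keycloak
    # uses them; the server log has the authoritative reason.
    hints = {
        "invalid_grant": ("wrong password, user disabled, or the LDAP bind for "
                          "this user failed; check the Keycloak server log"),
        "unauthorized_client": "enable 'Direct access grants' on the client",
        "invalid_client": "wrong client id, or the client needs its secret",
    }
    return {"ok": False, "error": err,
            "hint": hints.get(err, data.get("error_description", ""))}


def password_grant(base_url, realm, client_id, username, password,
                   client_secret=None, timeout=10):
    """POST to /realms/<realm>/protocol/openid-connect/token and classify."""
    form = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password, "scope": "openid"}
    if client_secret:                       # only for confidential clients
        form["client_secret"] = client_secret
    req = urllib.request.Request(
        f"{base_url}/realms/{realm}/protocol/openid-connect/token",
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:     # 400/401 carry a JSON error body
        return classify_token_response(e.code, e.read())


# Constructed sample responses (not captured from a real server) so the
# classifier can be exercised without a running Keycloak.
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9." + base64.urlsafe_b64encode(
    json.dumps({"sub": "4a1f", "preferred_username": "jdoe"}).encode()
).rstrip(b"=").decode() + ".signature-omitted"
SAMPLE_OK_BODY = json.dumps({"access_token": SAMPLE_TOKEN, "token_type": "Bearer"})
SAMPLE_ERR_BODY = json.dumps({"error": "invalid_grant",
                              "error_description": "Invalid user credentials"})


if __name__ == "__main__":
    import getpass
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "jdoe"
    verdict = password_grant("http://localhost:8080", "myrealm", "ldap-test",
                             user, getpass.getpass(f"LDAP password for {user}: "))
    print(json.dumps(verdict, indent=2))
```

Run it as `python ldap_login_test.py <ldap-username>`; a successful verdict names the user the token was issued for, and a failed one tells you whether to look at the LDAP side (invalid_grant) or at the Keycloak client (unauthorized_client, invalid_client). Disable Direct access grants on the client again once you are done testing.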

Optional: Enable Role Mappings from LDAP

Group and role membership is not part of the provider settings above; it is added with an LDAP mapper. To expose LDAP groups as Keycloak groups:

  1. Under User Federation → LDAP → Mappers, click Add mapper and choose the type group-ldap-mapper (use role-ldap-mapper if the LDAP groups should become realm roles instead).
  2. Set LDAP Groups DN (e.g. ou=groups,dc=example,dc=com), Group Name LDAP Attribute (cn), Group Object Classes (groupOfNames for OpenLDAP, group for AD), Membership LDAP Attribute (member), Membership Attribute Type (DN) and Mode (READ_ONLY keeps LDAP authoritative).
  3. Save, then run Sync LDAP groups to Keycloak from the mapper's action menu and check Groups in the realm.
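Everything entered by hand in Step 2 and in the mapper above can also be expressed as the component JSON that Keycloak's admin CLI accepts, which makes the settings reviewable and repeatable. The following is an added example written for this page, not code from the guide or from the Keycloak project: it builds the JSON for an LDAP user federation provider and a group-ldap-mapper, applies the per-vendor attribute defaults (entryUUID versus objectGUID, the object classes) so that an Active Directory setup does not silently get the OpenLDAP values, and refuses or warns about the combinations discussed above (Sync Registrations without WRITABLE, plain ldap:// without StartTLS, binding as the directory admin). The bind DN, base DNs, host names, realm and the admin-looking-DN heuristic are my own placeholders and choices.

```python
"""Added example, not part of the guide or of Keycloak: generate and
sanity-check the component JSON for an LDAP provider and a group mapper."""
import json
import re

# Attribute defaults the admin console fills in per Vendor, spelled out so a
# scripted setup never applies the OpenLDAP values to Active Directory.
VENDOR_DEFAULTS = {
    "other": {"usernameLDAPAttribute": "uid", "rdnLDAPAttribute": "uid",
              "uuidLDAPAttribute": "entryUUID",
              "userObjectClasses": "inetOrgPerson, organizationalPerson"},
    "ad": {"usernameLDAPAttribute": "sAMAccountName", "rdnLDAPAttribute": "cn",
           "uuidLDAPAttribute": "objectGUID",
           "userObjectClasses": "person, organizationalPerson, user"},
}
# Heuristic of my own (not a Keycloak check): bind identities that look like
# the directory administrator rather than a dedicated read-only account.
ADMIN_LIKE_BIND = re.compile(r"^(cn=admin,|cn=administrator,|administrator@)", re.I)


def ldap_provider(name, vendor, url, bind_dn, bind_credential, users_dn,
                  edit_mode="READ_ONLY", sync_registrations=False,
                  start_tls=False):
    """Return (component_dict, warnings); raise ValueError for settings that
    cannot work together."""
    if vendor not in VENDOR_DEFAULTS:
        raise ValueError(f"unknown vendor {vendor!r}; use 'ad' or 'other'")
    if edit_mode not in ("READ_ONLY", "WRITABLE", "UNSYNCED"):
        raise ValueError(f"bad edit mode {edit_mode!r}")
    if sync_registrations and edit_mode != "WRITABLE":
        raise ValueError("Sync Registrations needs edit mode WRITABLE: "
                         "Keycloak cannot create entries in a read-only store")
    warnings = []
    if url.startswith("ldap://") and not start_tls:
        warnings.append("plain ldap:// without StartTLS: the bind password and "
                        "every user password Keycloak verifies cross the network "
                        "in clear; use ldaps:// or enable StartTLS")
    if ADMIN_LIKE_BIND.match(bind_dn):
        warnings.append(f"bind DN {bind_dn!r} looks like the directory admin; "
                        "bind with a dedicated read-only service account")
    config = {
        "enabled": "true", "priority": "0", "importEnabled": "true",
        "vendor": vendor, "connectionUrl": url,
        "authType": "simple", "bindDn": bind_dn, "bindCredential": bind_credential,
        "startTls": str(start_tls).lower(), "useTruststoreSpi": "always",
        "usersDn": users_dn, "searchScope": "2",            # 2 = subtree
        "editMode": edit_mode,
        "syncRegistrations": str(sync_registrations).lower(),
        "pagination": "true", "batchSizeForSync": "1000",
        "fullSyncPeriod": "-1", "changedSyncPeriod": "-1",  # -1 = disabled
    }
    config.update(VENDOR_DEFAULTS[vendor])
    component = {
        "name": name,
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        # Keycloak stores every component config value as a list of strings.
        "config": {k: [v] for k, v in config.items()},
    }
    return component, warnings


def group_mapper(parent_id, groups_dn, vendor, mode="READ_ONLY"):
    """Mapper that turns LDAP groups into Keycloak groups; parent_id is the id
    Keycloak assigned to the LDAP provider component."""
    config = {
        "groups.dn": groups_dn,
        "group.name.ldap.attribute": "cn",
        "group.object.classes": "group" if vendor == "ad" else "groupOfNames",
        "membership.ldap.attribute": "member",      # DN-valued in both vendors
        "membership.attribute.type": "DN",
        "membership.user.ldap.attribute": VENDOR_DEFAULTS[vendor]["usernameLDAPAttribute"],
        "mode": mode,
        "user.roles.retrieve.strategy": "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE",
        "preserve.group.inheritance": "true",
        "drop.non.existing.groups.during.sync": "false",
    }
    return {
        "name": "ldap-groups",
        "parentId": parent_id,
        "providerId": "group-ldap-mapper",
        "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
        "config": {k: [v] for k, v in config.items()},
    }


if __name__ == "__main__":
    provider, warns = ldap_provider(
        "corp-ldap", "other", "ldaps://ldap.example.com:636",
        "cn=keycloak-svc,ou=services,dc=example,dc=com", "CHANGE_ME",
        "ou=people,dc=example,dc=com")
    for w in warns:
        print("WARNING:", w)
    with open("ldap-provider.json", "w") as f:
        json.dump(provider, f, indent=2)
    # Load with:  bin/kcadm.sh create components -r <realm> -f ldap-provider.json
    # kcadm prints the new component id; pass it to group_mapper() and load
    # that JSON the same way.
```

Authenticate the CLI first (`bin/kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin`), create the provider from the generated file, then generate and create the mapper with the returned id. Because the bind credential ends up in the JSON, keep the file out of version control and delete it after loading; Keycloak stores the value internally but the admin API will not hand it back.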

Conclusion

You’ve successfully integrated Keycloak with LDAP for identity federation. Now, users can authenticate against the LDAP directory while Keycloak manages authentication and authorization for your applications.

Next Steps:

  • Configure SSO with Keycloak
  • Enable LDAP password policies
  • Integrate OAuth 2.0/OpenID Connect authentication

Stay tuned for more Keycloak tutorials!
