User Federation For SSO Login

This document covers on-boarding users via Keycloak federation and on-boarding LDAP-connected applications. The LDAP connector is not needed to link Keycloak to LDAP.

Settings Information

This assumes that the LDAP bind user can add users to LDAP.

  • If LDAP (User Federation) is set to Edit Mode, Sync Registrations is on and Import Users is on in Keycloak:
    • The user will be added to LDAP at the base of the Users DN set in Keycloak.
    • The user’s Credential will be listed as Provided By LDAP.
    • The user will get a random password in LDAP.
  • If LDAP (User Federation) is set to Read Only and Import Users is on or off in Keycloak:
    • The user’s Credential will be listed as Provided By Keycloak.
    • If the user is later added to LDAP, Keycloak sync will fail for that user.
  • If LDAP (User Federation) is set to Edit Mode, Sync Registrations is off and Import Users is on or off in Keycloak:
    • The user’s Credential will be listed as Provided By Keycloak.
    • If the user is later added to LDAP, Keycloak sync will fail for that user.
  • If LDAP (User Federation) is set to Edit Mode, Sync Registrations is on and Import Users is on in Keycloak, and a mapper has an error:
    • No error will be shown and the user will not be added to Keycloak or LDAP.

Tenant Configuration

  1. Go to Keycloak admin for your tenant.
  2. Under IDHub Realm go to User Federation.
  3. Pick LDAP under Add Provider.
  4. Settings will vary based on your LDAP directory configuration.
  5. Save and Synchronize all users (any errors will pop up along with the number of users imported).
  6. Go to Manage/users and check that the LDAP users show up.
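As an added example (not part of this document or of Keycloak itself): the same federation provider created through the Keycloak Admin REST API instead of the console, plus a helper that applies the rules from Settings Information to predict where a user who registers through Keycloak ends up. Assumed: the POST /admin/realms/{realm}/components endpoint and the config key names used below; the host, DNs and bind password are constructed sample values, and the Import Users setting is assumed not to change the destination when Edit Mode and Sync Registrations are both on.

```python
"""Build the Keycloak Admin REST payload for an LDAP user-federation provider
and predict where a user who registers through Keycloak ends up. Assumed (not
from this document): POST /admin/realms/{realm}/components and the config key
names below. Host, DNs and bind password are constructed sample values."""

PROVIDER_TYPE = "org.keycloak.storage.UserStorageProvider"
EDIT_MODES = ("READ_ONLY", "WRITABLE", "UNSYNCED")


def ldap_component(realm_id, edit_mode="WRITABLE", sync_registrations=True,
                   import_users=True, users_dn="ou=people,dc=example,dc=test",
                   bind_dn="cn=keycloak,dc=example,dc=test",
                   bind_credential="<bind-password-placeholder>"):
    """Return the JSON body for creating the LDAP federation component.
    Keycloak stores every config value as a single-element list of strings."""
    if edit_mode not in EDIT_MODES:
        raise ValueError(f"editMode must be one of {EDIT_MODES}")
    return {
        "name": "ldap",
        "providerId": "ldap",
        "providerType": PROVIDER_TYPE,
        "parentId": realm_id,
        "config": {
            "editMode": [edit_mode],                                # Edit Mode
            "syncRegistrations": [str(sync_registrations).lower()], # Sync Registrations
            "importEnabled": [str(import_users).lower()],           # Import Users
            "connectionUrl": ["ldap://ldap.example.test"],
            "usersDn": [users_dn],
            "authType": ["simple"],
            "bindDn": [bind_dn],
            "bindCredential": [bind_credential],
            "usernameLDAPAttribute": ["uid"],
            "rdnLDAPAttribute": ["uid"],
            "uuidLDAPAttribute": ["entryUUID"],
            "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
        },
    }


def registration_outcome(component):
    """Only Edit Mode with Sync Registrations on writes the new user to LDAP;
    every other combination keeps the user and credential in Keycloak, so a
    later manual add of the same user in LDAP breaks sync for that user."""
    cfg = component["config"]
    if cfg["editMode"][0] == "WRITABLE" and cfg["syncRegistrations"][0] == "true":
        return {"stored_in": "LDAP", "credential": "Provided By LDAP",
                "dn": f"{cfg['rdnLDAPAttribute'][0]}=<username>,{cfg['usersDn'][0]}",
                "note": "bind user must be allowed to add entries under usersDn"}
    return {"stored_in": "Keycloak", "credential": "Provided By Keycloak",
            "note": "adding this user to LDAP later will make sync fail for them"}
```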