User Federation with Active Directory / LDAP

Created by Tass Skoudros, Modified on Fri, 11 Nov 2022 at 09:48 AM by Tass Skoudros

Click on ‘User Federation’ on the left pane to navigate to the user federation window. Select ‘LDAP’ from the drop-down selector to navigate further.

In the ‘Add user storage provider’ window, there is a lot to fill up. Let go through them one by one. 

  1. Select ‘Active Directory’ as the vendor to fill the fields ‘Username LDAP attribute’, ‘RDN LDAP attribute’, ‘UUID LDAP attribute’ and ‘User Object classes’ automatically.
  2. As the connection url, use ‘ldap://’ or ‘ldaps://’ followed by domain name. Click on ‘test connection’ to see if the LDAP connection works. 
  3. Type ‘dsquery user -name ’ followed by the administrator’s name to get the ‘Bind DN’ and ‘Users DN’. Use the administrator password as the ‘Bind Credentials’ and click ‘Test Authentication’ to check whether it is correct.
  • Bind DN in below example is “CN=Administrator,CN=Users,DC=dhruv,DC=demo" 
  • Users DN in below example is “CN=Users,DC=dhruv,DC=demo”

  1. Enter if any custom user LDAP filter is required. 
  2. Periodic full and changed user sync of LDAP users to Keyclock can be enabled from sync settings. 
  3. Click on save and execute to sync users button.

Add Group to Keyclock Group sync mapper

  1. Provide the LDAP Groups DN to sync the groups.
  2. Groups DN is “OU=Groups,DC=dhruv,DC=demo” in the below example

  1. The rest of the fields can be left default and customisable based on the need.
  2. Once saved, you need to see a new button enabled to perform sync groups from AD to Keycloak.

Add Group to Keycloak Role Sync Mapper 

  1. Provide the Role Groups DN to sync the groups.

  1. Groups DN is “OU=Roles,DC=dhruv,DC=demo” in the below example Rest of the fields can be left default and customisable based on the need. 
  2. Once saved you will see a new button to perform role sync to keycloak from AD.

Post Validations

Check user sync is completed successfully by verifying the password provided by an Active directory user.

  • Perform login with Active Directory User and verify that you are able to login

  • Verify the AD groups are synced as Keycloak Groups or Roles based on the mapper chosen

In Active Directory

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article