[keycloak-user] Synchronising TOTP with LDAP
Marek Posolda
mposolda at redhat.com
Tue Jan 24 06:42:35 EST 2017
It seems that ssoTotpValue is a custom LDAP attribute specific to your
LDAP schema? Does it contain the TOTP secret of the particular user?
What you can do is configure the UserAttribute LDAP mapper for your LDAP
provider for the attribute ssoTotpValue. Then you will see that
"ssoTotpValue" appears in the user attributes of the particular user in
Keycloak. So that would be the first step.
Once that is working, it seems that you will need to add your own
implementation of credential storage for OTP. It seems that adding your
own UserCredentialStore implementation won't work for LDAP users ATM,
but you can likely add your own CredentialProvider for TOTP credentials.
You can create a subclass of OTPCredentialProvider and override some
methods (like onCache, for instance, where you can add your own
CredentialModel retrieved from the ssoTotpValue attribute of the
particular user).
Another alternative is to create your own OTPAuthenticator if you don't
manage to get the CredentialProvider working.
Marek
On 17/01/17 03:59, Liam Maruff wrote:
> My organisation is transitioning from a legacy authentication mechanism to
> OpenID Connect using Keycloak. The current system stores TOTP data in an
> LDAP store under a field named ssoTotpValue.
>
> Is it possible for us to allow users to continue using their existing TOTP
> configuration by mapping the ssoTotpValue from the existing LDAP store into
> Keycloak? If not, what other mechanisms are available for us to
> accomplish this goal?
>
> Regards,
>
> Liam M
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
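The approach Marek sketches (LDAP mapper first, then a subclass of OTPCredentialProvider that overrides onCache and validates against the mapped attribute), written out as an added example. This is not code from the mailing list thread or from the Keycloak project. Assumptions: the legacy ssoTotpValue holds the base32-encoded raw TOTP seed (adjust decodeSeed() if your legacy system stored it differently), the package name and provider id "legacy-ldap-otp" are hypothetical, and the method signatures follow the Keycloak 2.x-era API of the time (OTPCredentialProvider, OnUserCache.onCache, CachedUserModel.getCachedWith, TimeBasedOTP, Base32); check them against the Keycloak version you deploy on.

```java
package com.example.keycloak.legacyotp;   // hypothetical package name

import org.keycloak.Config;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialProviderFactory;
import org.keycloak.credential.OTPCredentialProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.cache.CachedUserModel;
import org.keycloak.models.utils.Base32;
import org.keycloak.models.utils.TimeBasedOTP;

/**
 * Validates TOTP codes against the seed held in the LDAP attribute
 * ssoTotpValue, which the User Attribute LDAP mapper exposes as a Keycloak
 * user attribute of the same name. Falls back to the stock provider so users
 * who later enrol a new OTP inside Keycloak keep working.
 *
 * Assumption (not from the mailing list post): the legacy value is the
 * base32-encoded raw seed. API signatures are those of Keycloak 2.x.
 */
public class LegacyLdapOtpCredentialProvider extends OTPCredentialProvider {

    static final String LEGACY_ATTR = "ssoTotpValue";
    // Our own slot in the per-user cache, kept separate from whatever key the parent uses.
    private static final String CACHE_KEY = LegacyLdapOtpCredentialProvider.class.getName() + ".seed";

    public LegacyLdapOtpCredentialProvider(KeycloakSession session) {
        super(session);
    }

    /** Decode the mapped attribute into raw seed bytes; null if absent or malformed. */
    static byte[] decodeSeed(UserModel user) {
        String encoded = user.getFirstAttribute(LEGACY_ATTR);
        if (encoded == null || encoded.trim().isEmpty()) return null;
        try {
            return Base32.decode(encoded.trim().toUpperCase());
        } catch (RuntimeException e) {
            // Malformed legacy data fails closed: the user simply has no legacy OTP.
            return null;
        }
    }

    /** Prefer the user cache so a login does not re-read LDAP for the seed. */
    private byte[] legacySeed(UserModel user) {
        if (user instanceof CachedUserModel) {
            Object cached = ((CachedUserModel) user).getCachedWith().get(CACHE_KEY);
            if (cached instanceof byte[]) return (byte[]) cached;
        }
        return decodeSeed(user);
    }

    @Override
    public void onCache(RealmModel realm, CachedUserModel user, UserModel delegate) {
        super.onCache(realm, user, delegate);   // let the parent cache its own stored OTP credentials
        byte[] seed = decodeSeed(delegate);     // read from the real (LDAP-backed) user, not the cache
        if (seed != null) user.getCachedWith().put(CACHE_KEY, seed);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        if (supportsCredentialType(credentialType) && legacySeed(user) != null) return true;
        return super.isConfiguredFor(realm, user, credentialType);
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!(input instanceof UserCredentialModel)) return false;
        String token = ((UserCredentialModel) input).getValue();
        byte[] seed = legacySeed(user);
        if (token != null && seed != null) {
            // Use the realm OTP policy (algorithm, digits, period, look-ahead window) so the
            // clock-skew tolerance matches what Keycloak-native OTP users get.
            OTPPolicy p = realm.getOTPPolicy();
            TimeBasedOTP totp = new TimeBasedOTP(p.getAlgorithm(), p.getDigits(), p.getPeriod(), p.getLookAheadWindow());
            if (totp.validateTOTP(token, seed)) return true;
        }
        return super.isValid(realm, user, input);
    }

    /**
     * Factory registered through the service file
     * META-INF/services/org.keycloak.credential.CredentialProviderFactory, containing
     * the binary name com.example.keycloak.legacyotp.LegacyLdapOtpCredentialProvider$Factory.
     * The provider id is hypothetical.
     */
    public static class Factory implements CredentialProviderFactory<LegacyLdapOtpCredentialProvider> {
        @Override public String getId() { return "legacy-ldap-otp"; }
        @Override public LegacyLdapOtpCredentialProvider create(KeycloakSession session) {
            return new LegacyLdapOtpCredentialProvider(session);
        }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

Two points a practitioner should keep in mind with this layout. First, once the mapper copies ssoTotpValue into Keycloak user attributes, the seed is readable by anyone who can view users in the admin console and will end up in tokens if someone later adds a "User Attribute" protocol mapper for it; treat the attribute as password-equivalent, keep the mapper read-only, and do not log the decoded seed. Second, isValid falls through to super.isValid, so a user can be accepted by either the legacy LDAP seed or a credential enrolled natively in Keycloak; if the migration plan is to retire the legacy seed after re-enrolment, the attribute must actually be cleared in LDAP, not just ignored.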