<div dir="ltr">Thanks for the insight, Marek. Since we are building newer applications and have no LEGACY application that requires LDAP, I think it's clear for us to store our users in KEYCLOAK and use the SAML or OpenID protocol for Identity Management interoperability. If we were to inherit some LEGACY applications in the future, we can then point our KEYCLOAK server at those repositories and have KEYCLOAK be the single source. Sound reasonable?<div><br></div><div>We appreciate your feedback and experiences.</div><div><br></div><div>Regards </div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Dec 22, 2015 at 3:02 PM Marek Posolda <<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>You can plug LDAP into Keycloak as a user
federation provider (see the Keycloak docs), but Keycloak still
needs to store users in its internal database. That's because
Keycloak has various internal user metadata specific to its
logic. So usually just some parts of the user are stored in LDAP (you
can control with LDAP mappers what exactly), but all the other
stuff is kept in the Keycloak database.<br>
<br>
Integrating Keycloak with LDAP is useful especially in case that
you have:<br>
- Existing user base stored in LDAP<br>
- Other systems or applications, which are compatible with LDAP
and need to read user information from there<br>
<br>
If none of those is applicable for you, then it's best to skip
LDAP and just use Keycloak internal database. There is no need to
store info about user accounts in 2 places if there is no reason
for that.<br>
<br>
Marek</div></div><div text="#000000" bgcolor="#FFFFFF"><div><br>
<br>
On 22/12/15 14:51, Christopher Wallace wrote:<br>
</div></div><div text="#000000" bgcolor="#FFFFFF"><blockquote type="cite">
<div dir="ltr">We are building a new application with an RBAC
security model; we always attempt to use as much COTS
functionality of our technology stack as possible. We are
working with the 1.7 version of KEYCLOAK for SSO (thank you for this
product, by the way). We are at a decision point of where to
persist our users, roles and permissions. We considered LDAP,
but then with the introduction of composite roles into KEYCLOAK
there was consolidation: could we support users and roles
directly in KEYCLOAK and permissions in our datastore? My
question to the group is: what is the best practice? Is there value
in having the additional LDAP user repository? In most places, in my
experience, there is both LDAP or AD and SSO. I wanted to keep
the email fairly short, but if you have additional questions
please feel free.
<div><br>
</div>
<div>Thank You!</div>
</div>
<br>
<br>
</blockquote></div><div text="#000000" bgcolor="#FFFFFF"><blockquote type="cite"><pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote></div>