4:46 p.m.
Hi all,
Apologies for sending this in the developer’s mailing list. But I was not getting any
reply in the user’s list since few weeks and decided to see if I can get any help from
here.
I have a multi-tenant SSO use-case where a set of application can be used by multiple
organizations with their owns LDAP/AD configurations. I am trying to secure those
applications using Keycloak and pretty much successful in doing so by adding individual
organization’s LDAP configs in User Federation tab.
However, I observed that for authentication from LDAPs, keycloak goes through all the LDAP
configs added one by one, either by the order of their addition in Keycloak or by the
priorities set in configuration, to check for the user credential until desired username
and password matches. This is causing two main issues –
1. If same username is part of two organizations, it causes failure even when correct
credentials belonging in a later LDAP are passed to the login/token API. Keycloak finds
the same username in the first LDAP and sees the password is different and hence returns
failure.
2. Keycloak does not provide failover for LDAPs. Thus, if one of the LDAP servers is
down, authentication from all the successive LDAPs will fail.
Can we instead have a solution where user can specify his/her organization’s domain along
with the username, so that keycloak points directly to that particular LDAP config and not
look into other LDAPs. This will solve both of the above problems.
For example, we have same username ‘ajinkya.thakare’ in two organization’s domains
‘company1’ and ‘company2’. On the login page, if user can provide
‘ajinkya.thakare@company2’, keycloak should point to the LDAP config for company2 only.
Here issue 1 is solved since the credentials for ‘ajinkya.thakare’ in company1’s domain
are not checked anytime and hence not causing any failure for correct credentials from
company2. Issue 2 is also solved since LDAP server for company 1 may be down sometimes,
but we are not concerned with that anymore and hence enabling failover for LDAPs.
Please let me know if this can be already achieved by any means. Or if there is any
workaround for the same.
Regards,
Ajinkya Thakare
3:37 a.m.
The developer mailing list is purely to discuss development and
contributions to Keycloak. Please don't use it for questions and help.
On Mon, 23 Sep 2019, 23:48 Ajinkya Thakare, <Ajinkya.Thakare(a)veritas.com>
wrote:
Hi all,
Apologies for sending this in the developer’s mailing list. But I was not
getting any reply in the user’s list since few weeks and decided to see if
I can get any help from here.
I have a multi-tenant SSO use-case where a set of application can be used
by multiple organizations with their owns LDAP/AD configurations. I am
trying to secure those applications using Keycloak and pretty much
successful in doing so by adding individual organization’s LDAP configs in
User Federation tab.
However, I observed that for authentication from LDAPs, keycloak goes
through all the LDAP configs added one by one, either by the order of their
addition in Keycloak or by the priorities set in configuration, to check
for the user credential until desired username and password matches. This
is causing two main issues –
1. If same username is part of two organizations, it causes failure
even when correct credentials belonging in a later LDAP are passed to the
login/token API. Keycloak finds the same username in the first LDAP and
sees the password is different and hence returns failure.
2. Keycloak does not provide failover for LDAPs. Thus, if one of the
LDAP servers is down, authentication from all the successive LDAPs will
fail.
Can we instead have a solution where user can specify his/her
organization’s domain along with the username, so that keycloak points
directly to that particular LDAP config and not look into other LDAPs. This
will solve both of the above problems.
For example, we have same username ‘ajinkya.thakare’ in two organization’s
domains ‘company1’ and ‘company2’. On the login page, if user can provide
‘ajinkya.thakare@company2’, keycloak should point to the LDAP config for
company2 only. Here issue 1 is solved since the credentials for
‘ajinkya.thakare’ in company1’s domain are not checked anytime and hence
not causing any failure for correct credentials from company2. Issue 2 is
also solved since LDAP server for company 1 may be down sometimes, but we
are not concerned with that anymore and hence enabling failover for LDAPs.
Please let me know if this can be already achieved by any means. Or if
there is any workaround for the same.
Regards,
Ajinkya Thakare
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
1921
days inactive
1922
days old
1 comments
2 participants
participants (2)
-
Ajinkya Thakare -
Stian Thorgersen