The developer mailing list is purely to discuss development and
contributions to Keycloak. Please don't use it for questions and help.
On Mon, 23 Sep 2019, 23:48 Ajinkya Thakare, <Ajinkya.Thakare(a)veritas.com>
Apologies for sending this to the developers' mailing list. But I was not
getting any reply on the users' list for a few weeks and decided to see if
I can get any help from here.
I have a multi-tenant SSO use-case where a set of applications can be used
by multiple organizations with their own LDAP/AD configurations. I am
trying to secure those applications using Keycloak and have been pretty much
successful in doing so by adding each individual organization's LDAP config in
the User Federation tab.
However, I observed that for authentication from LDAPs, Keycloak goes
through all the LDAP configs added, one by one, either in the order of their
addition in Keycloak or by the priorities set in the configuration, to check
the user credentials until the desired username and password match. This
is causing two main issues:
1. If the same username is part of two organizations, it causes a failure
even when correct credentials belonging to a later LDAP are passed to the
login/token API. Keycloak finds the same username in the first LDAP, sees
that the password is different and hence returns a failure.
2. Keycloak does not provide failover for LDAPs. Thus, if one of the
LDAP servers is down, authentication from all the successive LDAPs will
Can we instead have a solution where the user can specify his/her
organization's domain along with the username, so that Keycloak points
directly to that particular LDAP config and does not look into other LDAPs? This
would solve both of the above problems.
For example, we have the same username 'ajinkya.thakare' in two organizations'
domains, 'company1' and 'company2'. On the login page, if the user can provide
'ajinkya.thakare@company2', Keycloak should point to the LDAP config for
company2 only. Here issue 1 is solved, since the credentials for
'ajinkya.thakare' in company1's domain are never checked and hence do
not cause any failure for correct credentials from company2. Issue 2 is
also solved, since the LDAP server for company1 may be down sometimes, but we
are no longer concerned with that, and hence failover for LDAPs is enabled.
Please let me know if this can already be achieved by any means, or if
there is any workaround for it.
keycloak-dev mailing list
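The two lookup behaviours contrasted in the question above, as an added example that is not part of the thread and not Keycloak code: a small Python model in which `LdapConfig` objects stand in for User Federation entries (tenant names `company1`/`company2`, the priority field and the in-memory user tables are all constructed sample data). `sequential_login` reproduces the "first provider that knows the username decides" behaviour the poster describes, and `routed_login` shows the proposed `username@domain` routing, including the edge cases a practitioner would want handled: an unknown domain is rejected instead of falling back to a scan, and the split is on the last `@` so an e-mail-shaped username keeps its own `@`.

```python
"""Model of the two LDAP-federation lookup behaviours discussed above.

Constructed example, not Keycloak code: the LdapConfig objects stand in for
Keycloak's User Federation entries and hold a tiny in-memory user table.
"""
from dataclasses import dataclass


class LdapDown(Exception):
    """Raised when the modelled LDAP server for a tenant is unreachable."""


@dataclass
class LdapConfig:
    domain: str             # tenant identifier, e.g. "company1" (assumed naming)
    priority: int           # lower value is consulted first, like the federation priority setting
    users: dict             # username -> password; constructed sample data
    available: bool = True  # set to False to simulate an outage of this server

    def has_user(self, username):
        if not self.available:
            raise LdapDown(self.domain)
        return username in self.users

    def bind(self, username, password):
        if not self.available:
            raise LdapDown(self.domain)
        return self.users.get(username) == password


def sequential_login(configs, username, password):
    """Walk every provider in priority order; the first one that knows the
    username decides the outcome.  This reproduces both problems from the
    post: a duplicate username is resolved to the wrong tenant, and an
    outage of an earlier provider (LdapDown) blocks every later one."""
    for cfg in sorted(configs, key=lambda c: c.priority):
        if cfg.has_user(username):
            return cfg.bind(username, password)
    return False


def routed_login(configs, login, password):
    """Proposed behaviour: 'username@domain' selects exactly one provider.
    Split on the last '@' so an e-mail-shaped username keeps its own '@'.
    Unknown domains are rejected rather than falling back to a scan, so the
    suffix can only choose among configured tenants."""
    if "@" not in login:
        return False
    username, domain = login.rsplit("@", 1)
    by_domain = {cfg.domain.lower(): cfg for cfg in configs}
    cfg = by_domain.get(domain.lower())
    if cfg is None:
        return False
    return cfg.bind(username, password)


def sample_configs():
    """Two tenants sharing a username with different passwords (constructed)."""
    return [
        LdapConfig("company1", priority=0, users={"ajinkya.thakare": "pw-company1"}),
        LdapConfig("company2", priority=1, users={"ajinkya.thakare": "pw-company2"}),
    ]


def run_scenarios():
    """Return the outcome of the duplicate-username case and the outage case."""
    results = {}
    configs = sample_configs()
    # Issue 1: correct company2 credentials fail because company1 answers first.
    results["seq_dup"] = sequential_login(configs, "ajinkya.thakare", "pw-company2")
    results["routed_dup"] = routed_login(configs, "ajinkya.thakare@company2", "pw-company2")
    # Issue 2: company1 goes down; company2 users should be unaffected.
    configs[0].available = False
    try:
        sequential_login(configs, "ajinkya.thakare", "pw-company2")
        results["seq_outage"] = "login processed"
    except LdapDown as e:
        results["seq_outage"] = f"blocked by outage of {e}"
    results["routed_outage"] = routed_login(configs, "ajinkya.thakare@company2", "pw-company2")
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Running the script prints the four outcomes: the sequential model rejects the valid company2 password and is blocked entirely once company1 is down, while the routed model succeeds in both cases because it never contacts company1. The domain suffix is used only as a key into the configured tenants; a login with no suffix or an unrecognised suffix is rejected rather than silently scanned across every provider.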