Funny, the application I am talking about is Gatein/eXo actually :)
Thanks for your answers Marek.
Looks like replacing Picketlink by Keycloak will not be as straight forward
as I initially thought. It will require architecture changes, will impact
configuration, custom developments and will require data migration if we
want to use it.
On 7 Aug 2017 12:53, "Marek Posolda" <mposolda(a)redhat.com> wrote:
Glad that someone is still using PicketLink 1.4. It reminds me of some old
days when I was working on GateIn Portal, which was using PicketLink 1.4
:) But I agree that it is good to migrate :) Answers inline.
On 07/08/17 11:07, Thomas DELHOMENIE wrote:
Hello,
We currently use PicketLink (in a quite old version: 1.4), especially the
IDM part. As PicketLink is a dead project, we are evaluating alternative
solutions, which naturally led us to Keycloak. I have some questions:
* I understand that Keycloak must be run as a server, but isn't there a way
to embed only the User Federation capability in an application (so not in
server mode)? We basically need to be able to manage users/groups,
aggregate them from multiple sources (LDAP, AD, custom data store, ...) and
expose them in our API. That's what we did with PicketLink IDM, but I am
not sure it is feasible with Keycloak.
Not directly. Keycloak is meant to be used as a server and do it for you.
Once a user successfully authenticates, the details are available in his
access token. The application doesn't know which source (LDAP server) this
info came from; it's not the responsibility of the application. Also,
Keycloak has an admin REST API, which allows you to search for users and
return corresponding JSON objects with user details. We have a nice admin
client, which allows you to easily execute this REST API from a Java
application.
* We provide the capability for the administrators of our application to
configure their user and group storages, by configuration. Is it still
possible with Keycloak, or can this only be done via the admin console?
We have an admin REST API, and everything that is doable in the Keycloak admin
console can also be done through the admin REST API. In the latest 3.2.1 version
there is a more fine-grained admin permissions model, which should allow you
to specify permissions for admins in a more fine-grained way if needed.
Marek
Regards,
Thomas
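An added example (not from this thread or the Keycloak project) of the admin-client usage Marek describes: a Java program that searches users and lists their group memberships through the admin REST API. The server URL, realm name and the account used to authenticate are assumed placeholders.

```java
import java.util.List;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class UserDirectoryLookup {

    // Hypothetical values: replace with your own server URL and realms.
    private static final String SERVER_URL = "https://sso.example.com/auth";
    private static final String REALM = "myrealm";       // realm whose users/groups are queried
    private static final String ADMIN_REALM = "master";  // realm the querying account lives in

    private final Keycloak keycloak;

    public UserDirectoryLookup(String user, String password) {
        // Obtains a token with the password grant via the built-in "admin-cli"
        // client and reuses it for every REST call. Prefer a dedicated account
        // holding only the realm-management roles needed (e.g. view-users)
        // rather than a full administrator.
        this.keycloak = KeycloakBuilder.builder()
                .serverUrl(SERVER_URL)
                .realm(ADMIN_REALM)
                .username(user)
                .password(password)
                .clientId("admin-cli")
                .build();
    }

    /** Searches users across all federation providers; the origin store is not exposed. */
    public List<UserRepresentation> findUsers(String term, int first, int max) {
        RealmResource realm = keycloak.realm(REALM);
        return realm.users().search(term, first, max);
    }

    /** Groups the given user (by Keycloak user id) is a member of. */
    public List<GroupRepresentation> groupsOf(String userId) {
        return keycloak.realm(REALM).users().get(userId).groups();
    }

    public static void main(String[] args) {
        UserDirectoryLookup lookup = new UserDirectoryLookup(args[0], args[1]);
        for (UserRepresentation u : lookup.findUsers("smith", 0, 20)) {
            System.out.println(u.getUsername() + " <" + u.getEmail() + ">");
            for (GroupRepresentation g : lookup.groupsOf(u.getId())) {
                System.out.println("  member of " + g.getPath());
            }
        }
    }
}
```

Requires the `keycloak-admin-client` artifact on the classpath; on Keycloak 3.2.x the same calls map to `GET /admin/realms/{realm}/users?search=...` and `GET /admin/realms/{realm}/users/{id}/groups`.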
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user