Hi all,
I have a multi-tenant SSO use-case where a set of application can be used by multiple
organizations with their owns LDAP/AD configurations. I am trying to secure those
applications using Keycloak and pretty much successful in doing so by adding individual
organization’s LDAP configs in User Federation tab.
However, I observed that for authentication from LDAPs, keycloak goes through all the LDAP
configs added one by one, either by the order of their addition in Keycloak or by the
priorities set in configuration, to check for the user credential until desired username
and password matches. This is causing two main issues –
1. If same username is part of two organizations, it causes failure even when correct
credentials belonging in a later LDAP are passed to the login/token API. Keycloak finds
the same username in the first LDAP and sees the password is different and hence returns
failure.
2. Keycloak does not provide failover for LDAPs. Thus, if one of the LDAP servers is
down, authentication from all the successive LDAPs will fail.
Can we instead have a solution where user can specify his/her organization’s domain along
with the username, so that keycloak points directly to that particular LDAP config and not
look into other LDAPs. This will solve both of the above problems.
For example, we have same username ‘ajinkya.thakare’ in two organization’s domains
‘company1’ and ‘company2’. On the login page, if user can provide
‘ajinkya.thakare@company2’, keycloak should point to the LDAP config for company2 only.
Here issue 1 is solved since the credentials for ‘ajinkya.thakare’ in company1’s domain
are not checked anytime and hence not causing any failure for correct credentials from
company2. Issue 2 is also solved since LDAP server for company 1 may be down sometimes,
but we are not concerned with that anymore and hence enabling failover for LDAPs.
Please let me know if this can be already achieved by any means. Or if there is any
workaround for the same.
Regards,
Ajinkya Thakare