> I am looking to use KeyCloak backed by an AD server.
> Can I check a few things that I understand are correct.
>
> 1) Using the User Federation SPI I import the following from ActiveDirectory into the KeyCloak database: first name, surname, email, username and password.

By default you are importing first name, surname, email and username. You can import more attributes by creating additional LDAP mappers. But no password is imported from MSAD to the Keycloak DB.

> 2) Password checks are made against the Keycloak database and not the ActiveDirectory system

No, password checks are made against ActiveDirectory. Just if you have editMode UNSYNCED and you change the password of the user (or he changes it himself in account management), then the new password will be saved into Keycloak DB and will be used in favor of the old password from MSAD.

> 3) Enabling Kerberos authentication will allow me to do passwordless login using my web browser from my windows box

Yes. See our Kerberos documentation for more details [1].

> Hope I am not too far from the mark
>
> Chris
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user