It seems that ssoTotpValue is a custom LDAP attribute specific to your
LDAP schema? Does it contain the TOTP secret of a particular user?
What you can do is configure the UserAttribute LDAP mapper for your
LDAP provider for the attribute ssoTotpValue. Then you will see that
"ssoTotpValue" is in the user attributes of that user in Keycloak. So
that would be the first step.
Once that is working, it seems that you will need to add your own
implementation of credential storage for OTP. It seems that adding your
own UserCredentialStore implementation won't work for LDAP users ATM,
but you can likely add your own CredentialProvider for TOTP credentials.
You can create a subclass of OTPCredentialProvider and override some
methods (like onCache, for instance, where you can add your own
CredentialModel retrieved from the ssoTotpValue attribute of particular
Another alternative is to create your own OTPAuthenticator if you don't
manage to get the CredentialProvider working.
On 17/01/17 03:59, Liam Maruff wrote:
My organisation is transitioning from a legacy authentication
OpenID Connect using Keycloak. The current system stores TOTP data in an
LDAP store under a field named ssoTotpValue.
Is it possible for us to allow users to continue using their existing TOTP
configuration by mapping the ssoTotpValue from the existing LDAP store into
Keycloak? If not, what other mechanisms are available for us to accomplish
this goal?
keycloak-user mailing list
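A sketch of the CredentialProvider route suggested in the reply above, as an added example that is not code from this thread or from the Keycloak project. It assumes step one is done (the LDAP attribute is mapped to a Keycloak user attribute named ssoTotpValue via a UserAttribute LDAP mapper), that the legacy store keeps the TOTP seed Base32-encoded, and it uses assumed names for the package, class and provider id (com.example.legacytotp, LegacyLdapOtpCredentialProvider, legacy-ldap-otp). The Keycloak types it calls (OTPCredentialProvider, CredentialProviderFactory, TimeBasedOTP, Base32) are from Keycloak's credential and model SPI as of the 2.x releases current when this thread was written.

```java
// Added example; not from the thread or the Keycloak code base. Package, class
// and provider id are assumed. "ssoTotpValue" comes from the thread.
package com.example.legacytotp;

import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.CredentialProviderFactory;
import org.keycloak.credential.OTPCredentialProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.Base32;
import org.keycloak.models.utils.TimeBasedOTP;

public class LegacyLdapOtpCredentialProvider extends OTPCredentialProvider {

    /** Keycloak user attribute filled by the UserAttribute LDAP mapper (step one). */
    static final String LEGACY_ATTR = "ssoTotpValue";

    public LegacyLdapOtpCredentialProvider(KeycloakSession session) {
        super(session);
    }

    /** Raw legacy seed bytes for this user, or null when the attribute is absent/empty. */
    static byte[] legacySecret(UserModel user) {
        String encoded = user.getFirstAttribute(LEGACY_ATTR);
        if (encoded == null || encoded.trim().isEmpty()) return null;
        // ASSUMPTION: the legacy store holds the seed Base32-encoded, as most
        // otpauth:// enrolments do. Swap the decoder if your schema uses hex or raw bytes.
        return Base32.decode(encoded.trim());
    }

    /** Report OTP as configured for legacy users, so the flow does not force re-enrolment. */
    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        if (CredentialModel.TOTP.equals(credentialType) && legacySecret(user) != null) return true;
        return super.isConfiguredFor(realm, user, credentialType);
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        // Native Keycloak-stored TOTP first (users who re-enrol after the migration).
        if (super.isValid(realm, user, input)) return true;
        if (!(input instanceof UserCredentialModel)) return false;
        String token = ((UserCredentialModel) input).getValue();
        byte[] secret = legacySecret(user);
        if (token == null || secret == null) return false;

        // Validate against the raw legacy seed without round-tripping it through a
        // CredentialModel String value, which would corrupt non-ASCII seed bytes.
        // The realm OTP policy supplies algorithm/digits/period; it must match what
        // the legacy system issued (typically HmacSHA1, 6 digits, 30 s) or every
        // code will be rejected.
        OTPPolicy policy = realm.getOTPPolicy();
        TimeBasedOTP totp = new TimeBasedOTP(policy.getAlgorithm(), policy.getDigits(),
                policy.getPeriod(), policy.getLookAheadWindow());
        return totp.validateTOTP(token, secret);
    }

    /** Factory registered through META-INF/services (see the note below). */
    public static class Factory implements CredentialProviderFactory<LegacyLdapOtpCredentialProvider> {
        @Override
        public String getId() {
            return "legacy-ldap-otp"; // assumed provider id
        }

        @Override
        public LegacyLdapOtpCredentialProvider create(KeycloakSession session) {
            return new LegacyLdapOtpCredentialProvider(session);
        }
    }
}
```

To activate it, package the class in a provider JAR and list the fully qualified factory class name in META-INF/services/org.keycloak.credential.CredentialProviderFactory; Keycloak consults every registered provider that supports the "totp" credential type, so the built-in provider keeps working alongside this one. Two caveats worth checking before going live: once ssoTotpValue is mapped into user attributes, the seed is readable in the admin console's Attributes tab and could be copied into tokens by a carelessly configured User Attribute protocol mapper, so restrict admin access and audit mappers; and if the legacy system used a different algorithm, digit count or period than the realm OTP policy, the realm policy has to be changed to match, since the validator takes those parameters from the policy rather than from the stored secret.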