I am sorry, but I forgot to mention in my mail that the client is running on an
EAP7 environment.
Original Question:
Currently in our application we use LDAP, and each LDAP role is mapped to
multiple CRUD permission roles within the application. For
example, the HUMAN_RESOURCE_DIRECTOR role in LDAP is mapped to CREATE_Employee,
Update_Employee, Read_Department, etc. We are adding these enumerated
roles by extending LdapExtLoginModule.
Now we are planning to switch to Keycloak (rh-sso). What is the best
approach to achieve this?
According to the issue
https://issues.jboss.org/browse/KEYCLOAK-1382 ,
it looks like extending LoginModule is not an option.
Also, so far I have tried to override the WildFly request authenticator but ran
into class-loading issues. Here are code snippets for the overridden
implementations:
package org.test.keycloak.adapters;

import io.undertow.servlet.api.DeploymentInfo;
import org.jboss.logging.Logger; // assumed logging API (getLogger(Class) form)
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.NodesRegistrationManagement;
import org.keycloak.adapters.undertow.KeycloakServletExtension;
import org.keycloak.adapters.undertow.ServletKeycloakAuthMech;
import org.keycloak.adapters.undertow.UndertowUserSessionManagement;
import org.keycloak.adapters.wildfly.WildflyKeycloakServletExtension;

public class CustomWildflyKeycloakServletExtension extends KeycloakServletExtension {

    protected static Logger log = Logger.getLogger(WildflyKeycloakServletExtension.class);

    // Hand the deployment our own auth mechanism instead of the stock WildFly one.
    @Override
    protected ServletKeycloakAuthMech createAuthenticationMechanism(
            DeploymentInfo deploymentInfo,
            AdapterDeploymentContext deploymentContext,
            UndertowUserSessionManagement userSessionManagement,
            NodesRegistrationManagement nodesRegistrationManagement) {
        log.info("Creating CustomWildflyKeycloakServletExtension");
        return new CustomWildflyAuthenticationMachanism(deploymentContext,
                userSessionManagement,
                nodesRegistrationManagement,
                deploymentInfo.getConfidentialPortManager(),
                getErrorPage(deploymentInfo));
    }
}
--------
package org.test.keycloak.adapters;

import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
import io.undertow.servlet.api.ConfidentialPortManager;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.NodesRegistrationManagement;
import org.keycloak.adapters.undertow.ServletRequestAuthenticator;
import org.keycloak.adapters.undertow.UndertowHttpFacade;
import org.keycloak.adapters.undertow.UndertowUserSessionManagement;
import org.keycloak.adapters.wildfly.WildflyAuthenticationMechanism;

public class CustomWildflyAuthenticationMachanism extends WildflyAuthenticationMechanism {

    public CustomWildflyAuthenticationMachanism(AdapterDeploymentContext deploymentContext,
            UndertowUserSessionManagement userSessionManagement,
            NodesRegistrationManagement nodesRegistrationManagement,
            ConfidentialPortManager portManager,
            String errorPage) {
        super(deploymentContext, userSessionManagement, nodesRegistrationManagement,
                portManager, errorPage);
    }

    // Build the custom request authenticator with the same inputs the base class uses.
    // getConfidentilPort is spelled as the adapter's base class spells it.
    @Override
    protected ServletRequestAuthenticator createRequestAuthenticator(
            KeycloakDeployment deployment,
            HttpServerExchange exchange,
            SecurityContext securityContext,
            UndertowHttpFacade facade) {
        int confidentialPort = getConfidentilPort(exchange);
        AdapterTokenStore tokenStore = getTokenStore(exchange, facade, deployment, securityContext);
        return new CustomWildflyRequestAuthenticator(facade, deployment, confidentialPort,
                securityContext, exchange, tokenStore);
    }
}
--------
package org.test.keycloak.adapters;

import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.wildfly.WildflyRequestAuthenticator;

public class CustomWildflyRequestAuthenticator extends WildflyRequestAuthenticator {

    public CustomWildflyRequestAuthenticator(HttpFacade facade,
            KeycloakDeployment deployment, int sslRedirectPort,
            SecurityContext securityContext, HttpServerExchange exchange,
            AdapterTokenStore tokenStore) {
        super(facade, deployment, sslRedirectPort, securityContext, exchange, tokenStore);
    }

    // Start from the role groups the adapter derives from the token, then extend them.
    @Override
    protected Group[] getRoleSets(Collection<String> roleSet) {
        ArrayList<Group> groups = new ArrayList<>(Arrays.asList(super.getRoleSets(roleSet)));
        // Planning to add client specific roles here.
        return groups.toArray(new Group[0]);
    }
}
But I ran into some class-loading issues [I have checked the modules that
were added as part of the adapter and see that all the jars exist]. I am not
sure what the issue could be here:
10:33:05,230 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 67) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./eligibility: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./eligibility: java.lang.NoClassDefFoundError: org/keycloak/adapters/spi/HttpFacade
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [rt.jar:1.8.0_131-1-redhat]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0_131-1-redhat]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_131-1-redhat]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_131-1-redhat]
    at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_131-1-redhat]
    at org.jboss.threads.JBossThread.run(JBossThread.java:320) [jboss-threads-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
Caused by: java.lang.NoClassDefFoundError: org/keycloak/adapters/spi/HttpFacade
    at org.test.keycloak.adapters.CustomWildflyKeycloakServletExtension.createAuthenticationMechanism(CustomWildflyKeycloakServletExtension.java:21)
    at org.keycloak.adapters.undertow.KeycloakServletExtension.handleDeployment(KeycloakServletExtension.java:144)
    at io.undertow.servlet.core.DeploymentManagerImpl.handleExtensions(DeploymentManagerImpl.java:252)
    at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:152)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.ClassNotFoundException: org.keycloak.adapters.spi.HttpFacade from [Module "deployment.eligibility.war:main" from Service Module Loader]
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:196) [jboss-modules.jar:1.5.3.Final-redhat-1]
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363) [jboss-modules.jar:1.5.3.Final-redhat-1]
    at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351) [jboss-modules.jar:1.5.3.Final-redhat-1]
    at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93) [jboss-modules.jar:1.5.3.Final-redhat-1]
    ... 12 more
The other option is to add a custom SPI implementation. But I wanted to make
sure that I am on the right path here.
Thank you very much and highly appreciate any help.
Thanks,
Ravi G.
On Feb 5, 2018 2:04 PM, "Ravi Kiran" <rkgunnam120(a)gmail.com> wrote:
Currently in our application we use LDAP, and each LDAP role is mapped to
multiple CRUD permission roles within the application. For example,
the HUMAN_RESOURCE_DIRECTOR role in LDAP is mapped to CREATE_Employee,
Update_Employee, Read_Department, etc. We are adding these enumerated
roles by extending LdapExtLoginModule.
Now we are planning to switch to Keycloak (rh-sso). What is the best
approach to achieve this?
According to the issue,
https://issues.jboss.org/browse/KEYCLOAK-1382,
it looks like extending LoginModule is not an option.
Thank you and appreciate it.
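The trace above says the class is unresolvable "from [Module "deployment.eligibility.war:main"]", that is, the deployment's own module cannot see the adapter module that ships org.keycloak.adapters.spi.HttpFacade, even though the jar is installed. On EAP 7 / WildFly a deployment only sees the modules it declares (or that a subsystem adds for it), so one standard way to make the adapter classes visible to custom code is a WEB-INF/jboss-deployment-structure.xml. The following is an added example, not part of the original post or of the Keycloak/RH-SSO project; the module names are assumed from the adapter's usual module layout and must be checked against the module.xml files under the adapter's add-on directory before use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/jboss-deployment-structure.xml
     Added example, not from the original post. Module names are assumed from the
     Keycloak/RH-SSO WildFly adapter layout; verify each against the module.xml
     files in the adapter add-on directory before relying on them. -->
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2">
    <deployment>
        <dependencies>
            <!-- org.keycloak.adapters.spi.HttpFacade, the class the trace cannot resolve -->
            <module name="org.keycloak.keycloak-adapter-spi"/>
            <!-- AdapterDeploymentContext, AdapterTokenStore, KeycloakDeployment,
                 NodesRegistrationManagement -->
            <module name="org.keycloak.keycloak-adapter-core"/>
            <!-- KeycloakServletExtension, ServletKeycloakAuthMech,
                 ServletRequestAuthenticator, UndertowHttpFacade,
                 UndertowUserSessionManagement -->
            <module name="org.keycloak.keycloak-undertow-adapter"/>
            <!-- WildflyAuthenticationMechanism, WildflyRequestAuthenticator,
                 WildflyKeycloakServletExtension -->
            <module name="org.keycloak.keycloak-wildfly-adapter"/>
        </dependencies>
    </deployment>
</jboss-deployment-structure>
```

A quick way to confirm which module a class actually lives in is to list the jars referenced by each module.xml in the adapter directory and check for the class file (for HttpFacade, org/keycloak/adapters/spi/HttpFacade.class) with jar tf or unzip -l. If the deployment is secured through the keycloak subsystem rather than a keycloak.json in the war, also check that it is actually registered as a secure-deployment there, since that registration is what normally causes the adapter modules to be attached to the deployment without an explicit dependency list.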