[keycloak-dev] User prinicipal name with multiple backend MSAD servers

Marek Posolda mposolda at redhat.com
Wed Jan 10 03:26:48 EST 2018

Yes, it's possible that we need some more flexibility here. Feel free to 
create JIRA for better support this, but not sure when it's fixed. For 
the meantime, yes. You can create your own provider.


On 09/01/18 19:44, Mariusz Godlewski wrote:
> Hello,
> I'm considering deployement of Keycloak serving as an OAuth2 / Open ID
> provider for users managed in multiple MS Active Directory and Active
> Directory Lightweight services. For internal desktop users Kerberos should
> be used to prevent credentials re-entry following log-on to domain-joined
> computer.
> The tricky part is that usernames are considered to be unique only withing
> single AD domain, so username 'godlewsm' can exists both in Kerberos realm
> ACMEPL.LOCAL AND ACMECZ.LOCAL. For LDAP storage provider (
> https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProvider.java#L684
> )
> there is assumption that only username part of principal name would be used
> further, which prevents distinguishing accounts properly.
> Is there plan to change this behaviour or the only way would be implement a
> custom UserStorageProvider based on LDAPStorageProvider ?
> Best regards,
> Mariusz Godlewski
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list