[keycloak-dev] Specifying LDAP/AD domain in login/token endpoint

Ajinkya Thakare Ajinkya.Thakare at veritas.com
Mon Sep 23 17:46:34 EDT 2019


Hi all,

Apologies for sending this to the developers' mailing list, but I have not been getting any reply on the users' list for a few weeks and decided to see if I can get any help from here.

I have a multi-tenant SSO use case where a set of applications can be used by multiple organizations, each with its own LDAP/AD configuration. I am trying to secure those applications using Keycloak and have been pretty much successful in doing so by adding each organization's LDAP config in the User Federation tab.

However, I observed that for authentication against LDAP, Keycloak goes through all the added LDAP configs one by one, either in the order they were added in Keycloak or by the priorities set in the configuration, checking the user credentials until the desired username and password match. This is causing two main issues:


  1.  If the same username is part of two organizations, it causes a failure even when correct credentials belonging to a later LDAP are passed to the login/token API. Keycloak finds the same username in the first LDAP, sees that the password is different, and hence returns a failure.
  2.  Keycloak does not provide failover for LDAPs. Thus, if one of the LDAP servers is down, authentication against all the subsequent LDAPs will fail.

Could we instead have a solution where a user can specify his/her organization's domain along with the username, so that Keycloak goes directly to that particular LDAP config and does not look into the other LDAPs? This would solve both of the above problems.

For example, we have the same username 'ajinkya.thakare' in two organizations' domains, 'company1' and 'company2'. On the login page, if the user can provide 'ajinkya.thakare@company2', Keycloak should consult the LDAP config for company2 only. Issue 1 is solved, since the credentials for 'ajinkya.thakare' in company1's domain are never checked and hence cannot cause a failure for correct credentials from company2. Issue 2 is also solved, since the LDAP server for company1 may be down at times, but we are no longer concerned with that, which effectively gives us failover for LDAPs.

Please let me know if this can already be achieved by any means, or if there is any workaround for it.

Regards,
Ajinkya Thakare
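The two lookup strategies contrasted in the post, as an added toy model that is not Keycloak code: `login_sequential` reproduces the priority-ordered walk the post describes (the first provider that knows the username decides, and an unreachable provider aborts the whole walk), while `login_routed` consults only the directory named after the `@` in the login. The directories, usernames and passwords are constructed stand-ins for the real LDAP bind checks.

```python
"""Toy model of the two LDAP lookup strategies discussed in the post."""
from dataclasses import dataclass, field


class DirectoryUnavailable(Exception):
    """Raised when a simulated LDAP server cannot be contacted."""


@dataclass(order=True)
class Directory:
    priority: int                      # lower value is consulted first
    domain: str = field(compare=False)
    users: dict = field(compare=False)  # constructed username -> password map
    reachable: bool = field(compare=False, default=True)

    def find(self, username):
        """Stand-in for a bind/search against this directory."""
        if not self.reachable:
            raise DirectoryUnavailable(self.domain)
        return self.users.get(username)


def login_sequential(directories, username, password):
    """Walk providers in priority order; the first one that knows the
    username decides the outcome (the behaviour the post describes)."""
    for d in sorted(directories):
        stored = d.find(username)        # a down server aborts the walk
        if stored is not None:
            return stored == password
    return False


def login_routed(directories, login, password):
    """Require 'user@domain' and consult only that domain's directory."""
    if "@" not in login:
        return False
    username, domain = login.rsplit("@", 1)
    d = {x.domain: x for x in directories}.get(domain)
    if d is None:
        return False
    stored = d.find(username)
    return stored is not None and stored == password


def outcome(strategy, directories, login, password):
    """Classify an attempt so the two strategies can be compared side by side."""
    try:
        return "accepted" if strategy(directories, login, password) else "denied"
    except DirectoryUnavailable as exc:
        return f"unavailable:{exc}"
```

Running both strategies over a pair of directories that share the username shows the sequential walk denying valid company2 credentials (and failing outright when company1 is down), while the routed lookup never touches company1.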

