[keycloak-dev] Specifying LDAP/AD domain in login/token endpoint

Stian Thorgersen sthorger at redhat.com
Tue Sep 24 04:37:38 EDT 2019


The developer mailing list is purely to discuss development and
contributions to Keycloak. Please don't use it for questions and help.

On Mon, 23 Sep 2019, 23:48 Ajinkya Thakare, <Ajinkya.Thakare at veritas.com>
wrote:

> Hi all,
>
> Apologies for sending this to the developer’s mailing list. But I was not
> getting any reply in the user’s list for a few weeks and decided to see if
> I can get any help from here.
>
> I have a multi-tenant SSO use-case where a set of applications can be used
> by multiple organizations with their own LDAP/AD configurations. I am
> trying to secure those applications using Keycloak and have been pretty much
> successful in doing so by adding individual organizations’ LDAP configs in
> the User Federation tab.
>
> However, I observed that for authentication from LDAPs, Keycloak goes
> through all the LDAP configs added one by one, either by the order of their
> addition in Keycloak or by the priorities set in configuration, to check
> for the user credential until the desired username and password match. This
> is causing two main issues –
>
>
>   1.  If the same username is part of two organizations, it causes failure
> even when correct credentials belonging to a later LDAP are passed to the
> login/token API. Keycloak finds the same username in the first LDAP, sees
> that the password is different, and hence returns failure.
>   2.  Keycloak does not provide failover for LDAPs. Thus, if one of the
> LDAP servers is down, authentication from all the successive LDAPs will
> fail.
>
> Can we instead have a solution where the user can specify his/her
> organization’s domain along with the username, so that Keycloak points
> directly to that particular LDAP config and does not look into other LDAPs?
> This will solve both of the above problems.
>
> For example, we have the same username ‘ajinkya.thakare’ in two organizations’
> domains ‘company1’ and ‘company2’. On the login page, if the user can provide
> ‘ajinkya.thakare@company2’, Keycloak should point to the LDAP config for
> company2 only. Here issue 1 is solved since the credentials for
> ‘ajinkya.thakare’ in company1’s domain are not checked at any time and hence
> do not cause any failure for correct credentials from company2. Issue 2 is
> also solved since the LDAP server for company1 may be down sometimes, but we
> are not concerned with that anymore, which effectively gives us failover for LDAPs.
>
> Please let me know if this can already be achieved by any means, or if
> there is any workaround for the same.
>
> Regards,
> Ajinkya Thakare
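The two failure modes described in the quoted message, modelled as an added Python simulation. This is not Keycloak code and uses none of its APIs: the `LdapProvider` class is a toy stand-in for one User Federation entry (with constructed sample users and plaintext passwords purely for the simulation), `authenticate_sequential` mimics the priority-ordered walk the message describes, and `authenticate_routed` is a hypothetical domain-routed lookup of the kind the message asks for, not an existing Keycloak feature.

```python
"""Toy model of multi-tenant LDAP federation: sequential walk vs. domain routing.

Added example, not Keycloak's own code. Tenant names, users and passwords
below are constructed sample data.
"""
from dataclasses import dataclass


class DirectoryUnavailable(Exception):
    """Raised when a simulated LDAP server cannot be reached."""


@dataclass
class LdapProvider:
    """Stand-in for one User Federation entry (one tenant's directory)."""
    domain: str
    priority: int
    users: dict          # username -> password (toy data; a real server binds)
    online: bool = True

    def validate(self, username, password):
        """True/False for a known user, None when the user is not in this directory."""
        if not self.online:
            raise DirectoryUnavailable(self.domain)
        if username not in self.users:
            return None
        return self.users[username] == password


def authenticate_sequential(providers, username, password):
    """Behaviour as described in the thread: walk providers by priority and
    stop at the first directory that knows the username. A directory that is
    down aborts the whole walk (DirectoryUnavailable propagates)."""
    for provider in sorted(providers, key=lambda p: p.priority):
        result = provider.validate(username, password)
        if result is not None:
            return result
    return False


def split_login(login):
    """Split 'user@domain' into (user, domain); domain is None when absent."""
    user, sep, domain = login.rpartition("@")
    if not sep:
        return login, None
    return user, domain.lower()


def authenticate_routed(providers, login, password):
    """Hypothetical domain-routed lookup: the domain suffix selects exactly one
    provider. A missing or unknown domain fails closed instead of falling back
    to scanning every directory, which would reintroduce the collision."""
    username, domain = split_login(login)
    if domain is None:
        return False
    provider = {p.domain: p for p in providers}.get(domain)
    if provider is None:
        return False
    return bool(provider.validate(username, password))


def build_providers(company1_online=True):
    """Two tenants sharing a username, as in the message (constructed data)."""
    return [
        LdapProvider("company1", 0, {"ajinkya.thakare": "pw-one"}, online=company1_online),
        LdapProvider("company2", 1, {"ajinkya.thakare": "pw-two"}),
    ]


if __name__ == "__main__":
    # Issue 1: correct company2 password rejected by the sequential walk.
    print("sequential, company2 password:",
          authenticate_sequential(build_providers(), "ajinkya.thakare", "pw-two"))
    print("routed, company2 password:",
          authenticate_routed(build_providers(), "ajinkya.thakare@company2", "pw-two"))
    # Issue 2: company1 down takes the sequential walk down with it.
    try:
        authenticate_sequential(build_providers(company1_online=False), "ajinkya.thakare", "pw-two")
    except DirectoryUnavailable as exc:
        print("sequential, company1 down: DirectoryUnavailable", exc)
    print("routed, company1 down:",
          authenticate_routed(build_providers(company1_online=False), "ajinkya.thakare@company2", "pw-two"))
```

The design point to keep if something like this were implemented for real is the fail-closed branch in `authenticate_routed`: if an unknown or missing domain silently fell back to the sequential walk, the shared-username collision would return, and the submitted password would again be bound against each tenant's directory in turn, which is exactly what the sequential behaviour in the message does.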