[keycloak-user] Clarifications regarding advanced authentications (LDAP, Kerberos, SAML)

Stian Thorgersen sthorger at redhat.com
Fri Nov 4 01:39:08 EDT 2016

On 3 November 2016 at 06:08, Michael Furman <michael_furman at hotmail.com>

> Hi all,
> I will happy for clarifications regarding advanced authentications (LDAP,
> Kerberos, SAML).
>   1.  Why Kerberos is "User Federation" but SAML is "Identity Provider"?
> Both are SSO protocols (I do understand difference between protocols but
> it is seamless from the user point of view).

Identity Brokering are for Web SSO IdPs. It works by redirecting the user.

User federation works by reading users from external sources.

Kerberos when used with LDAP is just an authenticator, but there's also a
federation provider so it can be used without LDAP in which case only the
username is available and the rest has to be filled in manually by the user.

> What is the difference between User Federation and Identity Provider in
> Keycloak?
> Will Keycloak import all users from the defined in "User Federation" into
> internal database?
>   2.  How I incorporate "User Federation" or "Identity Provider" into the
> authentication flow?
> I see that I can add "Identity Provider Redirector" but how I add "User
> Federation"?

Identity provider is a redirect and user has to click a button or you setup
the default one.

User federation works by looping through providers until a match for the
username is found.

>   3.  Regarding LDAP:  I have added LDAP User Federation.
> The "Test connection" and the "Test authentication" pass successfully but
> I can not authenticate LDAP users in UI.
> What I have missed?
> Should I add LDAP to the authentication flow?

You may not have configured it properly and it can't find the user within
LDAP. Test connection / authentication just checks that Keycloak can
connect to LDAP, not that it can find a specific user.

> Thank you in advance for your help.
> Michael
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list