[keycloak-user] Clarifications regarding advanced authentications (LDAP, Kerberos, SAML)

Michael Furman michael_furman at hotmail.com
Fri Nov 11 06:31:15 EST 2016

Hi Stian,
I will be happy for additional clarifications:

  1.  Is it possible to perform only authentication against LDAP?
Just provide user name and password and Keycloak authenticates it against LDAP.
  2.  Where is the LDAP user password stored? In the Keycloak DB? In LDAP?
  3.  Is it possible to use LDAP User Federation with other types of authentication?
For example with an additional user provider?

From: Stian Thorgersen <sthorger at redhat.com>
Sent: Friday, November 4, 2016 7:39 AM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Clarifications regarding advanced authentications (LDAP, Kerberos, SAML)

On 3 November 2016 at 06:08, Michael Furman <michael_furman at hotmail.com> wrote:
Hi all,
I will be happy for clarifications regarding advanced authentications (LDAP, Kerberos, SAML).

  1.  Why is Kerberos "User Federation" but SAML an "Identity Provider"?
Both are SSO protocols (I do understand the difference between the protocols, but it is seamless from the user's point of view).

Identity brokering is for Web SSO IdPs. It works by redirecting the user.

User federation works by reading users from external sources.

Kerberos when used with LDAP is just an authenticator, but there's also a federation provider so it can be used without LDAP in which case only the username is available and the rest has to be filled in manually by the user.

What is the difference between User Federation and Identity Provider in Keycloak?
Will Keycloak import all users from the sources defined in "User Federation" into the internal database?

  2.  How do I incorporate "User Federation" or "Identity Provider" into the authentication flow?
I see that I can add "Identity Provider Redirector", but how do I add "User Federation"?

An identity provider is a redirect, and the user has to click a button, or you set up a default one.

User federation works by looping through providers until a match for the username is found.

  3.  Regarding LDAP:  I have added LDAP User Federation.
The "Test connection" and the "Test authentication" pass successfully, but I cannot authenticate LDAP users in the UI.
What I have missed?
Should I add LDAP to the authentication flow?

You may not have configured it properly and it can't find the user within LDAP. Test connection / authentication just checks that Keycloak can connect to LDAP, not that it can find a specific user.

Thank you in advance for your help.

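The point Stian makes in his last answer (the LDAP test buttons only prove that Keycloak can connect and bind, not that a given login name is findable) is easy to see with a small offline model. The following is an added example, not code from this thread and not Keycloak's own implementation: it approximates how a Keycloak-style LDAP federation provider composes its user search from the "Users DN", "Username LDAP attribute", "User Object Classes", "Search Scope" and custom filter settings, and runs it against a constructed, Active-Directory-flavoured sample tree. The exact filter Keycloak builds is an assumption (the shape (&(<attr>=<user>)(objectClass=...)...) plus the custom filter); the entries, DNs and passwords are made up for the example. It also escapes the typed username per RFC 4515 so that login-form input cannot inject filter syntax.

```python
"""Offline model of a Keycloak-style LDAP federation lookup (added example).

Shows why "Test connection"/"Test authentication" (a bind as the Bind DN)
can pass while user login fails: login needs a *search* under Users DN that
matches the entry, which depends on username attribute, object classes,
search scope and any custom filter.  Directory and settings are constructed.
"""
import re


def escape_filter_value(value):
    """RFC 4515 escaping so a username from the login form cannot inject
    filter syntax such as '*' or ')'."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def _unescape(piece):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _norm_dn(dn):
    # Naive DN normalisation (no escaped commas): lower-case, trim RDN spaces.
    return ",".join(p.strip() for p in dn.split(",")).lower()


def _parse(s, i):
    """Recursive-descent parser for the filter subset &, |, !, = (with '*')."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1            # skip the closing ')'
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", [node]), i + 1
    j = s.index(")", i)
    attr, _, raw = s[i:j].partition("=")
    # An unescaped '*' is a wildcard; an escaped one ('\2a') stays literal.
    pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
    return ("=", attr.lower(), re.compile("^%s$" % pattern, re.I)), j + 1


def _matches(node, attrs):
    kind = node[0]
    if kind == "&":
        return all(_matches(k, attrs) for k in node[1])
    if kind == "|":
        return any(_matches(k, attrs) for k in node[1])
    if kind == "!":
        return not _matches(node[1][0], attrs)
    _, attr, rx = node
    return any(rx.match(v) for v in attrs.get(attr, ()))


def _in_scope(dn, base, subtree):
    dn, base = _norm_dn(dn), _norm_dn(base)
    if not dn.endswith("," + base):
        return False
    # "One Level" scope: exactly one RDN below the base.
    return subtree or "," not in dn[: -len(base) - 1]


def search(directory, base_dn, ldap_filter, subtree=True):
    """Return the DNs under base_dn whose attributes satisfy ldap_filter."""
    tree, end = _parse(ldap_filter, 0)
    if end != len(ldap_filter):
        raise ValueError("trailing data in filter")
    return [dn for dn, attrs in directory.items()
            if _in_scope(dn, base_dn, subtree) and _matches(tree, attrs)]


def simple_bind(directory, dn, password):
    """What 'Test authentication' exercises: a bind as the configured Bind DN.
    It says nothing about whether end users are findable."""
    for entry_dn, attrs in directory.items():
        if _norm_dn(entry_dn) == _norm_dn(dn):
            return password in attrs.get("userpassword", ())
    return False


def build_user_filter(cfg, username):
    """Assumed shape of the provider's user lookup filter."""
    parts = ["(%s=%s)" % (cfg["username_attr"], escape_filter_value(username))]
    parts += ["(objectClass=%s)" % oc for oc in cfg["object_classes"]]
    if cfg.get("custom_filter"):
        parts.append(cfg["custom_filter"])
    return "(&%s)" % "".join(parts)


def find_user(directory, cfg, username, subtree=True):
    """The lookup a federation provider performs at login time."""
    return search(directory, cfg["users_dn"], build_user_filter(cfg, username), subtree)


def _entry(**attrs):
    # LDAP attribute names are case-insensitive; store them lower-cased.
    return {k.lower(): tuple(v) if isinstance(v, (list, tuple)) else (v,)
            for k, v in attrs.items()}


DIRECTORY = {  # constructed sample data, AD-style schema
    "CN=keycloak,OU=Service,DC=example,DC=com": _entry(
        objectClass=["top", "person", "user"], sAMAccountName="keycloak",
        userPassword="bind-s3cret"),
    "CN=Alice Example,OU=People,DC=example,DC=com": _entry(
        objectClass=["top", "person", "organizationalPerson", "user"],
        sAMAccountName="alice", mail="alice@example.com"),
    "CN=Bob Builder,OU=Contractors,OU=People,DC=example,DC=com": _entry(
        objectClass=["top", "person", "organizationalPerson", "user"],
        sAMAccountName="bob"),
}

# OpenLDAP-flavoured settings (uid / inetOrgPerson) pointed at the AD-style tree:
WRONG_CFG = {"users_dn": "OU=People,DC=example,DC=com", "username_attr": "uid",
             "object_classes": ["inetOrgPerson", "organizationalPerson"]}
# Settings that actually match the directory above:
RIGHT_CFG = {"users_dn": "OU=People,DC=example,DC=com", "username_attr": "sAMAccountName",
             "object_classes": ["person", "organizationalPerson", "user"]}

if __name__ == "__main__":
    svc = "CN=keycloak,OU=Service,DC=example,DC=com"
    print("bind as service account   :", simple_bind(DIRECTORY, svc, "bind-s3cret"))
    print("alice, OpenLDAP defaults  :", find_user(DIRECTORY, WRONG_CFG, "alice"))
    print("alice, AD settings        :", find_user(DIRECTORY, RIGHT_CFG, "alice"))
    print("bob, one level / subtree  :", find_user(DIRECTORY, RIGHT_CFG, "bob", subtree=False),
          find_user(DIRECTORY, RIGHT_CFG, "bob"))
    print("login name '*' (escaped)  :", find_user(DIRECTORY, RIGHT_CFG, "*"))
```

Running it, the service-account bind succeeds in both configurations (that is all the test buttons prove), yet "alice" is only found once the username attribute and object classes match the schema, and "bob" is only found with subtree scope because he sits one OU deeper. The same reproduction in a real deployment is an ldapsearch with the configured Bind DN, base set to the Users DN, and the filter printed by build_user_filter; if that returns nothing, Keycloak will not find the user either.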