[keycloak-user] migrate users from legacy user storage
Adrian Matei
adrianmatei at gmail.com
Wed Sep 20 04:50:33 EDT 2017
Hi guys,
our Keycloak currently uses AD as the main user storage provider for
passwords. We need to bind a legacy User Storage Provider and locally
import the users into Keycloak.
I have used the strategy described in the Import Implementation Strategy
section
<https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html-single/server_developer_guide/#import_implementation_strategy>,
and was able to either:
1. keep the password and username in legacy system and take care of
synchronizations
2. remove the federation and update the password in the Keycloak DB in the
overridden *CredentialInputValidator.isValid* method with code stolen
from Keycloak's own *PasswordCredentialProvider*
For now I am in favour of the second option, but then it means there are
still *two* user password stores (AD and Keycloak DB)...
My question is whether the second approach sounds reasonable, or is there a
*third* way to "migrate" the password to Active Directory when the
validation is checked?
Cheers,
Adrian
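For readers following the thread, here is a worked sketch of option 2 above (import strategy plus migrate-on-first-successful-login). It is an added example and not the poster's code or anything from the Keycloak project; `LegacyPasswordStore` is a hypothetical client for the legacy system, and instead of copying hashing code out of `PasswordCredentialProvider` it hands the cleartext to `session.userCredentialManager().updateCredential(...)`, which routes through the realm's registered password provider and hash policy. The Keycloak SPI signatures used are those of the 2.5/3.x line that RH-SSO 7.1 is built on.

```java
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.credential.CredentialModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.user.UserLookupProvider;

/** Hypothetical client for the legacy system (assumption: keyed by username, verifies its own hashes). */
interface LegacyPasswordStore {
    boolean userExists(String username);
    boolean checkPassword(String username, String password);
}

public class LegacyMigrationStorageProvider
        implements UserStorageProvider, UserLookupProvider, CredentialInputValidator {

    private final KeycloakSession session;
    private final ComponentModel model;
    private final LegacyPasswordStore legacy;

    public LegacyMigrationStorageProvider(KeycloakSession session, ComponentModel model,
                                          LegacyPasswordStore legacy) {
        this.session = session;
        this.model = model;
        this.legacy = legacy;
    }

    // Import strategy: the user row is created in Keycloak's local DB on first lookup,
    // but stays linked to this provider so isValid() below is consulted for the password.
    @Override
    public UserModel getUserByUsername(String username, RealmModel realm) {
        UserModel local = session.userLocalStorage().getUserByUsername(username, realm);
        if (local != null) return local;
        if (!legacy.userExists(username)) return null;
        local = session.userLocalStorage().addUser(realm, username);
        local.setEnabled(true);
        local.setFederationLink(model.getId());
        return local;
    }

    @Override
    public UserModel getUserById(String id, RealmModel realm) {
        // Imported users live in local storage; nothing to resolve against the legacy store.
        return session.userLocalStorage().getUserById(id, realm);
    }

    @Override
    public UserModel getUserByEmail(String email, RealmModel realm) {
        return null; // assumption: the legacy store has no e-mail lookup
    }

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return CredentialModel.PASSWORD.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        return supportsCredentialType(credentialType) && legacy.userExists(user.getUsername());
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType()) || !(input instanceof UserCredentialModel)) return false;
        String password = ((UserCredentialModel) input).getValue();
        if (!legacy.checkPassword(user.getUsername(), password)) return false;

        // The legacy system accepted the cleartext, so this is the one moment Keycloak holds it:
        // store it under the realm's own hash policy via the registered password provider,
        // then drop the federation link so every later login is served by Keycloak alone.
        session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password(password));
        user.setFederationLink(null);
        return true;
    }

    @Override public void preRemove(RealmModel realm) {}
    @Override public void preRemove(RealmModel realm, GroupModel group) {}
    @Override public void preRemove(RealmModel realm, RoleModel role) {}
    @Override public void close() {}
}
```

The provider is registered the usual way (a `UserStorageProviderFactory` listed in `META-INF/services`, not shown). Two caveats follow from the design: a password is migrated only when its owner actually logs in with it, so accounts that never log in remain in the legacy store and need a separate plan, and once `setFederationLink(null)` has run, disabling or deleting the account in the legacy system no longer has any effect on the Keycloak user.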