[keycloak-user] migrate users from legacy user storage

Adrian Matei adrianmatei at gmail.com
Wed Sep 20 04:50:33 EDT 2017


Hi guys,

our Keycloak currently uses AD as the main user storage provider for
passwords. We need to bind a legacy User Storage Provider and locally
import the users in Keycloak.
I have used the strategy described in the Import Implementation Strategy
section
<https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html-single/server_developer_guide/#import_implementation_strategy>,
and was able to either:

   1. keep the password and username in legacy system and take care of
   synchronizations
   2. remove the federation and update the password in Keycloak DB in the
   overridden *CredentialInputValidator.isValid* method with code stolen
   from Keycloak own's *PasswordCredentialProvider*

For now I am in favour of the second option, but then it means there are
still *two* user password storages (AD and Keycloak DB)...

My question is whether the second approach sounds reasonable, or is there a
*third* way to "migrate" the password to Active Directory when the
validation is checked?

Cheers,
Adrian
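An added example, not code from this thread or from Keycloak's own sources, of the second option sketched above: a User Storage SPI provider that imports the user into the local DB on first lookup and, inside the overridden isValid, lets Keycloak hash and store the password locally once the legacy system has accepted it, then clears the federation link. The LegacyUserRepository interface, the class name and the Keycloak 3.x-era signatures used here (UserCredentialModel.getValue(), session.userCredentialManager(), the lookup method parameter order) are assumptions; check them against the Keycloak version in use.

```java
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.credential.CredentialModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.user.UserLookupProvider;

/**
 * Import-strategy provider (example, not Keycloak's own code): on first lookup
 * the user record is copied into Keycloak's local DB and linked to this
 * provider; on the first successful login the password is hashed into the
 * local DB by Keycloak's credential manager and the link is removed, so the
 * legacy store is no longer consulted for that user.
 */
public class LegacyMigratingStorageProvider
        implements UserStorageProvider, UserLookupProvider, CredentialInputValidator {

    /** Hypothetical client for the legacy system; not a Keycloak API. */
    public interface LegacyUserRepository {
        boolean exists(String username);
        String email(String username);
        /** Checks the cleartext password against the legacy store's own hash. */
        boolean verifyPassword(String username, String password);
    }

    private final KeycloakSession session;
    private final ComponentModel model;
    private final LegacyUserRepository legacy;

    public LegacyMigratingStorageProvider(KeycloakSession session, ComponentModel model,
                                          LegacyUserRepository legacy) {
        this.session = session;
        this.model = model;
        this.legacy = legacy;
    }

    @Override
    public UserModel getUserByUsername(String username, RealmModel realm) {
        UserModel local = session.userLocalStorage().getUserByUsername(username, realm);
        if (local != null) {
            return local;                       // already imported (or native)
        }
        if (!legacy.exists(username)) {
            return null;
        }
        // Import step: create the local record and link it to this provider so
        // that credential validation is routed here until migration completes.
        UserModel imported = session.userLocalStorage().addUser(realm, username);
        imported.setEnabled(true);
        imported.setEmail(legacy.email(username));
        imported.setFederationLink(model.getId());
        return imported;
    }

    @Override
    public UserModel getUserById(String id, RealmModel realm) {
        // Ids routed to this provider carry the external id inside a StorageId.
        return getUserByUsername(StorageId.externalId(id), realm);
    }

    @Override
    public UserModel getUserByEmail(String email, RealmModel realm) {
        return null;                            // legacy store is keyed by username here
    }

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return CredentialModel.PASSWORD.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        return supportsCredentialType(credentialType) && legacy.exists(user.getUsername());
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType()) || !(input instanceof UserCredentialModel)) {
            return false;
        }
        String password = ((UserCredentialModel) input).getValue();
        if (!legacy.verifyPassword(user.getUsername(), password)) {
            return false;                       // legacy store rejected it; nothing migrated
        }
        // Migration step: Keycloak hashes the password under the realm's password
        // policy and stores it in its own DB; the cleartext is never persisted.
        session.userCredentialManager().updateCredential(
                realm, user, UserCredentialModel.password(password));
        // Unlink so Keycloak's PasswordCredentialProvider handles future logins.
        user.setFederationLink(null);
        return true;
    }

    @Override
    public void close() {
        // no resources held in this example
    }
}
```

After the federation link is cleared, the user is an ordinary local account and the legacy store is only consulted for users that have not yet logged in, which is what leaves two password stores in play until every user has authenticated once. The provider still needs a UserStorageProviderFactory registered through META-INF/services as the developer guide describes.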

