Keycloak supports LDAP and Active Directory out of the box, enabling rapid integration with these popular directories. For other types of databases or custom user data solutions, Keycloak provides a User Storage SPI (Service Provider Interface), allowing developers to create custom plugins that can connect Keycloak to virtually any data source. This blog will walk through the steps and best practices for setting up and configuring user storage federation in Keycloak.
How User Storage Federation Works
Keycloak's user federation functionality follows a straightforward process that enhances flexibility in user authentication.
- Login Process : When a user attempts to log in, Keycloak first checks its internal user store to see if the user exists locally.
- Federation Process : If Keycloak doesn’t find the user in its internal store, it automatically moves through each configured external User Storage provider associated with that realm until it finds a matching user.
- Data Mapping : Data retrieved from external sources is transformed into a standardized format, or "common user model," which Keycloak can easily interpret. This standard model can then be used to generate OpenID Connect (OIDC) token claims and SAML assertion attributes for applications that rely on Keycloak for authentication.
Handling Missing Data in External Stores
External user databases may not always contain all the attributes that Keycloak requires for its features. In these cases, Keycloak allows for flexible handling of missing data. The User Storage Provider can be configured to store specific data locally within Keycloak. This enables Keycloak to retain essential user attributes and extend functionality without altering the external database. Some storage providers support syncing, allowing Keycloak to import users from an external database periodically. This feature is helpful in scenarios where Keycloak needs to update user data frequently. If the external store lacks support for features like one-time passwords (OTP), Keycloak can manage and store this information locally, assuming the storage provider supports such configurations.
Adding a User Storage Provider in Keycloak
Adding a storage provider in Keycloak is an easy process that allows administrators to quickly set up connections with external data sources.
- Open the Keycloak Admin Console.
- From the left sidebar, select the User Federation menu item.
Add a New Provider :
- On the User Federation page, locate the Add Provider dropdown menu on the right side. This menu lists various types of external providers, such as LDAP and Kerberos, that Keycloak supports.
- Choose the provider type (e.g., LDAP, Kerberos) that you want to add. Selecting a provider will open a configuration page specific to that provider type.
- On the configuration page, fill in the required details, such as server URL, connection settings, and attribute mappings (e.g., mapping LDAP attributes to Keycloak fields). Adjust any additional options based on your setup needs, then save your changes to complete the integration.
Configure Provider Settings :
- Each provider will have unique configuration settings depending on the type of database it connects to. For LDAP, for instance, you’ll need to input the LDAP server URL, connection settings, user mappings, and other options.
- Customize the configuration as per your organization’s requirements, including mapping user attributes and handling authentication mechanisms.
Save and Test the Configuration :
- After entering the necessary information, save the configuration.
- Test the integration by attempting to log in with a user from the external database to ensure that Keycloak can successfully authenticate and retrieve user data.
Thanks for reading ❤️
This federation capability enables Keycloak to act as a central identity provider across applications, improving security and enhancing the user experience across your organization’s digital landscape. Thank you so much for reading and do check out the resources provided to learn more about the Keycloak. You can click the button below to create your service on Elestio. See you in the next one👋
Top comments (0)