DEV Community: Cloud-IAM

Integrating LDAP into a scalable, secure IAM architecture with Keycloak

Cloud-IAM — Wed, 14 May 2025 11:44:16 +0000

If you're still relying on LDAP to manage identities, you're not alone. It’s stable, proven—and increasingly hard to adapt to cloud, SaaS, and modern security requirements like SSO and MFA.
But does that mean you need to rip it out? Definitely not.
Let’s explore how to modernize your IAM by integrating Keycloak—without disrupting your current infrastructure.

"Should you replace your LDAP with a modern IAM solution?"

In most cases, replacing LDAP is unnecessary—and even risky. A better approach is to connect a modern IAM solution to your existing LDAP infrastructure.

Current Limitations of LDAP

Credential Transmission and Encryption

By default, LDAP transmits credentials in plain text. Encryption must be explicitly configured using TLS or LDAPS. Many deployments still rely on outdated methods like unencrypted simple bind, which should be disabled. Tools like OpenLDAP now simplify TLS setup considerably.

Limited Native Features

LDAP is fundamentally a directory. It doesn’t natively offer:

RBAC/ABAC or contextual access policies
Built-in SSO or MFA
Automated user lifecycle management
Approval workflows or self-service portals

These require an external IAM layer (such as Keycloak). Without automation, user deletion in LDAP won’t propagate to connected applications.

Cloud Integration Challenges

LDAP struggles with modern architectures and protocols:

No native REST API, OAuth2, or SCIM support
Rigid schema that’s hard to scale
Manual provisioning for SaaS applications
No native OpenID Connect, OAuth2, or SAML 2.0 support

Custom connectors or solutions like Red Hat Directory Server can bridge gaps but add maintenance overhead. While LDAP replication (e.g., OpenLDAP MMR) works well at medium scale, multi-cloud environments complicate deployment.

LDAP remains useful as an identity source of truth, especially for legacy systems.

From Monolithic Directories to Identity Orchestration

Rather than eliminating LDAP, the solution lies in repositioning it as the authoritative source of identity, used by an upper orchestration layer that centralizes access, federates identity sources, and enforces modern security policies.

LDAP-to-IAM as an IdP Broker

Migrating to an IAM solution enables organizations to control, automate, and secure the identity lifecycle. It also simplifies federation across multiple identity providers—such as an internal LDAP directory, Azure AD for external collaborators, or Google Workspace for partners—through a unified interface. This mechanism, known as IdP brokering, has become essential in hybrid environments where identities are fragmented.

By integrating an IAM orchestration layer, Single Sign-On (SSO) becomes possible, allowing users to access all their applications through a unified portal, regardless of their original identity provider. IAM acts as a trusted intermediary that secures sessions, applies security policies like Multi-Factor Authentication (MFA) or geofencing, and passes the necessary attributes to applications. Meanwhile, LDAP remains shielded in the background, no longer directly exposed to applications.

IdP Brokering with Keycloak

Keycloak, an open-source IAM solution, is especially well-suited for this purpose. Natively supporting modern standards like OpenID Connect and SAML 2.0, Keycloak seamlessly integrates with LDAP and Active Directory, providing identity orchestration capabilities.

Keycloak enables the creation of roles, the definition of contextual access policies, attribute mapping, and MFA enrollment. It can integrate with legacy applications (with adaptations if needed) and modern cloud platforms. Its robust API allows automation of provisioning and identity lifecycle management, as well as integration with external tools.

In this model, LDAP isn't phased out, but instead repositioned as a reliable and well-defined component. Keycloak synchronizes accounts from LDAP while keeping it hidden from direct exposure. This shift transforms LDAP from a standalone directory into a core part of an identity orchestration system.

Modernizing IAM without throwing everything away

It may be tempting to replace your LDAP directory with an out-of-the-box IAM solution to solve integration, security, and access management challenges all at once. But this radical approach comes with major, often underestimated risks—and can end up costing far more than a progressive integration.

LDAP still plays a critical role in identity governance. Unlike Keycloak, it often connects directly with HR systems (HRIS), managing employee lifecycles and entitlements. Its long-standing historical data is crucial for traceability and compliance.

Governance tools are already connected to LDAP, while business applications use Keycloak for authentication. The challenge lies in moving governance authentication to the cloud while preserving LDAP for its core governance functions. A cloud-hosted Keycloak instance offers a cost-effective alternative to Azure AD with comparable capabilities.

Why Keycloak Is the Best Fit to Orchestrate an LDAP Directory

Instead of replacing your LDAP, it's often wiser to reposition it as a source of truth, orchestrated by a modern IAM solution. Keycloak stands out because it can natively federate with an LDAP directory—without requiring a large-scale migration. It acts as a gateway, natively exposing modern authentication and authorization protocols (OpenID Connect, SAML, OAuth2), centralizing access management, enforcing security policies (MFA, SSO, RBAC), while still relying on your existing LDAP for authentication and account federation.

How to Integrate LDAP with Keycloak

To successfully integrate LDAP with Keycloak, it’s essential to prepare your infrastructure in advance and minimize potential downtime for your users.

1. Inventory and Map Your Existing LDAP Directory
The first critical step is to understand your directory’s structure and contents. You need to identify where users and groups are located, which attributes are in use, and whether there are any custom configurations. This mapping also helps uncover all applications and services that rely on the LDAP for authentication or access control. Without this detailed understanding, integration attempts may lead to service disruptions or identity management inconsistencies.

2. Define a Synchronization Strategy
Once your directory is mapped, the next step is to decide how identities will sync between LDAP and Keycloak. There are two main approaches: full synchronization, where all user data is imported into Keycloak; and just-in-time (JIT) synchronization, where accounts are created on first login. The right strategy depends on your user volume and performance constraints.

3. Plan for Risk Management and Change Management
LDAP integration with Keycloak is a cross-functional project that touches many teams. Proactively managing risk and leading the change is crucial. That includes building a rollback plan in case of incidents, communicating clearly with IT and end users, and training administrators on new tools and processes. Human and organizational readiness is just as important as technical preparedness to ensure project success.

These three preliminary steps lay the groundwork for a smooth LDAP integration with Keycloak. Afterward, the focus shifts to more technical aspects: LDAP provider configuration, securing connections (TLS/LDAPS), attribute mapping, group and role management, performance tuning, error handling, password policies, log and audit management, and monitoring setup.

TL;DR
You don’t need to replace your LDAP. Instead, integrate it with Keycloak to gain modern IAM features like SSO, MFA, and contextual access control—without rebuilding your identity infrastructure.

When Your Login Page Becomes the Frontline: Lessons from a Real-World enumeration attack

Cloud-IAM — Mon, 12 May 2025 16:16:01 +0000

As an IAM SaaS company, our work often remains in the shadows—until something goes wrong. Today, I want to shed light on how we handle security at the very first layer all IAM systems have: the login page. Specifically, I’ll walk you through an incident we managed at Cloud-IAM, where we provide a managed Keycloak solution, and share some insights on securing authentication systems against evolving enumeration attack threats.

The Challenge: IAM Security Beyond MAUs

Many of our clients are tech enthusiasts and small companies that want to avoid the complexity of configuring and maintaining Keycloak. Our larger clients, on the other hand, demand resilience. However, resilience is often measured in terms of Monthly Active Users (MAUs), without fully considering the exposure of their service.

For example, take two hypothetical companies:

Company A: A SaaS for plant analysis with a high number of MAUs.
Company B: An IoT platform managing security cameras.

Despite Company A having more MAUs, Company B is likely more exposed to attacks because of the nature of its infrastructure. This exposure factor is rarely accounted for but plays a critical role in IAM security.

Attacks Are Inevitable—So We Adapt

Attackers exploit the same logic and processes as normal users, making them difficult to detect. The more information they have, the better they can impersonate real users and bypass detection systems. Many companies rely on Load balancer rate limiting or Low Level Firewall, both of which are great initial defenses. However, attackers have evolved beyond these measures.

At Cloud-IAM, we take a multi-layered approach to attack mitigation:

Advanced web server filtering & logging for future learning.
IP packet filtering for early-stage attack mitigation.
Dynamic rule assignment based on specific client domains.
Web Application Firewall (WAF) protection.
AI-driven rule detection (in progress) to automate and optimize security rules based on real-time threats.

Case Study: The Month-Long Attack on a Cloud-IAM

All our clients operate with two distinct lifecycles:

The client product lifecycle (e.g., how a service integrates with IAM for authentication and security).
The IAM product lifecycle (e.g., updates, fixes, security patches, and infrastructure resilience).

One of our clients, a widely used SaaS platform, regularly experiences DDoS attacks due to its high exposure and millions of MAUs. In this particular case, the client had a specific IP restriction policy that influenced how the attack unfolded.

A major challenge for this client is that they demand to scale up their infrastructure in advance to handle high user loads efficiently. This means they anticipate peak demand and adjust their infrastructure capacity before the load arrives. For instance, before major events like an SSO update, they anticipate and prepare for 1 million users reconnecting within a short window. While this improves user experience, it also complicates attack detection, as malicious traffic can blend with legitimate user activity, making it significantly harder to distinguish between normal behavior and an attack.

This operational complexity required a highly tailored security response.

The incident: A Stealthy, Persistent Enumeration Attack

Phase 1: The First Sign of Trouble

In early January, we identified a misconfiguration in Keycloak, which revealed inefficiencies in how our system handled enumeration attempts.
Attackers exploited this, sending requests at a rate that overwhelmed the connection pool, preventing new connections from being established.
Our systems detected the issue before it had any impact on the client, allowing us to intervene proactively.
We patched the situation before it escalated into a total deadlock, ensuring system stability.
Within 24 hours, we deployed a fix to prevent this specific vulnerability from being exploited again.

Phase 2: The Quiet Defense

Following the initial issue, attackers ramped up their efforts, generating over 8,000 connections per minute.
Our system automatically detected and banned these low-level attempts, preventing any significant impact.
No manual intervention was required, as the automated bans effectively mitigated this phase of the attack.

Phase 3: The Storm Grows

Two weeks later, the attack escalated, becoming 3x bigger and lasting 100x longer than the previous phase.
The attack reached 2,500 authentication attempts per minute, a decrease compared to the previous phase, but sustained over 12 hours.
Despite the prolonged nature of the attack, our monitoring systems detected the pattern early, allowing us to take swift action.
No manual intervention was required, as the automated bans effectively mitigated this phase of the attack.

What Made This Attack Unique?

Analyzing the attackers' strategy, we observed a shift in their approach across phases. Initially, in Phase 1, they experimented with limited but targeted attempts. In Phase 2, they believed that overwhelming the system with a high number of requests (8,000 per minute) would break through defenses. However, this only led to rapid bans.

By Phase 3, they changed their strategy, opting for a prolonged attack rather than an intense burst. Even though the request rate dropped to 2,500 per minute, the total number of requests in this phase was significantly higher due to the 12-hour sustained attack.

This shift is evident in the following visualizations:

Request Rates During DDoS Attack Phases (top): Showing how each phase varied in request rates.
Total Requests During DDoS Attack Phases (bottom): Demonstrating how the last phase, despite lower request intensity, was far more impactful in sheer volume.

How We Handled It

Learn: Our monitoring stack signaled an anomaly.
Detect: We identified the attack as an enumeration attempt.
Block: A traditional Low Level Firewall approach wouldn’t work due to the rapid IP rotation, so we had to analyze the context in real time.
Enable: We empowered both our team and our client with insights to respond proactively.
Share: We documented our findings internally and externally (hence, this article!).

What’s Next? AI-Powered Defense

Our goal isn’t to become a full-fledged Security Information and Event Management (SIEM) system, but to integrate smarter protections. We’re currently developing an AI-driven tool that dynamically adjusts security rules based on user prompts, allowing for:

Faster detection of attack patterns.
Automated responses tailored to specific client needs.
Better protection without unnecessary blocking of legitimate users.

Final Thoughts

IAM security isn’t just about stopping attackers—it’s about learning, adapting, and empowering. The attack we faced in January reinforced that traditional defenses aren’t enough. A layered, context-aware approach is critical for modern IAM systems, especially in high-exposure environments.

At Cloud-IAM, we take pride in our resilience, but security is an ever-evolving challenge. We continuously refine our defenses, learning step by step from every incident. There is always room for improvement, and we remain humble in our commitment to staying ahead of emerging threats.
If you believe there are areas where we can improve or if you want to strengthen your own system’s security, don’t hesitate to reach out. We’re always open to collaboration and new insights.

If you manage an IAM service, consider: How well are you protecting your login page?