« Previous 1 2
Single sign-on with Keycloak
Master of the Keys
Synchronize with LDAP
The Mappers tab lets you map individual LDAP attributes to Keycloak attributes. To the default mappers, you can add others by pressing the Create button. You will need to create a group-ldap-mapper if you want to map LDAP user groups to user groups in Keycloak. Once set up, Keycloak will do the group mapping for you, just as in LDAP.
In Settings again, select the Synchronize all users button at the bottom. Remember that if you have a large directory, you will have to wait a few moments until all users have been imported. If no users are imported for you, check the attribute settings. If this does not help, check the User Object Classes . Only entries with these classes will be imported. As soon as the users are loaded from LDAP, you will receive a message (Figure 1). You can see how many users have been synchronized and how many failed to import.
Now you can check the imported users in the Users menu item. You will notice that all your users have been assigned another internal Keycloak ID. If you have imported a large number of users, you can use the Search box for a quick search. The Impersonate button lets you log in directly as a specific user.
Test Login
If you have a user account in LDAP, test logging in by trying to log in to the Administration Console. If the login works, you will see a message stating that the access is Forbidden for this user. This information is all you need to test the basic functionality. Now click on your username in the upper right corner to enter the user menu, which takes you to an overview of the applications and active sessions in use.
If you want to use a second factor for login (e.g., Google Authenticator), you can set it up in Authentication . There, grab a shot of the QR code with the smartphone app, enter the currently generated code, and, for the sake of clarity, assign a name to the device you are using. Make sure that the times shown by your server and your device are not too far apart. If you want stricter time tolerance, you can configure this in the Administration Console under Authentication | OTP Policy . Adjust the value for the Look Ahead Window to suit your requirements.
Conclusions
In this article, you got to know Keycloak as the central switchboard for your single sign-on. The test installation is already usable for synchronizing LDAP users and connecting applications. Beyond what is shown here, you will find many more options for configuring identity management in your organization. For example, you can also configure passwordless login with WebAuthn (FIDO2) for your users.
Infos
- Keycloak: https://www.keycloak.org
- Keycloak containers: https://github.com/keycloak/keycloak-containers/
- Container documentation: https://github.com/keycloak/keycloak-containers/blob/11.0.0/server/README.md
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.