Keycloak User Federation Configuration (LDAP/AD)
There are various authentication protocols that can be used depending on use case. This guide outlines the steps to configure User Federation in Keycloak.
To authorize users for the GetVisibility dashboard (not Keycloak itself), ensure that the gv realm is selected in the top left, not master (unless the aim is to authorize LDAP users to use Keycloak itself):
Click on the User Federation menu item on the left pane. This should load a list of configured user federations (none at first).
Click on Add LDAP providers to load the LDAP (Lightweight Directory Access Protocol) configuration.
Update the Connection URL field to reflect the LDAP server address where the Active Directory is hosted.
Click on the button Test connection to test the connection from the Keycloak instance to the LDAP server address. This should succeed quickly. If it hangs, the LDAP server (i.e. a domain controller) may be blocking connections from the Keycloak server address (i.e. the IP of the server running the GetVisibility product). The public IP address of the LDAP server may need to be used.
Update the Bind credentials field (see the above image) to contain the password used to access the LDAP server.
Click “Test authentication” to confirm that the provided credentials work as expected:
Update the Users DN field to contain the full DN of the LDAP subtree where your users are.
If importing every user is not desired, restrict which users are imported with a User LDAP filter. Often, restricting by OU alone is not granular enough.
To combine (“AND”) a group filter with other criteria: (&(theAttribute=theValue)(memberOf=cn=My Group,dc=domain,dc=com))
Within Synchronization settings, set up automatic synchronization of users from the LDAP/Active Directory server to Keycloak. The automatic synchronization settings are configured here.
Click the Save button at the bottom of the screen.
To get the users into the Keycloak DB, the users need to be synchronized for the first time (before the automatic synchronization happens, if applicable).
Click the button Synchronize all users to immediately fetch all of the LDAP/Active Directory users and load them into the Keycloak instance DB.
Usually, any issues that occur during the LDAP/Active Directory configuration process above are related to network accessibility or incorrect authentication credentials.
Update the Bind DN field to reflect the account used to access the LDAP server. In this case, the user with username “admin” from the domain “”.
The above value for the “Users DN” field imports all users into the gv realm, and all users within the “” domain get full administrative access to the GetVisibility dashboard.
In this scenario, restrict by group membership in the User LDAP filter field, like so: (memberOf=cn=My Group,dc=domain,dc=com)
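The group filter above and the combined (“AND”) form from the earlier step are easy to get wrong by hand: an unescaped value can change the filter's structure, and Keycloak rejects a User LDAP filter that is not a single fully parenthesised expression. The following helper, added here as an example and not part of this guide's product or of Keycloak, builds such filters with RFC 4515 escaping and checks the result before it is pasted into the User LDAP filter field; the nested-group option uses the Active Directory matching rule LDAP_MATCHING_RULE_IN_CHAIN, which only AD understands.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute descriptions: a name or OID, optionally followed by ";options".
_ATTR_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*(;[A-Za-z0-9-]+)*")

# Active Directory extensible-match rule for transitive (nested) group membership.
AD_IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value so it can never alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def attribute_filter(attr: str, value: str) -> str:
    """Build an equality clause such as (sAMAccountName=jdoe)."""
    if not _ATTR_RE.fullmatch(attr):
        raise ValueError(f"invalid attribute description: {attr!r}")
    return f"({attr}={escape_filter_value(value)})"


def group_filter(group_dn: str, nested: bool = False) -> str:
    """Clause selecting members of one group by DN.

    Plain memberOf only matches direct members; nested=True switches to the
    AD matching rule so members of groups nested inside the named group match too.
    """
    attr = f"memberOf:{AD_IN_CHAIN_OID}:" if nested else "memberOf"
    return f"({attr}={escape_filter_value(group_dn)})"


def and_filter(*clauses: str) -> str:
    """AND several clauses together: (&(c1)(c2)...)."""
    return "(&" + "".join(clauses) + ")"


def is_valid_keycloak_filter(flt: str) -> bool:
    """True only for one balanced, fully parenthesised expression."""
    if not (flt.startswith("(") and flt.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(flt):  # escaped parens are already \28 / \29
        depth += (ch == "(") - (ch == ")")
        if depth < 0 or (depth == 0 and i < len(flt) - 1):
            return False
    return depth == 0
```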
For Active Directory federation, some may prefer to configure the Username LDAP attribute as sAMAccountName or userPrincipalName. See and .
However, if additional support is needed or the problem is not easily resolved by troubleshooting network communications and authentication details, please reach out to .