Keycloak User Federation Configuration (LDAP/AD)
There are various authentication protocols that can be used depending on the use case. This guide outlines the steps to configure User Federation in Keycloak against an LDAP directory such as Active Directory.
To authorize users for the GetVisibility dashboard (not Keycloak itself), ensure that the gv realm is selected in the realm selector at the top left, not master (unless the aim is to authorize LDAP users to use Keycloak itself):

Click on the User Federation menu item on the left pane. This should load a list of configured user federations (none at first).

Click on Add LDAP providers to load the LDAP (Lightweight Directory Access Protocol) configuration.

Update the Connection URL field to reflect the address of the LDAP server where the Active Directory is hosted.

Click on the Test connection button to test the connection from the Keycloak instance to the LDAP server address. This should succeed quickly. If it hangs, the LDAP server (for example, a domain controller) may be blocking connections from the Keycloak server address (the IP of the server running the GetVisibility product). The public IP address of the LDAP server may need to be used.

Update the Bind DN field to reflect the user used to access the LDAP server. In this case, the user with username “admin” from the domain “domain.com”. A dedicated read-only service account is preferable to a privileged domain account for this bind, since its credentials are stored in Keycloak.

Update the Bind credentials field to contain the password used to access the LDAP server.
Click “Test authentication” to confirm that the provided credentials work as expected:

Update the Users DN field to contain the full DN of the LDAP subtree where your users are located.

The above value for the “Users DN” field will import all users to the gv realm. All users within the “domain.com” domain will get full administrative access to the GetVisibility dashboard.
If this is not desired, restrict which users are imported. Often, restricting by OU alone is not granular enough.
In that case, use a standard LDAP search filter in the User LDAP filter field, like so: (memberOf=cn=My Group,dc=domain,dc=com)
To combine (“AND”) it with other criteria: (&(theAttribute=theValue)(memberOf=cn=My Group,dc=domain,dc=com))
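Because every user matching this filter receives administrative access, it is worth building and checking the filter value before pasting it into Keycloak. The following added example (not part of the GetVisibility or Keycloak code) escapes attribute values per RFC 4515 so that a group name containing parentheses or wildcards cannot change the filter's meaning, combines clauses with AND as above, and checks the enclosing parentheses Keycloak expects; the group and attribute names are the placeholders from this page.

```python
"""Build and sanity-check a Keycloak 'User LDAP filter' value (added example)."""

# Characters that carry meaning inside an LDAP search filter (RFC 4515).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def equals_filter(attribute: str, value: str) -> str:
    """Build an equality clause such as (theAttribute=theValue)."""
    return f"({attribute}={escape_filter_value(value)})"


def member_of_filter(group_dn: str) -> str:
    """Restrict to members of a group, given the group's full DN."""
    return equals_filter("memberOf", group_dn)


def and_filters(*clauses: str) -> str:
    """Combine clauses with LDAP AND: (&(a=1)(b=2))."""
    if len(clauses) == 1:
        return clauses[0]
    return "(&" + "".join(clauses) + ")"


def is_well_formed(filter_str: str) -> bool:
    """Keycloak requires the custom filter to start with '(' and end with ')';
    also verify that parentheses are balanced (escaped ones do not count)."""
    if not (filter_str.startswith("(") and filter_str.endswith(")")):
        return False
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    f = and_filters(equals_filter("theAttribute", "theValue"),
                    member_of_filter("cn=My Group,dc=domain,dc=com"))
    print(f, is_well_formed(f))
```

Paste the printed filter into the User LDAP filter field only after is_well_formed reports True; Keycloak will otherwise reject the provider configuration on save.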
Optional Steps
Within Synchronization settings, configure automatic synchronization of users from the LDAP directory (Active Directory) to Keycloak, including how often it runs.

Click the Save button at the bottom of the screen.

Synchronizing the Users to Keycloak DB
To get the users into the Keycloak DB, the users need to be synchronised for the first time (before the automatic synchronization happens, if applicable).
Click the Synchronize all users button to immediately fetch all of the LDAP (Active Directory) users and load them into the Keycloak instance DB.
Troubleshooting Keycloak LDAP integration
Usually, any issues that occur during the LDAP/Active Directory configuration process above are related to network accessibility or incorrect authentication credentials.
However, if additional support is needed or the problem is not easily resolved by troubleshooting network communications and authentication details, please reach out to Support.