
LDAP Support

Introduction

An LDAP connection can be added as a user federation provider directly in the customer realm, or a separate realm can be created for it and then used as an identity provider by several customer realms.

In general, direct user federation on the main application realm is not recommended, because the application users are then tightly coupled to the LDAP provider.

When a user is removed from LDAP it is also removed from the realm, which can leave the application in an inconsistent state.

 

A setup with LDAP connected through a separate realm is described below.

Configure Realm to be used for LDAP

In your instance, create a new realm that will be used only for the LDAP federation.

Add User Federation provider - type LDAP

In the User Federation section of the new realm, add a new LDAP provider and fill in all required settings for the LDAP connection.

These settings differ depending on the LDAP server type. Select the matching Vendor to get predefined attribute settings for Active Directory, or the generic settings for other servers such as OpenLDAP.

Test the connection and the authentication (bind). You can also import users and groups from LDAP to verify that the mappers and parameters are set correctly.

The users imported into this realm are only an intermediate step: they are not used directly to log in to the application.

They must be linked via OpenID Connect to the application users in your main application realm. An identity provider link is created for every user who successfully logs in through the broker.

Set up LDAP mappers

Examples of LDAP mappers, depending on your use case and LDAP configuration:

Sample Full name mapper:

Sample groups mapper:
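The LDAP provider and the two mappers above, expressed as the Keycloak Admin REST API component representations that the admin console creates behind the scenes. This is an added example, not code from the original page or from Keycloak itself; the base URL, realm name, DNs and bind credentials are assumptions, and the cache policy is already set to NO_CACHE to avoid the stale group memberships described under Known Issues. The provider refuses a plaintext ldap:// URL, since the bind password would otherwise leave the server unencrypted.

```python
import json
import urllib.request

ASSUMED_BASE = "https://sso.example.test"   # assumption: Keycloak base URL
ASSUMED_REALM = "ldap"                      # assumption: the separate LDAP realm
LDAP_MAPPER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"

# Attribute defaults per Keycloak "Vendor": "ad" is the Active Directory
# preset, "other" is what you choose for OpenLDAP-style servers.
VENDOR_DEFAULTS = {
    "ad": {"user": "sAMAccountName", "rdn": "cn", "uuid": "objectGUID",
           "userClasses": "person, organizationalPerson, user",
           "groupClasses": "group"},
    "other": {"user": "uid", "rdn": "uid", "uuid": "entryUUID",
              "userClasses": "inetOrgPerson, organizationalPerson",
              "groupClasses": "groupOfNames"},
}


def url_is_encrypted(url):
    """Bind credentials travel in the clear over ldap://; insist on ldaps://."""
    return url.lower().startswith("ldaps://")


def _config(pairs):
    """The components API wants every config value wrapped in a one-element list."""
    return {k: [v] for k, v in pairs.items()}


def ldap_provider(realm_id, vendor, url, users_dn, bind_dn, bind_credential):
    """ComponentRepresentation for POST /admin/realms/{realm}/components."""
    if not url_is_encrypted(url):
        raise ValueError("use ldaps:// so the bind password is not sent in plaintext")
    d = VENDOR_DEFAULTS[vendor]
    return {
        "name": "ldap",
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "parentId": realm_id,
        "config": _config({
            "enabled": "true", "vendor": vendor, "connectionUrl": url,
            "usersDn": users_dn, "bindDn": bind_dn, "bindCredential": bind_credential,
            "authType": "simple",
            "editMode": "READ_ONLY",          # never write back to the directory
            "importEnabled": "true", "syncRegistrations": "false",
            "usernameLDAPAttribute": d["user"], "rdnLDAPAttribute": d["rdn"],
            "uuidLDAPAttribute": d["uuid"], "userObjectClasses": d["userClasses"],
            "cachePolicy": "NO_CACHE",        # Known Issues: stale group memberships
        }),
    }


def full_name_mapper(ldap_component_id):
    """Full name mapper: splits the LDAP cn into first and last name, read-only."""
    return {
        "name": "full name", "providerId": "full-name-ldap-mapper",
        "providerType": LDAP_MAPPER_TYPE, "parentId": ldap_component_id,
        "config": _config({"ldap.full.name.attribute": "cn",
                           "read.only": "true", "write.only": "false"}),
    }


def group_mapper(ldap_component_id, vendor, groups_dn):
    """Group mapper: imports LDAP groups and their memberships as Keycloak groups."""
    d = VENDOR_DEFAULTS[vendor]
    return {
        "name": "groups", "providerId": "group-ldap-mapper",
        "providerType": LDAP_MAPPER_TYPE, "parentId": ldap_component_id,
        "config": _config({
            "groups.dn": groups_dn, "group.name.ldap.attribute": "cn",
            "group.object.classes": d["groupClasses"],
            "preserve.group.inheritance": "false",   # flat group names, no nesting
            "ignore.missing.groups": "true",
            "membership.ldap.attribute": "member", "membership.attribute.type": "DN",
            "membership.user.ldap.attribute": d["user"],
            "mode": "READ_ONLY",
            "user.roles.retrieve.strategy": "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE",
            "drop.non.existing.groups.during.sync": "false",
        }),
    }


def post_component(token, rep, base=ASSUMED_BASE, realm=ASSUMED_REALM):
    """Create a component; Keycloak answers 201 with the new id in Location."""
    req = urllib.request.Request(
        f"{base}/admin/realms/{realm}/components", method="POST",
        data=json.dumps(rep).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers["Location"].rsplit("/", 1)[-1]


if __name__ == "__main__":
    # Dry run with constructed values: print the payloads instead of posting them.
    # Post the provider first and use the returned id as parentId of both mappers.
    prov = ldap_provider("<realm-id>", "ad", "ldaps://dc.example.test:636",
                         "OU=Users,DC=example,DC=test",
                         "CN=svc-keycloak,OU=Service,DC=example,DC=test", "<bind-password>")
    for rep in (prov, full_name_mapper("<ldap-id>"),
                group_mapper("<ldap-id>", "ad", "OU=Groups,DC=example,DC=test")):
        print(json.dumps(rep, indent=2))
```

Run it as-is to inspect the JSON, then call post_component() with an admin access token for the LDAP realm. The provider id returned by the first call is the parentId the two mapper payloads need.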

Add LDAP realm to selected client realm

In your main application realm you will connect the newly created LDAP realm as an Identity Provider. To allow this, first set up a client for your main application realm in the LDAP realm:

  • Go to Clients

  • Create Client - OpenID Connect

  • Set the Client ID (any unique name; do not use special characters or white space) and set the Name to e.g. FM ACCESS

  • Under Authentication flow select only Standard flow

  • Set Backchannel logout session required to ON

  • Set the Home URL to your main application URL (e.g. https://fma.bim.cloud)

Add group mapper scope

In the client, under Client Scopes, add a Group Membership mapper that emits the user's LDAP groups as a token claim (the claim name userLdapGroups is referenced again when mapping groups to roles):

Link LDAP realm to application realm

In your main application realm go to Identity Providers, select Add provider and choose Keycloak OpenID Connect. Import the configuration from the OpenID Connect discovery endpoint of your LDAP realm (.well-known/openid-configuration) and enter the Client ID and secret of the client created above.

 

Add group mappings

In the application realm, go to Identity Providers, select the LDAP realm provider created above and open the Mappers tab. Add one mapper per group that should grant a role.

Note that Mapper type must be Claim to Role, Claim must be set to userLdapGroups (the claim emitted by the group mapper above), Claim value to the LDAP group name and Role to the application role it grants.
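The client, the groups claim, the brokered identity provider and a Claim to Role mapper from the steps above, written as the Keycloak Admin REST API representations the admin console would produce. This is an added example, not code from the original page or from Keycloak; the Keycloak host, realm names, identity provider alias, group and role names are assumptions. It also adds the one setting the console forces you to fill in but the steps above do not mention: the client must allow the broker endpoint of the application realm as a redirect URI, otherwise the login round trip fails.

```python
import json
import secrets

ASSUMED_BASE = "https://sso.example.test"  # assumption: Keycloak base URL
LDAP_REALM = "ldap"                        # assumption: the separate LDAP realm
APP_REALM = "fm-access"                    # assumption: main application realm
IDP_ALIAS = "ldap-realm"                   # assumption: alias of the brokered IdP
GROUPS_CLAIM = "userLdapGroups"            # claim name used on this page


def valid_client_id(client_id):
    """Letters, digits, '-' and '_' only: no spaces or special characters."""
    return bool(client_id) and client_id.replace("-", "").replace("_", "").isalnum()


def broker_redirect_uri(base, app_realm, alias):
    """Redirect URI the application realm's broker uses; the client must allow it."""
    return f"{base}/realms/{app_realm}/broker/{alias}/endpoint"


def discovery_url(base, realm):
    """The realm's OpenID Connect discovery endpoint to import the IdP from."""
    return f"{base}/realms/{realm}/.well-known/openid-configuration"


def groups_protocol_mapper():
    """Group Membership mapper: puts the user's LDAP groups into the tokens."""
    return {
        "name": "groups", "protocol": "openid-connect",
        "protocolMapper": "oidc-group-membership-mapper", "consentRequired": False,
        "config": {
            "claim.name": GROUPS_CLAIM,
            "full.path": "false",       # plain names ("fm-admins"), not "/fm-admins"
            "id.token.claim": "true", "access.token.claim": "true",
            "userinfo.token.claim": "true",
        },
    }


def oidc_client(client_id, name, home_url, base, app_realm, alias, secret):
    """ClientRepresentation for POST /admin/realms/{ldap_realm}/clients."""
    if not valid_client_id(client_id):
        raise ValueError("client ID must not contain spaces or special characters")
    return {
        "clientId": client_id, "name": name, "protocol": "openid-connect",
        "enabled": True,
        "publicClient": False,            # confidential: the broker needs the secret
        "secret": secret,
        "standardFlowEnabled": True,      # the only flow selected
        "implicitFlowEnabled": False, "directAccessGrantsEnabled": False,
        "serviceAccountsEnabled": False,
        "rootUrl": home_url,
        "baseUrl": home_url,              # "Home URL" in the admin console
        "redirectUris": [broker_redirect_uri(base, app_realm, alias)],
        "attributes": {"backchannel.logout.session.required": "true",
                       "backchannel.logout.revoke.offline.tokens": "false"},
        "protocolMappers": [groups_protocol_mapper()],
    }


def keycloak_oidc_idp(alias, base, ldap_realm, client_id, secret):
    """IdentityProviderRepresentation for the application realm, holding the
    endpoints that importing the discovery document fills in."""
    issuer = f"{base}/realms/{ldap_realm}"
    oidc = f"{issuer}/protocol/openid-connect"
    return {
        "alias": alias, "displayName": "LDAP users", "providerId": "keycloak-oidc",
        "enabled": True, "trustEmail": True,
        "config": {
            "clientId": client_id, "clientSecret": secret,
            "clientAuthMethod": "client_secret_post",
            "issuer": issuer, "authorizationUrl": f"{oidc}/auth",
            "tokenUrl": f"{oidc}/token", "userInfoUrl": f"{oidc}/userinfo",
            "logoutUrl": f"{oidc}/logout", "jwksUrl": f"{oidc}/certs",
            "useJwksUrl": "true", "validateSignature": "true",
            "backchannelSupported": "true",
            "syncMode": "FORCE",   # re-run mappers at every login, not only the first
        },
    }


def claim_to_role_mapper(alias, group_name, role):
    """Claim to Role mapper: members of group_name get the realm role `role`
    (use "clientid.rolename" for a client role)."""
    return {
        "name": f"{group_name}-to-{role}", "identityProviderAlias": alias,
        "identityProviderMapper": "oidc-role-idp-mapper",   # "Claim to Role"
        "config": {"syncMode": "INHERIT", "claim": GROUPS_CLAIM,
                   "claim.value": group_name, "role": role},
    }


if __name__ == "__main__":
    # Dry run with constructed values; a real setup posts these to the Admin API.
    secret = secrets.token_urlsafe(32)
    print(discovery_url(ASSUMED_BASE, LDAP_REALM))
    print(json.dumps(oidc_client("fm-access", "FM ACCESS", "https://fma.bim.cloud",
                                 ASSUMED_BASE, APP_REALM, IDP_ALIAS, secret), indent=2))
    print(json.dumps(keycloak_oidc_idp(IDP_ALIAS, ASSUMED_BASE, LDAP_REALM,
                                       "fm-access", secret), indent=2))
    print(json.dumps(claim_to_role_mapper(IDP_ALIAS, "fm-admins", "admin"), indent=2))
```

The identity provider's syncMode is FORCE so that group changes in LDAP are reflected in the application realm on the next login; with the default IMPORT mode the Claim to Role mappers run only on the user's first login, which is a second reason (besides the LDAP cache) that memberships can appear stale.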

Known Issues

If group memberships are not refreshed after changes in LDAP, disable the LDAP cache: in the LDAP realm, under the user federation provider settings, set Cache policy to NO_CACHE.