(sv) LDAP Support
Translation needed
The content of this page was copied from another page tree and needs to be translated or updated.
When you finish translation, make sure to
-
Replace the label NEEDS-TRANSLATING with TRANSLATED
-
Remove this macro from the page
Introduction
LDAP connection can be added as a user federation directly in the customer realm or a separate realm can be added and then this realm can be used by multiple customer realms.
In general, a direct user federation on main application realm is not recommended as users in that case are tightly coupled with the LDAP provider.
When a user is removed from LDAP it would also be removed from realm and could cause inconsistent state.
A use case with LDAP connected as separate realm is described below.
Configure Realm to be used for LDAP
In your instance, create a new Realm that will be used with LDAP Federation.
Add Identity Provider - type LDAP
In the User Federation section, add new LDAP provider. Fill in all required settings for LDAP connection.
These settings are different depending on LDAP type. You can use predefined settings for Active Directory or Linux based systems like Open LDAP.
Test the connection and authentication. You can also import used and groups from LDAP in order to make sure that the mappings and parameters are set correctly.
Users on that list will be an intermediate step. They will not be directly used to log in to the application.
These users must now be linked via OpenID protocol to application users in your main application realm. Identity provider links will be created for all users that successfully login.
Setup LDAP mappers
Example of LDAP mappers, depending on your use case and LDAP configuration:
Sample Full name mapper:
Sample groups mapper:
Add LDAP realm to selected client realm
You can In your main application realm, connect your newly created LDAP realm as an Identity Provider.
In your LDAP realm setup a Client for your main application Realm:
Go to Clients
Create Client - OpenID Connect
set ID (any unique name, do not use special characters, white space etc), set name to e.g. FM ACCESS
Select only Standard Flow (Authentication Flow)
Select Backchannel logout session required to ON
Set home URL to your main application URL (e.g. https://fma.bim.cloud)
Add group mapper scope
In the client - Client Scopes - please add scope for emitting groups:
Link LDAP realm to application realm
Go to Identity Providers, select Add Provider and select KeyCloak OpenID Connect. Use a discovery endpoint copied from your LDAP realm client added above.
Add group mappings
By selecting your LDAP Realm, and then Identity Providers and Mappers
Note that Claim must be set to userLdapGroups and mapper type Claim to Role.
Known Issues
If you're having issues with refreshing data for groups memberships, it is recommended to disable LDAP cache by setting Cache policy (in LDAP realm, under user federation settings). Set this value to NO_CACHE