When you choose federated authentication, Keycloak connects to the provider and caches user information.
- In the Keycloak console, go to User Federation > Add provider… > LDAP.
See the official Keycloak documentation for full details about user storage federation.
If you migrate from an older Domino version, use your ldap.conf from the Domino front end to see what inputs to use for the provider settings. Some of these inputs include:

ldap.conf name    | Keycloak user federation setting name
Search principal  | Bind DN
Search base       | Users DN
Search filter     | Additional Filtering
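As an added example (not Domino's or Keycloak's own code), the script below reads a legacy ldap.conf, translates the three settings from the table above into the Keycloak LDAP user-federation component that the admin REST API accepts, and reports what a reviewer would want fixed before importing it. The ldap.conf sample and its `key = value` layout are constructed for this example, the `connectionUrl` mapping and the `uid`/`inetOrgPerson` defaults are assumptions about a typical OpenLDAP directory, and the bind password is deliberately never copied into the component.

```python
"""Build a Keycloak LDAP user-federation component from a legacy ldap.conf.

Added example, not Domino's or Keycloak's own code. The ldap.conf layout
below is constructed (key = value lines); the Keycloak config keys are the
ones used by the admin REST API component representation for providerId "ldap".
"""
import json

# Constructed sample of a legacy front-end ldap.conf (format assumed).
SAMPLE_LDAP_CONF = """\
# legacy Domino front-end LDAP settings (constructed sample)
uri = ldaps://ldap.example.internal:636
search_principal = cn=svc-domino,ou=service,dc=example,dc=internal
search_password = REPLACE_ME
search_base = ou=people,dc=example,dc=internal
search_filter = (memberOf=cn=domino-users,ou=groups,dc=example,dc=internal)
"""

# ldap.conf name -> (Keycloak setting name from the table, REST config key).
# The "uri" row is an assumption; the other three come from the table above.
SETTING_MAP = {
    "search_principal": ("Bind DN", "bindDn"),
    "search_base": ("Users DN", "usersDn"),
    "search_filter": ("Additional Filtering", "customUserSearchFilter"),
    "uri": ("Connection URL", "connectionUrl"),
}


def parse_ldap_conf(text):
    """Parse `key = value` lines, ignoring blank lines and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        settings[key.strip()] = value.strip()
    return settings


def check_settings(settings):
    """Return findings a reviewer would want resolved before the import."""
    findings = []
    if not settings.get("uri", "").startswith("ldaps://"):
        findings.append("connection is not LDAPS; the bind credential would travel in clear text")
    if settings.get("search_password") in ("", "REPLACE_ME"):
        findings.append("bind credential is a placeholder; set it in Keycloak, not in this file")
    flt = settings.get("search_filter", "")
    if flt and (not flt.startswith("(") or flt.count("(") != flt.count(")")):
        findings.append("Additional Filtering must be a parenthesised, balanced LDAP filter")
    return findings


def to_keycloak_component(settings, name="legacy-ldap"):
    """Build the body for POST /admin/realms/{realm}/components.

    Keycloak stores every config value as a list of strings. The attribute
    defaults below assume an OpenLDAP-style inetOrgPerson directory.
    """
    config = {
        "editMode": ["READ_ONLY"],
        "authType": ["simple"],
        "usernameLDAPAttribute": ["uid"],
        "rdnLDAPAttribute": ["uid"],
        "uuidLDAPAttribute": ["entryUUID"],
        "userObjectClasses": ["inetOrgPerson"],
    }
    for conf_key, (_label, kc_key) in SETTING_MAP.items():
        if conf_key in settings:
            config[kc_key] = [settings[conf_key]]
    # The bind credential is intentionally not copied from the file; enter it
    # in the Keycloak console so it never lands in a generated artifact.
    return {
        "name": name,
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": config,
    }


if __name__ == "__main__":
    parsed = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for finding in check_settings(parsed):
        print("WARNING:", finding)
    print(json.dumps(to_keycloak_component(parsed), indent=2))
```

Run it against your own file by replacing `SAMPLE_LDAP_CONF` with the file contents; the printed JSON is what you would enter in the console (or POST to the components endpoint) for the Bind DN, Users DN and Additional Filtering fields.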
Review the LDAP mapper associated with your provider. You must make sure that there are LDAP mappers for the following attributes:
- username
- firstName
- lastName
- email
For more details, read the official Keycloak documentation on LDAP mappers.
Group and Role Synchronization
You can synchronize Domino administrative user roles and organization membership with attributes in your SAML identity provider. Use this to externalize management of these roles and memberships to the identity provider. Note that Keycloak user attributes cannot be set directly from LDAP group memberships; there must be corresponding attributes in LDAP.
- Use an LDAP mapper to import user attributes to Keycloak.
- Follow the steps in Synchronize SSO Group and Role related to Client Mappers to map from Keycloak to Domino.
Note: Updates to a user's group or role will not fully synchronize to Domino until the user signs in.
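The following added example (not Domino's or Keycloak's own code) checks both requirements above against the mapper list of an LDAP provider: that user-attribute mappers exist for username, firstName, lastName and email, and that the attribute used for role/organization synchronization is imported by a user-attribute mapper rather than only by a group mapper, which does not populate user attributes. The mapper list is a constructed sample shaped like the admin API's component listing for a provider; `dominoRoles` is a placeholder for whatever LDAP attribute your deployment uses, and `fetch_mappers` assumes you already hold an admin access token.

```python
"""Verify the LDAP mappers a Domino/Keycloak federation needs.

Added example, not Domino's or Keycloak's own code. SAMPLE_MAPPERS is a
constructed sample shaped like
GET /admin/realms/{realm}/components?parent=<provider-id>&type=org.keycloak.storage.ldap.mappers.LDAPStorageMapper
"""
import json
import urllib.parse
import urllib.request

REQUIRED_USER_ATTRIBUTES = ("username", "firstName", "lastName", "email")
# Placeholder: the LDAP attribute holding Domino roles/organizations is
# deployment-specific and not given on this page.
ROLE_SYNC_ATTRIBUTES = ("dominoRoles",)

# Constructed sample: email is missing, and roles only exist as a group mapper.
SAMPLE_MAPPERS = [
    {"name": "username", "providerId": "user-attribute-ldap-mapper",
     "config": {"user.model.attribute": ["username"], "ldap.attribute": ["uid"]}},
    {"name": "first name", "providerId": "user-attribute-ldap-mapper",
     "config": {"user.model.attribute": ["firstName"], "ldap.attribute": ["givenName"]}},
    {"name": "last name", "providerId": "user-attribute-ldap-mapper",
     "config": {"user.model.attribute": ["lastName"], "ldap.attribute": ["sn"]}},
    {"name": "groups", "providerId": "group-ldap-mapper",
     "config": {"groups.dn": ["ou=groups,dc=example,dc=internal"]}},
]


def attribute_mappers(components):
    """Return {Keycloak user attribute: LDAP attribute} for user-attribute mappers."""
    out = {}
    for comp in components:
        if comp.get("providerId") != "user-attribute-ldap-mapper":
            continue
        cfg = comp.get("config", {})
        model = cfg.get("user.model.attribute", [None])[0]
        ldap_attr = cfg.get("ldap.attribute", [None])[0]
        if model and ldap_attr:
            out[model] = ldap_attr
    return out


def missing_mappers(components, required=REQUIRED_USER_ATTRIBUTES):
    """List the required user attributes that have no LDAP mapper."""
    present = attribute_mappers(components)
    return [attr for attr in required if attr not in present]


def sync_findings(components, role_attrs=ROLE_SYNC_ATTRIBUTES):
    """Explain why group/role synchronization cannot work as configured."""
    present = attribute_mappers(components)
    findings = []
    for attr in role_attrs:
        if attr not in present:
            findings.append(
                f"no user-attribute-ldap-mapper imports '{attr}'; a group-ldap-mapper "
                "alone does not set user attributes, so nothing reaches Domino")
    return findings


def fetch_mappers(base_url, realm, provider_id, token):
    """Fetch the live mapper list (assumes a valid admin bearer token)."""
    query = urllib.parse.urlencode({
        "parent": provider_id,
        "type": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
    })
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/components?{query}",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print("missing required mappers:", missing_mappers(SAMPLE_MAPPERS))
    for finding in sync_findings(SAMPLE_MAPPERS):
        print("WARNING:", finding)
```

Point `fetch_mappers` at your realm and the provider's component id to run the same two checks against the live configuration; a non-empty result from either function means sign-ins will create incomplete users or roles that never synchronize.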