About Domino
Domino Data LabKnowledge BaseData Science BlogTraining

LDAP / AD federation

When you choose federated authentication, Keycloak connects to the provider and caches user information.

Add a provider

  1. In the Keycloak console, go to the User Federation menu.

  2. Click Add provider…​ > LDAP.

    See the official Keycloak documentation for full details about user storage federation.

    If you migrate from an older Domino version, use your ldap.conf from the Domino front end to see what inputs to use for the provider settings.

    Some of these inputs include:

    ldap.conf nameKeycloak user federation setting name

    Search principal

    Bind DN

    Search base

    Users DN

    Search filter

    Additional Filtering

Configure mappers

Review the LDAP mapper associated with your provider. You must make sure that there are LDAP mappers for the following attributes:

  • username

  • firstName

  • lastName

  • email

For more details, read the official Keycloak documentation on LDAP mappers.

Group and Role Synchronization

You can synchronize Domino administrative user roles and organization membership with attributes in your SAML identity provider. Use this to externalize management of these roles and memberships to the identity provider. Please note that the Keycloak user attributes cannot be set directly from LDAP group memberships, there have to be corresponding attributes in LDAP.

  1. Use an LDAP mapper to import user attributes to Keycloak.

  2. Follow the steps in Synchronize SSO Group and Role related to Client Mappers to map from Keycloak to Domino.

Note

Next steps