Latest (5.8)
LDAP / AD federation

When you choose federated authentication, Keycloak connects to the LDAP / AD provider and caches the imported user information in its own user database. The directory stays the source of truth; Keycloak only holds a local copy of the attributes that its mappers import.

Add a provider

  1. In the Keycloak console, go to the User Federation menu.

  2. Click Add provider… > LDAP.

    See the official Keycloak documentation for full details about user storage federation.

    If you migrate from an older Domino version, use the ldap.conf from the Domino front end to find the values to enter for the provider settings. The ldap.conf names correspond to Keycloak user federation settings as follows:

    ldap.conf name        Keycloak user federation setting name
    Search principal      Bind DN
    Search base           Users DN
    Search filter         Additional Filtering (the custom user LDAP filter; Keycloak requires a complete, parenthesised filter such as (memberOf=…))

    The Search principal's password goes into the Bind Credential field. Use ldaps:// (or StartTLS) for the Connection URL so that the bind credential is not sent across the network in clear text.

Configure mappers

Review the LDAP mappers associated with your provider. Domino needs the following user attributes, so make sure that an LDAP mapper exists for each of them (for Active Directory these are typically sAMAccountName, givenName, sn and mail):

  • username

  • firstName

  • lastName

  • email

For more details, read the official Keycloak documentation on LDAP mappers.

Group and Role Synchronization

You can synchronize Domino administrative user roles and organization membership with user attributes in your LDAP / AD identity provider. Use this to externalize management of these roles and memberships to the directory. Note that Keycloak user attributes cannot be set directly from LDAP group memberships; the directory must carry a corresponding user attribute, which an LDAP mapper imports into Keycloak.

  1. Use an LDAP mapper to import user attributes to Keycloak.

  2. Follow the steps in Synchronize SSO Group and Role related to Client Mappers to map from Keycloak to Domino.
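The provider, the four required mappers and the extra attribute mapper used for group/role synchronization can also be created through the Keycloak Admin REST API (POST /admin/realms/{realm}/components) instead of the console. The following is an added example, not Domino's or Keycloak's own code: it builds those component representations from an ldap.conf-style mapping keyed by the names in the table above, verifies that the required mappers are present, and flags settings that would expose the bind credential or let Keycloak write to the directory. The sample values, the "Connection URL" key, and the dominoRole/extensionAttribute1 attribute pair are constructed assumptions.

```python
"""Build Keycloak user-federation component representations for Domino.

Added example (not Domino or Keycloak code). The ldap.conf keys are the
names used on this page; the values are constructed samples, and
"Connection URL", "dominoRole" and "extensionAttribute1" are assumed names.
"""
import json
from urllib.parse import urlsplit

# Keycloak user-model attribute -> Active Directory attribute (defaults).
# Domino requires a mapper for each of these four.
REQUIRED_MAPPERS = {
    "username": "sAMAccountName",
    "firstName": "givenName",
    "lastName": "sn",
    "email": "mail",
}

# ldap.conf name -> Keycloak LDAP provider config key (the page's table).
CONF_TO_KEYCLOAK = {
    "Search principal": "bindDn",
    "Search base": "usersDn",
    "Search filter": "customUserSearchFilter",
}

# Constructed sample of an older Domino ldap.conf, keyed by the page's names.
LDAP_CONF = {
    "Search principal": "CN=svc-domino,OU=Service Accounts,DC=corp,DC=example",
    "Search base": "OU=Users,DC=corp,DC=example",
    "Search filter": "(memberOf=CN=domino-users,OU=Groups,DC=corp,DC=example)",
    "Connection URL": "ldaps://ldap.corp.example:636",  # assumed key name
}


def build_provider(conf, realm_id, bind_credential, name="corp-ad"):
    """Return the LDAP user-storage component for the Admin REST API."""
    filt = conf.get("Search filter", "")
    if filt and not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("Keycloak requires a parenthesised LDAP search filter")
    config = {  # every Keycloak component config value is a list of strings
        "enabled": ["true"],
        "vendor": ["ad"],
        "editMode": ["READ_ONLY"],   # never let Keycloak write back to AD
        "authType": ["simple"],
        "connectionUrl": [conf["Connection URL"]],
        "bindCredential": [bind_credential],
        "usernameLDAPAttribute": [REQUIRED_MAPPERS["username"]],
        "rdnLDAPAttribute": ["cn"],
        "uuidLDAPAttribute": ["objectGUID"],
        "userObjectClasses": ["person, organizationalPerson, user"],
        "searchScope": ["2"],        # 2 = subtree below Users DN
        "useTruststoreSpi": ["always"],
        "importEnabled": ["true"],
        "syncRegistrations": ["false"],
    }
    for conf_name, kc_key in CONF_TO_KEYCLOAK.items():
        if conf_name in conf:
            config[kc_key] = [conf[conf_name]]
    return {"name": name, "providerId": "ldap",
            "providerType": "org.keycloak.storage.UserStorageProvider",
            "parentId": realm_id, "config": config}


def build_mappers(provider_id, extra=None):
    """One user-attribute-ldap-mapper per required attribute, plus any extra
    attributes (e.g. a role attribute) imported for group/role sync."""
    attrs = dict(REQUIRED_MAPPERS)
    attrs.update(extra or {})
    mappers = []
    for model_attr, ldap_attr in attrs.items():
        mappers.append({
            "name": model_attr,
            "providerId": "user-attribute-ldap-mapper",
            "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
            "parentId": provider_id,
            "config": {
                "ldap.attribute": [ldap_attr],
                "user.model.attribute": [model_attr],
                "read.only": ["true"],
                "always.read.value.from.ldap": ["true"],
                # only username must exist on every directory entry
                "is.mandatory.in.ldap": ["true" if model_attr == "username" else "false"],
            },
        })
    return mappers


def missing_required_mappers(mappers):
    """Names from REQUIRED_MAPPERS that no attribute mapper provides."""
    have = {m["config"]["user.model.attribute"][0] for m in mappers
            if m.get("providerId") == "user-attribute-ldap-mapper"}
    return sorted(set(REQUIRED_MAPPERS) - have)


def transport_warnings(provider):
    """Flag settings that leak the bind credential or allow directory writes."""
    cfg = provider["config"]
    warnings = []
    scheme = urlsplit(cfg["connectionUrl"][0]).scheme
    if scheme != "ldaps" and cfg.get("startTls", ["false"])[0] != "true":
        warnings.append("plain ldap:// without StartTLS: bind password sent in clear")
    if cfg.get("editMode", [""])[0] != "READ_ONLY":
        warnings.append("editMode is not READ_ONLY: Keycloak may write to the directory")
    return warnings


if __name__ == "__main__":
    prov = build_provider(LDAP_CONF, "REALM-ID", "bind-password-from-secret-store")
    maps = build_mappers("LDAP-COMPONENT-ID", extra={"dominoRole": "extensionAttribute1"})
    print(json.dumps(prov, indent=2))
    print("missing mappers:", missing_required_mappers(maps))
    print("warnings:", transport_warnings(prov))
```

Post the provider representation first, then read the id Keycloak assigns to it from the Location header and use that id as the parentId of each mapper. The read.only mappers keep the directory authoritative; the extra dominoRole mapper is the "import user attributes to Keycloak" step above, after which the client mapper described in Synchronize SSO Group and Role carries the attribute on to Domino.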


Next steps

  • Set up Keycloak

  • Brokered Authentication through Single-Sign-On (SSO)

  • Limit concurrent user sessions

Copyright © 2023 Domino Data Lab. All rights reserved.