How to link / export existing Keycloak user to LDAP - jboss

I'm using Keycloak and just setup some OpenLDAP. Importing from LDAP to Keycloak works fine. Even new registrations and updates to users are synced nicely. But I can't find any way to:
a) Export existing Keycloak users to LDAP
b) Linking existing Keycloak users to existing LDAP users
When users already exist in Keycloak, during import I get the following error:
23:56:39,507 WARN [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default task-22) User 'foo' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider 'ldap'
Any ideas? Did I miss something obvious?

To send users to LDAP, please try to use the options "Edit mode: Writable" and "Sync Registrations: ON" on the LDAP configuration page in Keycloak (User Federation -> Ldap).
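The two settings named in the answer above, written out as the component body the Keycloak Admin REST API (POST /admin/realms/{realm}/components) stores them in, with a check that flags the settings that keep users from flowing to LDAP, and a small parser for the "not linked" warning quoted in the question so the pre-existing accounts can be listed rather than skipped silently on every sync. This is an added example, not code from the original post or from the Keycloak project. The config keys are Keycloak's own LDAP provider settings; the realm id, LDAP URL, DNs and bind password are placeholders, and the sample log is constructed in the shape of the warning in the question.

```python
import re
from typing import Dict, List, Tuple

LDAP_PROVIDER_TYPE = "org.keycloak.storage.UserStorageProvider"


def ldap_provider_body(realm_id: str, connection_url: str, users_dn: str,
                       bind_dn: str, bind_credential: str,
                       start_tls: bool = True) -> Dict:
    """ComponentRepresentation for an LDAP user-storage provider.  Keycloak
    stores every config value as a list of strings.  editMode WRITABLE plus
    syncRegistrations true are the two settings the answer points at: together
    they let Keycloak create newly registered users in LDAP instead of only
    reading from it."""
    return {
        "name": "ldap",
        "providerId": "ldap",
        "providerType": LDAP_PROVIDER_TYPE,
        "parentId": realm_id,
        "config": {
            "vendor": ["other"],                   # OpenLDAP is "other"; "ad" for Active Directory
            "connectionUrl": [connection_url],
            "startTls": ["true" if start_tls else "false"],
            "authType": ["simple"],
            "bindDn": [bind_dn],
            "bindCredential": [bind_credential],   # needs write access to usersDn in WRITABLE mode
            "usersDn": [users_dn],
            "usernameLDAPAttribute": ["uid"],
            "rdnLDAPAttribute": ["uid"],
            "uuidLDAPAttribute": ["entryUUID"],
            "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
            "editMode": ["WRITABLE"],              # READ_ONLY and UNSYNCED never write to LDAP
            "syncRegistrations": ["true"],
            "importEnabled": ["true"],
        },
    }


def check_settings(component: Dict) -> List[str]:
    """Findings a reviewer would raise against a provider body: the two settings
    that stop users reaching LDAP, and a plaintext connection, which exposes the
    bind credential and, in WRITABLE mode, every password Keycloak writes."""
    cfg = component.get("config", {})
    findings = []
    if cfg.get("editMode") != ["WRITABLE"]:
        findings.append("editMode=%s: Keycloak will not create or update users in LDAP"
                        % cfg.get("editMode", ["<unset>"])[0])
    if cfg.get("syncRegistrations") != ["true"]:
        findings.append("syncRegistrations is off: new registrations stay in the Keycloak database only")
    url = cfg.get("connectionUrl", [""])[0]
    if url.startswith("ldap://") and cfg.get("startTls") != ["true"]:
        findings.append("plaintext ldap:// without StartTLS: bind credential and synced passwords cross the wire unencrypted")
    return findings


# Constructed excerpt: the warning from the question (wrapped as in the post)
# plus a second, constructed occurrence for another account.
SAMPLE_LOG = """\
23:56:39,507 WARN  [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default
task-22) User 'foo' is not updated during sync as he already exists in
Keycloak database but is not linked to federation provider 'ldap'
23:56:40,001 WARN  [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default task-22) User 'bar' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider 'ldap'
"""

UNLINKED_RE = re.compile(
    r"User '([^']+)' is not updated during sync as he already exists in "
    r"Keycloak database but is not linked to federation provider '([^']+)'"
)


def unlinked_users(log_text: str) -> List[Tuple[str, str]]:
    """Return (username, provider) pairs for every 'not linked' warning, after
    undoing any line wrapping the log viewer or the post introduced."""
    flat = re.sub(r"\s+", " ", log_text)
    return UNLINKED_RE.findall(flat)


if __name__ == "__main__":
    body = ldap_provider_body("REALM-ID-PLACEHOLDER", "ldap://ldap.example.internal:389",
                              "ou=people,dc=example,dc=internal",
                              "cn=keycloak,ou=services,dc=example,dc=internal",
                              "BIND-PASSWORD-PLACEHOLDER")
    print(check_settings(body))        # []
    print(unlinked_users(SAMPLE_LOG))  # [('foo', 'ldap'), ('bar', 'ldap')]
```

The accounts `unlinked_users` lists are the ones the warning says Keycloak leaves untouched: they were created in Keycloak before the provider existed and carry no federation link, so flipping the provider to WRITABLE affects only users created or registered afterwards; the pre-existing ones still need to be reconciled by hand.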

Related

SSO Configuration on a Keycloak with existing user federation

I am trying to set up SSO between two Keycloaks. The target Keycloak, where I want to configure the SSO, has user federation set up in place and user management is disabled. I was thinking of configuring IdP brokering between my source Keycloak and the target Keycloak so that I can use the same authentication token.
I have configured login redirection, and when I try to log in to the target system, I am promptly redirected to the source Keycloak. Unfortunately, upon entering the username and password, I am presented with a dialog box stating that my user already exists and offering to either Review the profile or Add to existing profile.
Initially, I thought it was because user modification is disabled by the user federation. I have manually created the same username on the system which is providing the list of users, but even with this in place, I am still unable to log in and am presented with exactly the same error message.

Keycloak - restrict the access to the admin console

Is there any way to restrict access to the Keycloak admin console at the level of groups or user roles? Restriction by IP (and an Undertow filter to block external access) unfortunately does not quite suit me. I will be very grateful for any advice!
I tried to create roles for the security-admin-console and realm-management clients, but it didn't work; all the users still have access to the admin console.
It turned out that the problem was the realms' default groups. I checked them and there was an admin role by default in all the realms' default groups. For this reason, all users imported from a third-party IdP had the admin role by default and had access to the admin console.

Tableau SAML (Your account or password is incorrect)

I'm trying to enable additional authentication methods for Tableau Online by adding Keycloak as an IdP (SAML). I followed these steps:
Exported metadata from Tableau Online
Created a user in Keycloak with the same username as the username found in Tableau
Created a Realm and Client in Keycloak and imported the metadata exported from Tableau Online
Added a mapping in the Tableau client with "User Attribute" "username"
Exported metadata from Keycloak and inserted it in Tableau Online
When I try to test the connection, it redirects correctly to the Keycloak login page, but after I log in and Keycloak authenticates me, it redirects me back to the Tableau Online login page with an error: (Your account or password is incorrect)
Any idea why this might be happening?

Keycloak LDAP User Authentication not working

I have configured OpenLDAP with my Keycloak, so that user management is taken care of by LDAP. I have successfully synced the users from LDAP and I can see the user details in my list of users in Keycloak. I am using the master realm only.
But when I try to generate a token using the admin-cli client, it gives this error.
Even the Authorization Code flow doesn't work. Trying to log in via the Keycloak UI gives Invalid Credentials.
How can we use LDAP users for authentication in Keycloak?

Keycloak - Users in Role missing after sync with LDAP

I configured LDAP as User Federation (with role-ldap-mapper) and successfully imported users with their roles to Keycloak.
When I go to Users -> {user} -> Role Mappings I see every role that is assigned to a user (imported from LDAP), but when I go to Roles -> {role} -> Users In Role I see nothing.
Is it a bug or a feature? Or maybe I configured something wrong?
[Screenshots in the original post: Users roles; Empty Users in Roles; LDAP Role mapper configuration]
I faced the same issue. I changed the Mode (inside the LDAP role mapper) to Import instead of READ_ONLY and I was able to see users under a role.
Please create a mapper of type msad-lds-user-account-control-mapper.
It works for me.
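The mode change from the answer above, expressed as the role-ldap-mapper component body the Admin REST API stores, together with an audit over the component list that GET /admin/realms/{realm}/components returns, reporting every role mapper still in READ_ONLY or LDAP_ONLY mode (neither persists memberships in the Keycloak database, which is what the Users In Role tab queries). This is an added example, not code from the original post or from the Keycloak project; the config keys and mode names are the mapper's own, the component ids, realm id and roles DN are placeholders, and the sample component list is constructed.

```python
from typing import Dict, List

LDAP_PROVIDER_TYPE = "org.keycloak.storage.UserStorageProvider"
LDAP_MAPPER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"


def role_mapper_body(ldap_component_id: str, roles_dn: str, mode: str = "IMPORT") -> Dict:
    """ComponentRepresentation for a role-ldap-mapper, posted to
    /admin/realms/{realm}/components with the LDAP provider's id as parentId.
    mode is LDAP_ONLY, READ_ONLY or IMPORT; only IMPORT writes the memberships
    into the Keycloak database, so only IMPORT fills Roles -> Users In Role."""
    return {
        "name": "role-ldap-mapper",
        "providerId": "role-ldap-mapper",
        "providerType": LDAP_MAPPER_TYPE,
        "parentId": ldap_component_id,
        "config": {
            "roles.dn": [roles_dn],
            "role.name.ldap.attribute": ["cn"],
            "role.object.classes": ["groupOfNames"],
            "membership.ldap.attribute": ["member"],
            "membership.attribute.type": ["DN"],
            "membership.user.ldap.attribute": ["uid"],
            "mode": [mode],
            "user.roles.retrieve.strategy": ["LOAD_ROLES_BY_MEMBER_ATTRIBUTE"],
            "use.realm.roles.mapping": ["true"],
        },
    }


def audit_role_mappers(components: List[Dict]) -> Dict[str, List[str]]:
    """Per LDAP provider name, list role mappers whose mode is not IMPORT and
    providers that have no role mapper at all.  Input is the flat component
    list from the Admin REST API (each mapper carries its provider's id in
    parentId)."""
    providers = {c["id"]: c["name"] for c in components
                 if c.get("providerType") == LDAP_PROVIDER_TYPE
                 and c.get("providerId") == "ldap"}
    report = {name: [] for name in providers.values()}
    seen = set()
    for c in components:
        if c.get("providerType") != LDAP_MAPPER_TYPE or c.get("providerId") != "role-ldap-mapper":
            continue
        parent = providers.get(c.get("parentId"))
        if parent is None:            # mapper of some other provider; not ours
            continue
        seen.add(parent)
        mode = c.get("config", {}).get("mode", ["<unset>"])[0]
        if mode != "IMPORT":
            report[parent].append("%s: mode=%s, Users In Role stays empty until mode is IMPORT and a sync has run"
                                  % (c["name"], mode))
    for name in providers.values():
        if name not in seen:
            report[name].append("no role-ldap-mapper: LDAP group memberships are not mapped to roles")
    return report


# Constructed sample: one OpenLDAP provider whose role mapper is in READ_ONLY
# mode, the situation described in the question.
SAMPLE_COMPONENTS = [
    {"id": "LDAP-COMPONENT-ID-PLACEHOLDER", "name": "ldap", "providerId": "ldap",
     "providerType": LDAP_PROVIDER_TYPE, "parentId": "REALM-ID-PLACEHOLDER",
     "config": {"editMode": ["READ_ONLY"]}},
    {"id": "MAPPER-ID-PLACEHOLDER", "name": "role-ldap-mapper", "providerId": "role-ldap-mapper",
     "providerType": LDAP_MAPPER_TYPE, "parentId": "LDAP-COMPONENT-ID-PLACEHOLDER",
     "config": {"mode": ["READ_ONLY"], "roles.dn": ["ou=roles,dc=example,dc=internal"]}},
]

if __name__ == "__main__":
    print(audit_role_mappers(SAMPLE_COMPONENTS))
    fixed = SAMPLE_COMPONENTS[:1] + [role_mapper_body("LDAP-COMPONENT-ID-PLACEHOLDER",
                                                      "ou=roles,dc=example,dc=internal")]
    print(audit_role_mappers(fixed))  # {'ldap': []}
```

After switching an existing mapper to IMPORT, the memberships only appear once a full sync has run, so the audit deliberately phrases its finding that way rather than treating the mode change alone as the fix.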