Advice: One realm - Two User Federations Providers


Greetings from Argentina! I’m sorry about my english level, i would try to explain and be very clear with this issue i’m having.

I have an instance of Keycloak running with only one realm (Want to keep it that way), with different clients created and two user federation providers configured (DB2 for IBMi and LDAP for On premise AD).

DB2 is configured to have the higher priority. LDAP lowest.

We have created clients for a great number of APIs, front and back-end applications.

We have done some testing and test users can be autheticated by having a token assigned.

The problem i’m having is the following:

To search the users, some of the applications should go to DB2 and some should go to AD.

With the current configuration, it will search first in the DB2-IBMi database and, if not there, will go to the LDAP-AD database.

But how could i configure each client to have, for example:

client-app-ad -> LDAP Priority: 0 || DB2 Priority: 1
client-app-ibm -> DB2 Priority: 0 || LDAP Priority: 1

The reason of that configuration is because i have users with the same id (Same employee) in both repositories (DB2+LDAP), but some applications should go first to DB2 and other applications should go first to LDAP.

Credentials are not synced between DB2-IBM and LDAP-AD.

Two realms should fixed this BUT, we have a great number of APIs configured inside Keycloak, and different applications (DB2 or LDAP repository) calls the same APIs.

If we create two realms, one for DB2 and one for LDAP, we should also add the same APIs in both realms, as the tokens can’t be used between realms. Also, these would bring more configuration issues as the API Managers should configure each API to attend both realms, both repositories, don’t think it will work.

Does anybody had these same issue? How could i fix it?

Thank you very much for your help!


This problem was fixed by having DB2 users log in with their user-id, and LDAP users log in with their mail.