Choose user federation on login

Hi,

I'm looking for a best practice for my use case. Maybe anyone here had the same use case and can share knowledge.

I have two user federations in one realm (different active directories). Because both are completely independent, it occurs that the same username is used. In Microsoft applications you can use something like "ad1\ttestuser" and "ad2\ttestuser".

Is there a way I can configure Keycloak to choose the user federation on login? A solution would be to add a prefix to the username in the mapper, but there is no way to do it. I also could use different realms, but this would result in a lot of redundancies.

Thank you in advance :slight_smile:

Usernames must be unique over all user sources, see also https://www.keycloak.org/docs/latest/server_admin/index.html#dealing-with-provider-failures - last paragraph “When a Storage Provider lookup fails…”
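Since Keycloak requires usernames to be unique across all user storage providers in a realm, the practical check before enabling a second LDAP/AD provider is to look for colliding account names in the two directory exports. The following is an added example (not code from this thread or from Keycloak); the LDIF snippets and the directory labels "ad1" and "ad2" are constructed sample data.

```python
"""Pre-flight check for a Keycloak realm with several LDAP/AD user federation
providers: find sAMAccountName collisions between two directory exports
before the second provider is enabled, since Keycloak cannot import the same
username from two providers."""

from collections import defaultdict

# Constructed sample exports, shaped like `ldapsearch -LLL sAMAccountName` output.
AD1_LDIF = """\
dn: CN=Test User,OU=Users,DC=ad1,DC=example
sAMAccountName: testuser

dn: CN=Alice,OU=Users,DC=ad1,DC=example
sAMAccountName: alice
"""

AD2_LDIF = """\
dn: CN=Test User,OU=Staff,DC=ad2,DC=example
sAMAccountName: TestUser

dn: CN=Bob,OU=Staff,DC=ad2,DC=example
sAMAccountName: bob
"""


def usernames_from_ldif(ldif, attr="sAMAccountName"):
    """Return the set of usernames in an LDIF export, lower-cased because
    Keycloak stores usernames in lower case, so 'TestUser' and 'testuser'
    would collide."""
    names = set()
    for line in ldif.splitlines():
        if line.lower().startswith(attr.lower() + ":"):
            names.add(line.split(":", 1)[1].strip().lower())
    return names


def find_collisions(sources):
    """sources maps a directory label (e.g. 'ad1') to its LDIF export.
    Returns {username: [labels]} for every username that exists in more
    than one directory, i.e. every account Keycloak could not federate twice."""
    seen = defaultdict(set)
    for label, ldif in sources.items():
        for name in usernames_from_ldif(ldif):
            seen[name].add(label)
    return {name: sorted(labels) for name, labels in seen.items() if len(labels) > 1}


if __name__ == "__main__":
    for name, labels in find_collisions({"ad1": AD1_LDIF, "ad2": AD2_LDIF}).items():
        print(f"collision: {name!r} exists in {', '.join(labels)}")
```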

Ok, thanks. On Stack Overflow, I got a good hint on how to solve my problem: authentication - Keycloak same username in multiple federations - Stack Overflow

Keep in mind that such cross-realm identity brokering doubles resource usage. A user who authenticates will have 2 sessions, 1 in the originating realm and 1 in the brokering realm, thus the memory allocation will be doubled.