Correlating accounts and entitlements stored in different sources?

Hi there. I’m an IAM specialist who’s been tasked with integrating some applications which use Keycloak as a federation proxy to AD and AAD with an enterprise IAM service. The accounts aren’t a problem as we can simply connect to the AD source and bypass Keycloak completely, but the applications in question store entitlements separately from accounts in an instance of OpenLDAP. The IAM service needs to ingest both accounts and entitlements into its master identity record but only allows a single connection per application. In order to acquire both accounts and entitlements and be able to correlate them, we’d need 2 connections (one to AD and one to OpenLDAP).

Normally I’d avoid modifying existing infrastructure in any way, but this is one of those “whatever it takes” situations. I have considered developing an external service which synchronises account and entitlement data separately, correlates it, then writes the correlated information into a database. The IAM service could then be configured to use that database as its primary source for application identity data. The problem is, this approach doesn’t necessarily enable the kind of “write back” functionality which the IAM service needs to perform as part of automated provisioning and deprovisioning operations.

Is there any way of acquiring the entitlement data from OpenLDAP, correlating it with the incoming accounts from AD/AAD and storing it in a local database? I’m prepared to modify the target application to use the Keycloak database as its primary IdP if necessary. In other words, the same basic functionality as could be implemented as an external service, just implemented inside Keycloak and with write-back functionality (since Keycloak will sync account and entitlement data bi-directionally).

Apologies if this doesn’t make sense contextually. This is my first time working with Keycloak and I’m fumbling through my options in this specific use case.