How to configure redundant federation providers?

We use an Active Directory server in our local network as federation provider in Keycloak. Unfortunately the setup of a provider can only have a single server address. Our local network has several AD servers to provide redundancy for the Windows workstations. Now if that single AD host goes down (maint, update, reboot,…) the users can’t log in through Keycloak.
I wonder how to gain the full redundancy of at least having two AD servers configured in Keycloak and in a way Keycloak will seamlessly use another one if the currently used one fails.

I don’t believe there is a way to do this in Keycloak. According to the documentation, when a federation provider lookup fails, it does not fail over to the next one in the priority list.

The reason why Keycloak does not fail over if a Storage Provider lookup fails is that user databases often have duplicate usernames or duplicate emails between them. This can cause security issues and unforeseen problems as the user may be loaded from one external store when the admin is expecting the user to be loaded from another.

From:
https://www.keycloak.org/docs/latest/server_admin/#dealing-with-provider-failures

I get your point, but this is different. Especially in the case of a Microsoft Active Directory it is common to have multiple Domain Controllers all having the same (replicated/synced) user database. This is a basic redundancy concept of MSAD and it works pretty well. Therefore nearly every connection implementation I know is able to access an AD via several DCs, all giving the SAME answer.

So I really see no risk in using one of those available libraries which are able to distribute requests in a round-robin or failover method.

Right now, if a DC needs to be rebooted, our whole IAM is out of service, kicking out users meanwhile, which is more than bad and also unnecessary because there are enough working DCs around.

So instead of adding the same domain as separate federation providers, just add several DCs in one FP entry.

Is that something you’re doing today? Or are you suggesting that as a new feature? If you’re already doing it, can you show us what your configuration looks like? Thanks!

When configuring your user federation, try to set it up with multiple connection URLs, for example:
“ldaps://idm-master:636 ldaps://idm-rep-1:636”

Try to play with it, check if it works as expected.
I’m quite sure I have done something like that with Keycloak 4.8.3, but that was a long time ago; things may have changed since then.

Please update your results here.
I’m sure you are not alone with this type of situation.

And if it works for you, then something is wrong with the documentation that says it shouldn’t work, as xpg mentioned.

That is how I would like to have it…

Hi

Can confirm it works great with multiple server paths with spaces between them.

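A pre-flight check for the space-separated Connection URL form confirmed above, as an added example that is not part of this thread or of Keycloak itself: it splits the value into the individual domain controllers, probes each one (TCP connect plus a TLS handshake for ldaps), and reports which server an in-order failover would actually land on, so an admin can verify every listed DC answers before trusting the redundancy. The host names idm-master and idm-rep-1 are placeholders taken from the post above.

```python
"""Pre-flight check for a Keycloak LDAP federation Connection URL that lists
several domain controllers separated by spaces, e.g.
"ldaps://idm-master:636 ldaps://idm-rep-1:636".
Added example, not Keycloak code; host names are constructed placeholders."""
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_connection_urls(value):
    """Split a space-separated Connection URL value into (scheme, host, port)."""
    servers = []
    for url in value.split():
        parts = urlsplit(url)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"not an LDAP URL: {url!r}")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        servers.append((parts.scheme, parts.hostname, port))
    return servers


def probe(scheme, host, port, timeout=3.0):
    """True if the DC accepts a connection (and a valid TLS handshake for ldaps)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if scheme == "ldaps":
                ctx = ssl.create_default_context()  # verifies the DC certificate
                with ctx.wrap_socket(sock, server_hostname=host):
                    pass  # handshake completed, certificate chain validated
        return True
    except (OSError, ssl.SSLError):
        return False


def check_failover(value, probe_fn=probe):
    """Probe every listed DC in order; return per-server status and the first
    reachable server (what an in-order failover would use), or None if all are down."""
    statuses = [(f"{s}://{h}:{p}", probe_fn(s, h, p))
                for s, h, p in parse_connection_urls(value)]
    first_up = next((url for url, up in statuses if up), None)
    return statuses, first_up


if __name__ == "__main__":
    statuses, chosen = check_failover("ldaps://idm-master:636 ldaps://idm-rep-1:636")
    for url, up in statuses:
        print(f"{url}: {'reachable' if up else 'DOWN'}")
    print("logins would be served by:", chosen or "nobody, all DCs down")
```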