Hello Keycloak Community,
I’m currently working with Keycloak and facing a challenge that I believe some of you might have encountered. I have a situation where I need to switch a specific user from one User Federation provider to another within Keycloak, without impacting other users linked to the same federation provider.
Context:
- I have two User Federation providers set up in Keycloak: let’s call them `providerA` and `providerB`.
- There is a user, say `usernameOne`, who is currently linked to `providerA`.
- My goal is to switch `usernameOne` from `providerA` to `providerB`.
Challenge: The common solution seems to be using the “Unlink users” feature under User Federation for `providerA`. However, this approach unlinks all users associated with `providerA`, which is not feasible in my case as I need to change the federation link for only `usernameOne`.
What I’ve Tried:
- I’ve considered the suggestion of using the “Custom User LDAP Filter” for `providerA` to limit it to `usernameOne` and then unlink. However, I’m concerned about the potential risks or unintended consequences of this method.
- Directly interacting with the LDAP server is an option, but I’m looking for a solution that can be managed within Keycloak’s environment.
Questions:
- Has anyone successfully switched a single user between federation providers in Keycloak without affecting other users? If so, how did you achieve this?
- Are there any best practices or precautions to consider when using the “Custom User LDAP Filter” for such a purpose?
- Is there an alternative approach within Keycloak that I might have overlooked?
Any insights, suggestions, or shared experiences would be greatly appreciated. I’m looking for a solution that is both effective and minimizes the risk of disrupting other users.
Thank you in advance for your help!