Link existing account to federation provider

I’m currently trying to figure out whether user federation is suitable for my use case.

It looks like this:

Users can freely register and should only be stored in the keycloak database.
There is an initial set of users which should be imported from ldap and synchronized into groups if necessary.

Now it can happen that an existing (registered) account is added to ldap or at some point removed from ldap.
In these cases the group mappings should be updated accordingly but the user in keycloak should not be deleted.

In a small test I tried to register a user first and then enable ldap synchronization (with an intended collision), which yields the following error:

User with ID '00a8c928-97be-1037-9a8e-e5c6150c1234' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider 'ldap'

In theory this fits my use case as users should not be simply synchronized by nickname. However, is there a way to later link it to the federation provider?
Setting the LDAP_ID or LDAP_ENTRY_DN manually is rejected as these attributes are internal.

Hi, I don’t know if this is exactly what you need but if you click on your user you should have the identity provider link like this.

Thank you for the response. That seems like the functionality I’m looking for, but I don’t have that tab. Probably because it is for identity brokering but not user federation.

So probably I’ll have to revert to scripting or having another keycloak in front of the ldap.

@ThoreKr did you figure out how to do this?

LDAP_ID, LDAP_ENTRY_DN, createTimestamp, and modifyTimestamp are read-only attributes that you cannot add through the web interface. You cannot delete them either. As long as an ldap federation is enabled they will be present on accounts imported from ldap or created in keycloak and added to ldap. To remove them you have to delete them from the table in your database or delete the user.

It is possible to link an existing keycloak user to an ldap user object. You have to add the LDAP_ID, LDAP_ENTRY_DN, createTimestamp, and modifyTimestamp attributes to the user_attribute table and update the federation_link column on the users record in the user_entity table in the keycloak database. You will have to modify the database with a scripting language and appropriate library for your database. Once they are present the associated keycloak user will have a federation link on their details page.

Federation Link SQL

```sql
-- Point the user record at the LDAP user-federation provider.
-- Bracketed values are placeholders to fill in (see the legend below).
UPDATE user_entity
SET federation_link = '[LDAP_UUID]' WHERE id = '[USER_UUID]';
```

Federation Attributes SQL

```sql
-- Add the four read-only attributes that an LDAP-imported user carries.
-- Use a different [RANDOM_UUID] for each row.
INSERT INTO
user_attribute (name, value, user_id, id)
VALUES
('LDAP_ID', '[LDAP_USER_GUID]', '[KEYCLOAK_USER_ID]', '[RANDOM_UUID]'),
('LDAP_ENTRY_DN', '[LDAP_USER_DN]', '[KEYCLOAK_USER_ID]', '[RANDOM_UUID]'),
('createTimestamp', '[LDAP_USER_CREATED]', '[KEYCLOAK_USER_ID]', '[RANDOM_UUID]'),
('modifyTimestamp', '[LDAP_USER_MODIFIED]', '[KEYCLOAK_USER_ID]', '[RANDOM_UUID]');
```

[LDAP_USER_GUID] = the uuid for the object in ldap, in AD it is objectGUID.
[KEYCLOAK_USER_ID] = the uuid of the keycloak user, the ID attribute
[LDAP_USER_DN] = distinguishedName attribute of the object in ldap
[LDAP_USER_CREATED] = the created timestamp for the object in ldap. In AD it is whenCreated
[LDAP_USER_MODIFIED] = the modified timestamp for the object in ldap. In AD it is whenModified
[RANDOM_UUID] = randomly generated uuid. Needs to be provided as the column will not generate its own value, at least in postgresql it won’t.
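As an added example (not from the thread), the linking procedure from the answer above as a script: it checks that the user exists and is not already linked, then writes the federation_link and the four attributes in one transaction with parameterised SQL so DN values cannot break the statement. It runs against a constructed in-memory sqlite3 stand-in with a reduced schema (only the columns the link needs); the provider id, GUID, DN and timestamps are placeholder values.

```python
import sqlite3
import uuid

# The four read-only attributes an LDAP-imported Keycloak user carries.
LDAP_ATTRS = ("LDAP_ID", "LDAP_ENTRY_DN", "createTimestamp", "modifyTimestamp")

def open_demo_db():
    """Constructed stand-in for user_entity / user_attribute (reduced columns)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user_entity (id TEXT PRIMARY KEY, username TEXT,
                                  federation_link TEXT);
        CREATE TABLE user_attribute (id TEXT PRIMARY KEY, name TEXT, value TEXT,
                                     user_id TEXT REFERENCES user_entity(id));
        INSERT INTO user_entity VALUES
            ('00a8c928-97be-1037-9a8e-e5c6150c1234', 'alice', NULL);
    """)
    return db

def link_user(db, user_id, provider_id, ldap_guid, ldap_dn, created, modified):
    """Set federation_link and add the LDAP attributes in one transaction.
    Refuses a missing or already-linked user, so a rerun cannot double-insert."""
    cur = db.cursor()
    row = cur.execute("SELECT federation_link FROM user_entity WHERE id = ?",
                      (user_id,)).fetchone()
    if row is None:
        raise ValueError(f"no user_entity row with id {user_id}")
    if row[0] is not None:
        raise ValueError(f"user {user_id} already linked to {row[0]}")
    existing = {r[0] for r in cur.execute(
        "SELECT name FROM user_attribute WHERE user_id = ?", (user_id,))}
    if existing & set(LDAP_ATTRS):
        raise ValueError(f"user {user_id} already has LDAP attributes {existing}")
    values = dict(zip(LDAP_ATTRS, (ldap_guid, ldap_dn, created, modified)))
    with db:  # commit on success, roll back if any statement fails
        cur.execute("UPDATE user_entity SET federation_link = ? WHERE id = ?",
                    (provider_id, user_id))
        # One fresh UUID per row: the id column does not generate its own value.
        cur.executemany(
            "INSERT INTO user_attribute (id, name, value, user_id) VALUES (?, ?, ?, ?)",
            [(str(uuid.uuid4()), n, v, user_id) for n, v in values.items()])
    return values

def linked_attributes(db, user_id):
    """Return {name: value} of the attributes now stored for the user."""
    return dict(db.execute(
        "SELECT name, value FROM user_attribute WHERE user_id = ? ORDER BY name",
        (user_id,)))
```

Run it against a database copy first and compare the resulting rows with a user that was imported by the LDAP provider itself.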