Many companies have existing user databases that hold information about users and their passwords or other credentials. In many cases【多数情况下】, it is just not possible to migrate【迁移】 off of those existing stores to a pure Keycloak deployment. Keycloak can federate existing external user databases. Out of the box we have support for LDAP and Active Directory. You can also code your own extension for any custom user databases you might have using our User Storage SPI.
The way it works is that when a user logs in, Keycloak will look into its own internal user store to find the user. If it can’t find it there it will iterate over every User Storage provider you have configured for the realm until it finds a match. Data from the external store is mapped into a common user model that is consumed by the Keycloak runtime. This common user model can then be mapped to OIDC token claims and SAML assertion attributes.
示例:
以管理员身份登录keycloak,选择要操作的Realm,点击菜单【User Federation】,进入User Federation 管理页面。
Add Provider,选择ldap,填写相关信息:
参数说明:
Users DN: LDAP 树节点,如:“DC=home,DC=company,DC=com”,用户登录时,只匹配该节点下的用户。
Search Scope: 可选项:One Level 和 Subtree
One Level 表示只匹配Users DN节点下的直属用户。
Subtree 表示匹配Users DN节点的所有下属用户(含子节点直至叶子节点)。
填写完信息后,点击Save,完成 User Federation的新建。
User Federation的新建完成后,就可以使用User Federation的账号登录keycloak了。
更多内容参见keycloak官方文档:
http://www.keycloak.org/docs/latest/server_admin/index.html#_user-storage-federation