Active Directory (AD) Federation

Requirements 

 

 Keycloak 26.X installation 

 Active Directory Domain Controller with Port 389/636 available 

 Active Directory User with Directory Search Permissions and configured Password (non-interactive Service Accounts will not work) 

 

 Setup 

 

 Log into Keycloak, go to User federation 

 Click Add new provider and select LDAP from the Dropdown Menu 

 Configure a UI display name and set Vendor to Active Directory 

 Apply the following Settings 

 

 

 Connection Url: (ldap|ldaps)://<ip>:(389|636) 

 Enable StartTLS Off / On based on your Setup 

 Use Truststore SPI Always 

 Connection pooling On 

 Bind type to simple 

 Bind DN to your Active Directory User DN (example: CN=Ldap Bind,OU=Service Accounts,DC=example,DC=local ) 

 Bind credentials to your Active Directory User Password 

 

   

 

 Edit mode READ_ONLY for Federation only or WRITEABLE for 2-way sync 

 User DN to the base DN of your AD Structure (example: cn=users,dc=example,dc=local ) 

 Username LDAP attribute to sAMAccountName 

 User object classes to person, organizationalPerson, user 

 User LDAP Filter to (&(objectClass=person)(mail=*)) if you want to require a configured Mail Address. Good for allowing only real Accounts 

 Search Scope to Subtree for recursive searches or otherweise One Level 

 

 Synchronization Settings based on your desire.