Login with linked account and map to LDAP user


Will Furnell

Sep 28, 2021, 9:17:23 AM
to Keycloak User
Hello,
I'd like to be able to do the following with Keycloak - but I'm a bit stuck on the mapping stage and was wondering if anyone had any suggestions on how to achieve it please?

prerequisite: Keycloak is configured with an LDAP user federation to import accounts (but these accounts do NOT have passwords, so users cannot log into them directly), and an OpenID Connect IdP for login.

1. User logs in via the OpenIDC provider
2. User's OpenIDC login (linked account) is linked/bound/mapped to an existing LDAP user. We assume there is something in LDAP (either their email or sub or similar) that can be used to make sure that the user logging in via an IdP is the same one in LDAP.
3. User is able to log in with their identity provider, but their account username, details etc. are actually from LDAP

Is something like this possible please?
Thank you!
Will.

Sven-Torben Janus

Sep 30, 2021, 10:10:08 AM
to Keycloak User
Hello Will,

the default First Broker Login flow should support this out of the box, if I am not mistaken.
If a user's email address within your LDAP is identical to the one retrieved from the IdP, Keycloak should execute the "Handle Existing Account" sub-flow. You may then want to verify the existing account by email instead of re-authentication.

Best regards
Sven-Torben
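The flow change Sven-Torben describes, as an added example that is not part of the original thread and not Keycloak's own code: copy the built-in "first broker login" flow through the Keycloak Admin REST API, make "Verify Existing Account By Email" required and disable "Verify Existing Account By Re-authentication" (LDAP-imported users in this setup have no password, so re-authentication can never succeed), then bind the copied flow to the identity provider. The realm name "demo", the IdP alias "corp-oidc", the new flow alias "first broker login email-link", the base URL and the executions served by the fake session are all constructed assumptions; the `session` argument is anything with `get`/`post`/`put` like `requests.Session`, so the script can be run offline against the fake and pointed at a real server by passing an authenticated session instead.

```python
"""Link brokered OIDC logins to existing LDAP-federated accounts by e-mail
verification. Added example for this thread, not Keycloak's code.
Assumed (hypothetical) values: realm "demo", IdP alias "corp-oidc",
new flow alias "first broker login email-link"."""
from urllib.parse import quote

# Execution display names in Keycloak's built-in "first broker login" flow.
VERIFY_BY_EMAIL = "Verify Existing Account By Email"
VERIFY_BY_REAUTH = "Verify Existing Account By Re-authentication"


def plan_execution_updates(executions):
    """Return the execution representations that must be PUT back so that the
    link to an existing account is confirmed by e-mail only. Raises if the
    flow does not contain both verification steps (wrong flow copied)."""
    wanted = {VERIFY_BY_EMAIL: "REQUIRED", VERIFY_BY_REAUTH: "DISABLED"}
    missing = set(wanted) - {ex.get("displayName") for ex in executions}
    if missing:
        raise ValueError(f"flow is missing executions: {sorted(missing)}")
    updates = []
    for ex in executions:
        target = wanted.get(ex.get("displayName"))
        if target is not None and ex.get("requirement") != target:
            updated = dict(ex)
            updated["requirement"] = target
            updates.append(updated)
    return updates


def configure_first_broker_login(session, base_url, realm, idp_alias, new_alias):
    """Copy the built-in flow, adjust the two verification steps and bind the
    copy to the IdP. Returns the executions that were changed."""
    realm_url = f"{base_url}/admin/realms/{quote(realm, safe='')}"
    flows_url = f"{realm_url}/authentication/flows"

    # 1. The built-in flow is read-only, so work on a copy.
    r = session.post(f"{flows_url}/{quote('first broker login', safe='')}/copy",
                     json={"newName": new_alias})
    r.raise_for_status()

    # 2. Read the copy's executions and update the two verification steps.
    enc_alias = quote(new_alias, safe="")
    r = session.get(f"{flows_url}/{enc_alias}/executions")
    r.raise_for_status()
    updates = plan_execution_updates(r.json())
    for ex in updates:
        session.put(f"{flows_url}/{enc_alias}/executions", json=ex).raise_for_status()

    # 3. Point the IdP at the new flow without touching its other settings.
    idp_url = f"{realm_url}/identity-provider/instances/{quote(idp_alias, safe='')}"
    r = session.get(idp_url)
    r.raise_for_status()
    idp = r.json()
    idp["firstBrokerLoginFlowAlias"] = new_alias
    session.put(idp_url, json=idp).raise_for_status()
    return updates


class _FakeResponse:
    def __init__(self, payload=None, status=200):
        self._payload, self.status_code = payload, status

    def json(self):
        return self._payload

    def raise_for_status(self):
        if self.status_code >= 400:
            raise RuntimeError(f"HTTP {self.status_code}")


class FakeAdminSession:
    """Offline stand-in for requests.Session: serves a constructed subset of
    the default flow's executions and records every write."""

    def __init__(self):
        self.writes = []
        self.executions = [  # constructed sample, shape of the real response
            {"id": "e1", "displayName": "Handle Existing Account", "requirement": "REQUIRED", "level": 0},
            {"id": "e2", "displayName": "Confirm Link Existing Account", "requirement": "REQUIRED", "level": 1},
            {"id": "e3", "displayName": "Account verification options", "requirement": "REQUIRED", "level": 1},
            {"id": "e4", "displayName": VERIFY_BY_EMAIL, "requirement": "ALTERNATIVE", "level": 2},
            {"id": "e5", "displayName": VERIFY_BY_REAUTH, "requirement": "ALTERNATIVE", "level": 2},
        ]
        self.idp = {"alias": "corp-oidc", "providerId": "oidc",
                    "firstBrokerLoginFlowAlias": "first broker login"}

    def get(self, url, **kw):
        return _FakeResponse(self.executions if url.endswith("/executions") else self.idp)

    def post(self, url, json=None, **kw):
        self.writes.append(("POST", url, json))
        return _FakeResponse(status=201)

    def put(self, url, json=None, **kw):
        self.writes.append(("PUT", url, json))
        return _FakeResponse(status=204)


if __name__ == "__main__":
    fake = FakeAdminSession()
    changed = configure_first_broker_login(fake, "https://kc.example.test", "demo",
                                           "corp-oidc", "first broker login email-link")
    for method, url, body in fake.writes:
        print(method, url, body.get("requirement") or body.get("newName") or body.get("firstBrokerLoginFlowAlias"))
```

The account link is then only established after whoever controls the mailbox of the matching LDAP entry clicks the verification link, which is the property that replaces the password check; the match itself still depends on the e-mail the IdP asserts being the same as the one stored in LDAP.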

Will Furnell

Oct 4, 2021, 6:38:23 AM
to Keycloak User
Thank you! I'll give this a try,
Will.