Use Keycloak to "merge" the user attributes from multiple sources of a single Identity


Lun Zi

May 20, 2020, 7:28:11 AM
to Keycloak User
Hi Keycloak Community,

Is there a recommended way to retrieve the attributes for a user from multiple Federation Providers and store them in Keycloak? This way, Keycloak "merges" the different representations of that user from multiple user repositories and provides a single instance of that user to Keycloak clients.

For example, I want to use the LDAP federation provider to sync users from Active Directory and augment the users in Keycloak with attributes that are stored in the legacy user database. The JWTs minted by Keycloak would then contain attributes from LDAP and some from the legacy user database.

Thank you for your help!

Jonathan Meyler

May 22, 2020, 7:31:19 AM
to Keycloak User
To the best of my understanding, you are limited by what your user storage / federation provider (plugin) supports.
The LDAP provider only supports a single LDAP/Active Directory and doesn't understand other sources of data.

To solve this, you can develop a custom user storage provider that handles multiple sources and the merging of the data, or use a purpose-built tool like Midpoint or Apache Syncope to monitor your multiple sources of user data (LDAP/AD, database, CSV...), and push the aggregate user record into Keycloak.
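The merge step such a custom user storage provider would have to perform, as an added example that is not code from this thread or from Keycloak, written in Python rather than the Java SPI it would actually live in. The precedence policy (directory wins for identity-bearing attributes, so a lower-trust legacy database cannot override what clients authorize on), the source names and the sample records are constructed assumptions:

```python
from dataclasses import dataclass, field

# Hypothetical policy: for each attribute, the first listed source that has a value wins.
# Identity-bearing attributes may only come from the directory; a legacy-DB value for
# them is recorded as a conflict but never used, since clients authorize on these claims.
AUTHORITATIVE = {"username": ["ldap"], "email": ["ldap"], "employeeId": ["ldap"]}
DEFAULT_ORDER = ["ldap", "legacy"]


@dataclass
class Merged:
    attributes: dict   # attribute -> list[str], the multi-valued shape Keycloak stores
    provenance: dict   # attribute -> source the value was taken from
    conflicts: dict = field(default_factory=dict)  # attribute -> {source: values}


def as_list(value):
    return value if isinstance(value, list) else [value]


def merge_user(records):
    """records: {source_name: {attr: value or [values]}}; a None record (user absent
    from that source) is skipped rather than treated as an error."""
    merged, provenance, conflicts = {}, {}, {}
    names = {a for rec in records.values() if rec for a in rec}
    for attr in sorted(names):
        seen = {src: as_list(rec[attr]) for src, rec in records.items() if rec and attr in rec}
        allowed = [s for s in AUTHORITATIVE.get(attr, DEFAULT_ORDER) if s in seen]
        if not allowed:
            continue  # only a non-permitted source carries this attribute: drop it
        chosen = allowed[0]
        merged[attr] = seen[chosen]
        provenance[attr] = chosen
        if len({tuple(v) for v in seen.values()}) > 1:
            conflicts[attr] = seen  # surfaced for logging/alerting, not silently resolved
    return Merged(merged, provenance, conflicts)


# Constructed sample records for one person as seen by AD (via LDAP) and the legacy DB.
LDAP_USER = {"username": "jdoe", "email": "jdoe@corp.example", "employeeId": "4711",
             "memberOf": ["cn=staff,ou=groups,dc=corp,dc=example"]}
LEGACY_USER = {"email": "john.doe@old.example", "employeeId": "4711",
               "costCenter": "CC-42", "locale": "en-GB"}


def example():
    return merge_user({"ldap": LDAP_USER, "legacy": LEGACY_USER})


if __name__ == "__main__":
    m = example()
    print(m.attributes, m.provenance, m.conflicts, sep="\n")
```

The `conflicts` map is what you would want to log when the two repositories disagree, rather than letting whichever source synced last win.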
