User federation cascading mechanism


Daniel Chirca

Nov 16, 2021, 5:40:04 PM
to Keycloak User

Hi,

I am trying to set up my local Keycloak with two different user providers - one AD and one LDAP.

I would like to be able to let users login with the email address and either password (ad or ldap).
To do so, I try to:

disable “Login with email” in the login-settings of the realms.

set up for LDAP:
priority: 0
Username LDAP attribute: mail
RDN LDAP attribute: mail
UUID LDAP attribute: mail
Import Users: off

mapping Username: mail

set up for AD:
priority: 1
Username LDAP attribute: userPrincipalName
RDN LDAP attribute: userPrincipalName
UUID LDAP attribute: userPrincipalName
Import Users: off

mapping Username: userPrincipalName

I can log in with email with LDAP. If I try the same with the AD password, I am prompted with a wrong-password error.

I need to disable the LDAP user provider; then AD starts to work.

Is there a way to establish a cascade mechanism, so that if the first provider fails, an attempt with the second one is fired up with the same username (email in my case)?

Thank you!



Daniel Chirca

Nov 23, 2021, 4:24:55 AM
to Keycloak User
Any hints, please?

Niko Köbler

Nov 23, 2021, 5:33:03 AM
to Keycloak User
No, that's not possible. It was a design decision to not allow/implement such a behavior.
It's also mentioned somewhere in the docs.
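The behaviour reported above (LDAP password works, AD password for the same email fails, AD works only once LDAP is disabled) can be reproduced with a small model of priority-ordered user lookup. This is an added illustration written for this thread, not Keycloak source code; it assumes the lookup rules stated in its docstring, and the provider names, sample accounts and passwords are constructed.

```python
"""Simplified model of user lookup across several federation providers.

Assumed rules (a model of the reported behaviour, not Keycloak's code):
  1. Providers are consulted in ascending priority for the username.
  2. The first provider that knows the username becomes the user's owner
     (the federation link); lookup stops there.
  3. The password is validated only by the owning provider. A failure does
     not fall through to the next provider, so there is no cascade.
"""
from dataclasses import dataclass


@dataclass
class Provider:
    name: str
    priority: int
    username_attribute: str   # "mail" or "userPrincipalName" in the thread
    entries: dict             # constructed directory: username -> password

    def knows(self, username: str) -> bool:
        return username in self.entries

    def validate(self, username: str, password: str) -> bool:
        return self.entries.get(username) == password


@dataclass
class Realm:
    providers: list

    def resolve(self, username: str):
        """Rule 1 and 2: first provider, by priority, that knows the user."""
        for provider in sorted(self.providers, key=lambda p: p.priority):
            if provider.knows(username):
                return provider
        return None

    def login(self, username: str, password: str) -> str:
        owner = self.resolve(username)
        if owner is None:
            return "unknown user"
        # Rule 3: only the owning provider checks the password; no retry elsewhere.
        if owner.validate(username, password):
            return f"ok via {owner.name}"
        return f"wrong password ({owner.name})"


# Constructed sample data: the same email exists in both directories.
LDAP = Provider("ldap", 0, "mail", {"alice@example.com": "ldap-secret"})
AD = Provider("ad", 1, "userPrincipalName", {"alice@example.com": "ad-secret"})
BOTH = Realm([LDAP, AD])      # the setup from the first post
AD_ONLY = Realm([AD])         # LDAP provider disabled
```

`BOTH.login("alice@example.com", "ad-secret")` is rejected by LDAP because priority 0 wins the lookup, while `AD_ONLY` accepts it; that is the design limitation the answer refers to.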

Daniel Chirca

Nov 25, 2021, 8:13:36 AM
to Keycloak User
Thank you very much for the clarification!