Single sign-on with Keycloak

Master of the Keys

Synchronize with LDAP

The Mappers tab lets you map individual LDAP attributes to Keycloak attributes. To the default mappers, you can add others by pressing the Create button. You will need to create a group-ldap-mapper if you want to map LDAP user groups to user groups in Keycloak. Once set up, Keycloak will do the group mapping for you, just as in LDAP.

In Settings again, select the Synchronize all users button at the bottom. Remember that if you have a large directory, you will have to wait a few moments until all users have been imported. If no users are imported for you, check the attribute settings. If this does not help, check the User Object Classes . Only entries with these classes will be imported. As soon as the users are loaded from LDAP, you will receive a message (Figure 1). You can see how many users have been synchronized and how many failed to import.

Figure 1: Message confirming successful LDAP synchronization.

Now you can check the imported users in the Users menu item. You will notice that all your users have been assigned another internal Keycloak ID. If you have imported a large number of users, you can use the Search box for a quick search. The Impersonate button lets you log in directly as a specific user.

Test Login

If you have a user account in LDAP, test logging in by trying to log in to the Administration Console. If the login works, you will see a message stating that the access is Forbidden for this user. This information is all you need to test the basic functionality. Now click on your username in the upper right corner to enter the user menu, which takes you to an overview of the applications and active sessions in use.

If you want to use a second factor for login (e.g., Google Authenticator), you can set it up in Authentication . There, grab a shot of the QR code with the smartphone app, enter the currently generated code, and, for the sake of clarity, assign a name to the device you are using. Make sure that the times shown by your server and your device are not too far apart. If you want stricter time tolerance, you can configure this in the Administration Console under Authentication | OTP Policy . Adjust the value for the Look Ahead Window to suit your requirements.


In this article, you got to know Keycloak as the central switchboard for your single sign-on. The test installation is already usable for synchronizing LDAP users and connecting applications. Beyond what is shown here, you will find many more options for configuring identity management in your organization. For example, you can also configure passwordless login with WebAuthn (FIDO2) for your users.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Single sign-on like the big guys
    Keycloak is a robust and mature project that provides a modern single sign-on authorization experience and centralized authentication of your apps.
  • Registry for Docker images
    Running your own registry for Docker images is not difficult. We'll show you how to get started using the free docker_auth software.
  • LDAP integration with popular groupware suites
    Your LDAP directory holds user data for the whole network. Why not save time and avoid duplication by integrating the LDAP directory with your groupware environment?
  • Quick and easy SaaS provisioning for OpenLDAP
    Provisioning SaaS apps for OpenLDAP users with Okta Cloud Connect lets you retain control of your users' data and access to applications, yet gives them the tools they want.
  • OpenLDAP Workshop
    Centralized user management with LDAP or Active Directory is the standard today, although many prefer to manage user data manually rather than build this kind of infrastructure. In this article, we look at a better approach with OpenLDAP.
comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>


		<div class=