[22.0.4+] Keycloak User Federation Configuration (LDAP/AD)
- Space Sync for Confluence
Analytics
The authentication protocol that the customer decides to use is different per use case. Below is some guidance on how to configure a User Federation in Keycloak.
Configuring the User Federation
As we’re looking to authorize our users for the GetVisiblity dashboard (not Keycloak itself), make sure that it’s the gv realm selected in the top left, not master (unless you’re looking to authorize LDAP users to use Keycloak):
Click on the User Federation menu item on the left pane. This should load a list of configured user federations (none at first).
Click on Add Ldap providers to load the LDAP (Lightweight Directory Access Protocol) configuration
Update the Connection URL field to reflect the LDAP server address where the Active Directory is hosted
Click on the button Test connection to test the connection from the Keycloak instance to the LDAP server address.
This should succeed quickly. If it hangs, the LDAP server (i.e. a domain controller) may be blocking connections from the Keycloak server address (i.e. the IP of the server running the GetVisibility product). You may need to use the Public IP address of the LDAP server.Update the Bind DN field to reflect the user used to access the LDAP server. In this case, the user with username “admin” from the domain “domain.com”.
For Active Directory, the value for the Bind DN field could be serviceaccount@MY-AD-DC.LOCAL.
Update the Bind credentials field (see the above image) to contain the password used to access the LDAP server
Click “Test authentication” to confirm that the provided credentials work as expected:
Update the Users DN field to contain the Full DN of the LDAP tree where your users are.
The above value for the “Users DN” field will import all users to the gv realm. All users within the “domain.com” domain will get full administrative access for the GetVisiblity dashboard.
If this is not desired, make restrictions to which users are imported, e.g. CN=MyGroup,OU=Users,DC=MyDomain,DC=com
For AD Server federation, some may prefer to configure the Username LDAP attribute as sAMAccountName or userPrincipalName. See User Naming Attributes - Win32 appsand Active Directory LDAP Field Mappings.
(Optional) Within Synchronization settings, set up automatic synchronization of users from the LDAP Active Directory to Keycloak.
You can configure the auto-synchronization settings here if you like.Click the Save button at the bottom of the screen.
Synchronizing the Users to Keycloak DB
To get the users into the Keycloak DB, we need to synchronize the users for the first time (before the automatic synchronization happens, if applicable).
This is one simple step:
Click the button Synchronize all users to immediately fetch all of the LDAP Active Directory users and load them into the Keycloak instance DB
Troubleshooting Keycloak LDAP integration
Usually, any issues that occur during the LDAP Active Directory configuration process above will be related to Network accessibility concerns or authentication credentials being incorrect.
However, if you require any additional support or your problem is not easily resolved by troubleshooting Network communications and authentication details, please reach out to our support at support@getvisibility.com
Related content
Classified as Getvisibility - Partner/Customer Confidential