Active Directory as a User Federation in Keycloak

If you want to know how to connect an Active Directory to Keycloak through LDAP as a User Federation, You have come to the write place. I will go through the process step by step with commentary for more clarity.

Prerequisites

All you will need is Keycloak and an active directory you can connect to. But windows 10 does not allow users to create an active directory. You will need a Windows Server for that and a virtual machine is the easiest way to set one up. So If you are on windows 10 and don’t have an active directory, check out my other articles on Creating a Windows Server Virtual Machine and creating an Active Directory in a Windows Server.

Assuming that you have the perquisites checked, we will now move further step by step.

1. When you log into Keycloak for the first time, there will only be one realm, the master realm. To create a new realm, click on the little arrow next to the label ‘master’ in the upper left corner and click ‘Add realm’.

2. Choose a name for your new realm and click ‘Create’.

3. Now click on ‘User Federation’ on the left pane to navigate to user federation window. Select ‘ldap’ from the drop down selector to navigate further.

4. In the ‘Add user storage provider’ window, there is a lot to fill up. But i will go through them one by one.

5. Select ‘Active Directory’ as the vendor to fill the fields ‘Username LDAP attribute’, ‘RDN LDAP attribute’, ‘UUID LDAP attribute’ and ‘User Object classes’ automatically.

As the connection url, use ‘ldap://’ followed by your domain name. Since my domain name was ‘chain.demo’, I used ‘ldap://chain.demo’. Click on ‘test connection’ to see if the LDAP connection works.

Type ‘dsquery user -name ’ followed by the administrator’s name to get the ‘Bind DN’ and ‘Users DN’. Use the administrator password as the ‘Bind Credentials’ and click ‘Test Authentication’ to check whether it is correct.

Click ‘Save’ to finish up.

Now we will test whether what we did so far works or not.

6. Click ‘Clients’ in the left pane to navigate to clients window. Click the account-console base URL.

7. By clicking ‘Sign in’ button in the upper left corner to navigate to sign in page.

8. Use the credentials of any user in your active directory to sign in.

9. Voila, we just authenticated a user using an Active Directory. You can see that users account now.

10. To see the user we just tested, navigate to the Users tab by clicking ‘Users’ in the left pane and click ‘View all users’.

Congratulations! You have now connected an Active Directory as a User Federation in Keycloak.