LDAP and WildFly part 2: Using Keycloak

In the second tutorial about LDAP and WildFly we will learn how to create an LDAP based User Federation configured on Keycloak.

If you are new to Keycloak please refer to the base documentation: http://keycloak.jboss.org/docs. We have also provided two tutorials which could be a good start as well:

Keycloak can federate external user databases. Out of the box there's support for LDAP and Active Directory.

Shortcut!

If you want to get started quickly, simply import the Ldap-demo Realm which is available on GitHub: https://github.com/keycloak/keycloak/blob/master/examples/ldap/ldaprealm.json.

keycloak ldap tutorial wildfly

Next move to "Configure your Web application" section.

Configuring LDAP User Federation

In order to configure a federated LDAP store go to the Keycloak admin console: http://localhost:8080/auth/admin. You should start creating a new Realm to be used by your applications:

keycloak ldap tutorial wildfly

Next, select your Realm and click on the Users Federation menu option to get you to the User Federation page. When you get to this page, there is an "Add Provider" select box. You should see "ldap" within this list. Selecting "ldap" will bring you to the ldap configuration page. We will add here the ApacheDS LDAP settings, which are the same we have covered in the first tutorial:

keycloak ldap tutorial wildfly

Verify at fist that the connection is OK by clicking on the Test connection. Next verify also the authentication against the default ApacheDS bind DN: "uid=admin,ou=system"

Mappers

Out of the box, Keycloak is configured to import only username, email, first and last name, but you are free to configure mappers and add more attributes or delete default ones. It supports password validation via LDAP/AD protocols and different user metadata synchronization modes.

Here is the full list of attributes for our schema:

keycloak ldap tutorial wildfly

Clients configuration

Complete your configuration by generating a Client which will let you generate and install the configuration on your application. From the Clients menu, click on create an choose a Base URL for your application, such as "ldap-portal".

keycloak ldap tutorial wildfly

Save your configuration. Next step will be Exporting the client configuration in JSON or XML format. Click on the ldap-app:

keycloak ldap tutorial wildfly

Select the Installation tab and the Format Option (in our case JSON). Once done, click on Download and save it locally with a name such as keycloak.json.

keycloak ldap tutorial wildfly

Configure your Web application

Configuring your Web application requires two simple steps:

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <module-name>ldap-portal</module-name>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>LDAPApp</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ldap-user</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>does-not-matter</realm-name>
    </login-config>

    <security-role>
        <role-name>ldap-user</role-name>
    </security-role>
</web-app>

Now test an Test the example. In your web browser point to http://localhost:8080/ldap-portal . You can login either as jbrown with password password or as bwilson with password password . You can see that access token contains all the claims and role mappings corresponding to the LDAP data provided in LDIF.

Follow us on Twitter