Configure User Federation

This API is used to create a new user federation configuration for LDAP and Active Directory servers.

Request
URI
POST
https://{api_host}/tcsa.host.com/tcsa/api/auth-management/v1/user-federations
Request Body
UserFederationRequest of type(s) application/json
Required

Example with required properties only:

{
    "name": "my-ldap-config",
    "vendor": "AD",
    "username_ldap_attribute": "cn",
    "rdn_ldap_attribute": "uid",
    "uuid_ldap_attribute": "uid",
    "user_object_classes": "inetOrgPerson, organizationalPerson",
    "connection_url": "ldaps://<ip:port>",
    "users_dn": "ou=users,dc=tco,dc=com",
    "bind_dn": "cn=<bind-account>,ou=users,dc=tco,dc=com",
    "bind_credential": "string",
    "mapper": [
        {
            "ldap_attribute": "cn",
            "name": "my-mapper"
        }
    ]
}

Example with all properties, optional ones included:

{
    "name": "my-ldap-config",
    "enabled": true,
    "priority": 1,
    "import_enabled": true,
    "edit_mode": "READ_ONLY",
    "sync_registration": false,
    "vendor": "AD",
    "username_ldap_attribute": "cn",
    "rdn_ldap_attribute": "uid",
    "uuid_ldap_attribute": "uid",
    "user_object_classes": "inetOrgPerson, organizationalPerson",
    "connection_url": "ldap://<ip:port>",
    "users_dn": "ou=users,dc=tco,dc=com",
    "bind_type": "simple",
    "bind_dn": "cn=<bind-account>,ou=users,dc=tco,dc=com",
    "bind_credential": "string",
    "advanced": {
        "start_tls": true
    },
    "mapper": [
        {
            "ldap_attribute": "cn",
            "name": "my-mapper"
        }
    ]
}
string
name
Required

Name of the user-federation configuration

boolean
enabled
Optional

If the provider is disabled, it is not consulted for user lookups, and users already imported from it are disabled and read-only until the provider is enabled again. The value is "true" or "false". The default is "true".

integer
priority
Optional

Priority of the provider when doing a user lookup. Providers with lower values are consulted first.

boolean
import_enabled
Optional

If true, users are imported into the Keycloak database and kept current by the sync policies. The value is "true" or "false". The default is "true".

string
edit_mode
Optional

There are three possible values: READ_ONLY, WRITABLE and UNSYNCED. READ_ONLY treats LDAP as a read-only store. WRITABLE means changes are synced back to LDAP on demand. UNSYNCED means user data is imported but never written back to LDAP. The default is "READ_ONLY".

boolean
sync_registration
Optional

Whether newly created users are also created in the LDAP store. Priority determines which provider is chosen to sync a new user. The setting applies only when edit_mode is WRITABLE.

string
vendor
Required

LDAP vendor (provider). Use 'AD' for Active Directory and 'rhds' for Red Hat Directory Server.

string
username_ldap_attribute
Required

Name of the LDAP attribute that is mapped to the Keycloak user name. For many LDAP server vendors it is uid. For Active Directory it is typically sAMAccountName or cn. The attribute must be populated on every user record you want to import from LDAP into Keycloak.

string
rdn_ldap_attribute
Required

The name of the attribute used as the RDN (top attribute) of a typical user DN. It is usually the same as the username LDAP attribute, but this is not required. For example, with Active Directory it is common to use 'cn' as the RDN attribute while the username attribute is 'sAMAccountName'.

string
uuid_ldap_attribute
Required

Name of the LDAP attribute used as the unique object identifier for objects in LDAP (for example entryUUID on most LDAP servers or objectGUID on Active Directory).

string
user_object_classes
Required

All values of the LDAP objectClass attribute for users in LDAP, separated by commas.

string
connection_url
Required

Connection URL of your LDAP server, in the form ldap://host:port or ldaps://host:port. Prefer ldaps://, or ldap:// combined with advanced.start_tls, so that the bind credential and user attributes are not sent in clear text.

string
users_dn
Required

Full DN of the LDAP subtree that contains your users.

string
bind_type
Optional

Authentication method used for the LDAP bind operation. Supported values are 'simple' (bind with bind_dn and bind_credential) and 'none' (anonymous bind). The default is 'simple'.

string
bind_dn
Required

DN of the LDAP account that Keycloak binds as to access the LDAP server. Use a dedicated service account with read access to the users_dn subtree rather than a directory administrator; with edit_mode READ_ONLY no write permission is needed.

string
bind_credential
Required

Password of the bind_dn account.

advanced
Optional

Advanced connection settings. The example above shows start_tls (boolean): when true, Keycloak upgrades a plain ldap:// connection to TLS with the StartTLS extended operation before sending the bind.

mapper
Required

List of attribute mappers. Each entry maps an LDAP attribute (ldap_attribute) to a named mapper (name), as in the example body above.

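The end-to-end call described on this page, as an added example that is not code from the product or from this API reference: it checks a request body against the constraints stated in the field descriptions above (required properties, enum values, sync_registration only with WRITABLE, and a TLS-protected connection_url so the bind credential is not sent in clear text), then issues the POST and reads the id and Location header from the 201 response. The host name, the bearer-token Authorization header, the service-account DN and all sample values are assumptions; the page does not state which authentication method the endpoint uses.

```python
"""Create a user federation via the auth-management API.

Added example; not part of the product's API reference. The bearer-token
header, host name and sample values below are assumptions.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constraints taken from the field descriptions on this page.
REQUIRED = (
    "name", "vendor", "username_ldap_attribute", "rdn_ldap_attribute",
    "uuid_ldap_attribute", "user_object_classes", "connection_url",
    "users_dn", "bind_dn", "bind_credential", "mapper",
)
VENDORS = {"AD", "rhds"}
EDIT_MODES = {"READ_ONLY", "WRITABLE", "UNSYNCED"}
BIND_TYPES = {"simple", "none"}

# Constructed sample body; every value is a placeholder, not a real directory.
# bind_credential must come from a secret store in real use, never source code.
EXAMPLE_BODY = {
    "name": "my-ldap-config",
    "enabled": True,
    "priority": 1,
    "import_enabled": True,
    "edit_mode": "READ_ONLY",
    "sync_registration": False,
    "vendor": "AD",
    "username_ldap_attribute": "sAMAccountName",
    "rdn_ldap_attribute": "cn",
    "uuid_ldap_attribute": "objectGUID",
    "user_object_classes": "person, organizationalPerson, user",
    "connection_url": "ldaps://ldap.example.test:636",
    "users_dn": "ou=users,dc=tco,dc=com",
    "bind_type": "simple",
    "bind_dn": "cn=keycloak-svc,ou=service-accounts,dc=tco,dc=com",
    "bind_credential": "placeholder-from-secret-store",
    "advanced": {"start_tls": False},
    "mapper": [{"ldap_attribute": "cn", "name": "my-mapper"}],
}


def validate_federation(body):
    """Return a list of problems with the request body; empty means acceptable."""
    problems = []
    for key in REQUIRED:
        if body.get(key) in ("", None, []):
            problems.append(f"missing required property '{key}'")
    if "vendor" in body and body["vendor"] not in VENDORS:
        problems.append("vendor must be 'AD' or 'rhds'")
    edit_mode = body.get("edit_mode", "READ_ONLY")
    if edit_mode not in EDIT_MODES:
        problems.append("edit_mode must be READ_ONLY, WRITABLE or UNSYNCED")
    if body.get("sync_registration") and edit_mode != "WRITABLE":
        problems.append("sync_registration only takes effect with edit_mode WRITABLE")
    if body.get("bind_type", "simple") not in BIND_TYPES:
        problems.append("bind_type must be 'simple' or 'none'")
    # Transport check: the bind credential travels on this connection, so require TLS.
    url = urlparse(body.get("connection_url", ""))
    start_tls = bool((body.get("advanced") or {}).get("start_tls", False))
    if url.scheme not in ("ldap", "ldaps"):
        problems.append("connection_url must use the ldap:// or ldaps:// scheme")
    elif url.scheme == "ldap" and not start_tls:
        problems.append("ldap:// without advanced.start_tls sends the bind credential in clear text")
    elif url.scheme == "ldaps" and start_tls:
        problems.append("start_tls applies to ldap://, not to ldaps://")
    for i, m in enumerate(body.get("mapper") or []):
        if not isinstance(m, dict) or not m.get("ldap_attribute") or not m.get("name"):
            problems.append(f"mapper[{i}] needs both 'ldap_attribute' and 'name'")
    return problems


def build_request(api_host, token, body):
    """Build the POST from the URI on this page; bearer-token auth is an assumption."""
    url = f"https://{api_host}/tcsa.host.com/tcsa/api/auth-management/v1/user-federations"
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": f"Bearer {token}",
    }
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=headers, method="POST")


def create_user_federation(api_host, token, body, opener=urllib.request.urlopen):
    """Validate, POST, and return (id, Location) from the 201 response.

    `opener` is injectable so the flow can be exercised without a live server.
    """
    problems = validate_federation(body)
    if problems:
        raise ValueError("; ".join(problems))
    try:
        with opener(build_request(api_host, token, body)) as resp:
            if resp.status != 201:
                raise RuntimeError(f"unexpected status {resp.status}")
            return json.loads(resp.read().decode())["id"], resp.headers.get("Location")
    except urllib.error.HTTPError as exc:
        # 400/401/403/404/500 return no body per this page; report the status only.
        raise RuntimeError(f"user federation not created: HTTP {exc.code}") from exc
```

Run validate_federation on the body before every call: the page's own sample bodies would fail it on the connection URL scheme, which is exactly the misconfiguration that leaks the bind password on the wire.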
Authentication
This operation uses the following authentication methods.
Responses
201

Created

Returns UserFederationCreateResponse of type(s) application/json
{
    "id": "3b0f3634-dd06-4d88-b947-ae42a1a6f68b"
}
string
id
Required

The newly created unique user federation id.

Response Headers

string
Location

URL of the newly created user federation resource.


400

Invalid Request sent by the user

Operation doesn't return any data structure

401

User authentication failed

Operation doesn't return any data structure

403

Access to the requested resource/operation is forbidden

Operation doesn't return any data structure

404

Cannot find requested resource

Operation doesn't return any data structure

500

Internal server error

Operation doesn't return any data structure