Configure User Federation
This API creates a new user federation configuration for LDAP and Active Directory servers.

Request body with the required properties only (connection_url uses the ldap:// scheme; the server address is a placeholder):

{
  "name": "my-ldap-config",
  "vendor": "AD",
  "username_ldap_attribute": "cn",
  "rdn_ldap_attribute": "uid",
  "uuid_ldap_attribute": "uid",
  "user_object_classes": "inetOrgPerson, organizationalPerson",
  "connection_url": "ldap://<ip:port>",
  "users_dn": "ou=users,dc=tco,dc=com",
  "bind_dn": "ou=users",
  "bind_credential": "string",
  "mapper": [
    {
      "ldap_attribute": "cn",
      "name": "my-mapper"
    }
  ]
}
Request body with all properties, including the optional ones (connection_url uses the ldap:// scheme, which pairs with start_tls in the advanced block):

{
  "name": "my-ldap-config",
  "enabled": true,
  "priority": 1,
  "import_enabled": true,
  "edit_mode": "READ_ONLY",
  "sync_registration": false,
  "vendor": "AD",
  "username_ldap_attribute": "cn",
  "rdn_ldap_attribute": "uid",
  "uuid_ldap_attribute": "uid",
  "user_object_classes": "inetOrgPerson, organizationalPerson",
  "connection_url": "ldap://<ip:port>",
  "users_dn": "ou=users,dc=tco,dc=com",
  "bind_type": "simple",
  "bind_dn": "ou=users",
  "bind_credential": "string",
  "advanced": {
    "start_tls": true
  },
  "mapper": [
    {
      "ldap_attribute": "cn",
      "name": "my-mapper"
    }
  ]
}
Request body properties

name: Name of the user-federation configuration.

enabled: If the provider is disabled, it is not considered for queries, and users imported from it are disabled and read-only until the provider is enabled again. Values: true or false. Default: true.

priority: Priority of the provider during a user lookup; lower values are consulted first.

import_enabled: If true, users are imported into the Keycloak database and kept up to date according to the sync policies. Values: true or false. Default: true.

edit_mode: One of READ_ONLY, WRITABLE or UNSYNCED. READ_ONLY treats the LDAP store as read-only. WRITABLE syncs data back to LDAP on demand. UNSYNCED imports user data but never syncs it back to LDAP. Default: READ_ONLY.

sync_registration: Whether newly created users are also created in the LDAP store. Priority determines which provider is chosen to sync a new user. This setting applies only in WRITABLE edit mode.

vendor: LDAP vendor (provider). Use 'AD' for Active Directory and 'rhds' for Red Hat Directory Server.

username_ldap_attribute: Name of the LDAP attribute mapped to the Keycloak username. For many LDAP server vendors this is uid; for Active Directory it is typically sAMAccountName or cn. The attribute must be populated on every user record you want to import from LDAP into Keycloak.

rdn_ldap_attribute: Name of the attribute used as the RDN (top attribute) of a typical user DN. It is usually the same as the username attribute, but this is not required: for Active Directory it is common to use 'cn' as the RDN attribute while the username attribute is 'sAMAccountName'.

uuid_ldap_attribute: Name of the LDAP attribute used as the unique object identifier for objects in LDAP.

user_object_classes: All values of the LDAP objectClass attribute for users, separated by commas.

connection_url: Connection URL of your LDAP server.

users_dn: Full DN of the LDAP subtree that contains your users.

bind_type: Authentication method used during the LDAP bind operation. Supported values are 'simple' and 'none'. Default: 'simple'.

bind_dn: DN of the LDAP admin account that Keycloak uses to access the LDAP server.

bind_credential: Password of the LDAP admin account.

advanced: Advanced connection settings, such as start_tls (upgrade the connection with STARTTLS before the bind is sent).
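The following is an added example, not client code from the product or this API's documentation: it assembles a request body from the properties described above, applies the documented defaults and allowed values, and flags the settings a reviewer would question before the provider goes live (plaintext ldap:// without start_tls, anonymous bind, WRITABLE edit mode). The endpoint path `/user-federation`, the bearer-token header, the host names and the bind account DN are assumptions or constructed sample values; the field names, allowed values and defaults come from the page.

```python
"""Build, check and submit a user-federation configuration.

Added example; endpoint path, auth header and sample hosts are assumptions.
"""
import json
from urllib.parse import urlparse
from urllib.request import Request

EDIT_MODES = {"READ_ONLY", "WRITABLE", "UNSYNCED"}   # documented edit_mode values
BIND_TYPES = {"simple", "none"}                      # documented bind_type values


def build_config(name, vendor, username_ldap_attribute, rdn_ldap_attribute,
                 uuid_ldap_attribute, user_object_classes, connection_url,
                 users_dn, bind_dn=None, bind_credential=None, *,
                 enabled=True, priority=1, import_enabled=True,
                 edit_mode="READ_ONLY", sync_registration=False,
                 bind_type="simple", start_tls=None, mappers=()):
    """Return the request body as a dict, with the documented defaults
    applied and values the API would not accept rejected up front."""
    if edit_mode not in EDIT_MODES:
        raise ValueError(f"edit_mode must be one of {sorted(EDIT_MODES)}")
    if bind_type not in BIND_TYPES:
        raise ValueError(f"bind_type must be one of {sorted(BIND_TYPES)}")
    if bind_type == "simple" and not (bind_dn and bind_credential):
        raise ValueError("simple bind needs bind_dn and bind_credential")
    if urlparse(connection_url).scheme not in ("ldap", "ldaps"):
        raise ValueError("connection_url must start with ldap:// or ldaps://")
    # Normalise the comma-separated objectClass list (trim stray whitespace).
    classes = ", ".join(c.strip() for c in user_object_classes.split(",") if c.strip())
    body = {
        "name": name, "enabled": enabled, "priority": priority,
        "import_enabled": import_enabled, "edit_mode": edit_mode,
        "sync_registration": sync_registration, "vendor": vendor,
        "username_ldap_attribute": username_ldap_attribute,
        "rdn_ldap_attribute": rdn_ldap_attribute,
        "uuid_ldap_attribute": uuid_ldap_attribute,
        "user_object_classes": classes,
        "connection_url": connection_url, "users_dn": users_dn,
        "bind_type": bind_type,
        "mapper": [{"ldap_attribute": a, "name": n} for a, n in mappers],
    }
    if bind_type == "simple":
        body["bind_dn"] = bind_dn
        body["bind_credential"] = bind_credential
    if start_tls is not None:
        body["advanced"] = {"start_tls": start_tls}
    return body


def review_findings(body):
    """Return the points a reviewer would raise before enabling the provider."""
    findings = []
    scheme = urlparse(body["connection_url"]).scheme
    if scheme == "ldap" and not body.get("advanced", {}).get("start_tls"):
        findings.append("plaintext LDAP: the bind credential and user data cross "
                        "the network unencrypted; set advanced.start_tls or use ldaps://")
    if body["bind_type"] == "none":
        findings.append("anonymous bind: the directory must allow unauthenticated "
                        "reads of users_dn; confirm this is intended")
    if body["edit_mode"] == "WRITABLE":
        findings.append("WRITABLE edit mode writes back to the directory: limit "
                        "the bind account's write rights to users_dn")
    if body["sync_registration"] and body["edit_mode"] != "WRITABLE":
        findings.append("sync_registration has no effect unless edit_mode is WRITABLE")
    if not body["enabled"]:
        findings.append("provider disabled: imported users stay disabled and "
                        "read-only until it is enabled again")
    return findings


def create_request(api_base, token, body):
    """Prepare the POST (not sent here). Path and Authorization header are assumptions."""
    return Request(f"{api_base.rstrip('/')}/user-federation",
                   data=json.dumps(body).encode(), method="POST",
                   headers={"Content-Type": "application/json",
                            "Authorization": f"Bearer {token}"})


def parse_created(status, headers, raw_body):
    """Interpret the Created response: the new federation id from the body
    plus the Location response header that points at the created resource."""
    if status != 201:
        raise RuntimeError(f"unexpected status {status}: {raw_body[:200]}")
    return json.loads(raw_body)["id"], headers.get("Location")


# Constructed sample mirroring the page's example, on a plain ldap:// URL
# with STARTTLS enabled so the bind credential is not sent in the clear.
SAMPLE = build_config("my-ldap-config", "AD", "cn", "uid", "uid",
                      "inetOrgPerson, organizationalPerson",
                      "ldap://ldap.example.test:389", "ou=users,dc=tco,dc=com",
                      bind_dn="cn=svc-keycloak,ou=users,dc=tco,dc=com",
                      bind_credential="<bind-password>",
                      start_tls=True, mappers=[("cn", "my-mapper")])

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))
    for finding in review_findings(SAMPLE):
        print("finding:", finding)
```

Running the module prints the body and an empty findings list for the sample; dropping the advanced block or switching bind_type to "none" produces the corresponding finding, which is the check worth wiring into whatever pipeline provisions these configurations.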
Responses

201 Created

{
  "id": "3b0f3634-dd06-4d88-b947-ae42a1a6f68b"
}

id: The unique id of the newly created user federation.

Response headers

Location: The location of the newly created resource.

Error responses

400: Invalid request sent by the user.
401: User authentication failed.
403: Access to the requested resource or operation is forbidden.
404: Cannot find the requested resource.
500: Internal server error.