Enable OTP for Federated users in Keycloak - ldap

I have an external identity provider (OpenLdap or AD). I configured Keycloak to federate the users form Ldap server. I'd like to enable OTP flow for these users without impoting them in Keycloak's database. Is there any way or procedure to do it ?

OTP belongs to the user, so user must be imported in the Keycloak DB. So you can do that, but without without importing them in Keycloak's database requirement.

Related

Can Keycloack replace dap authentication?

Sorry but it doesn't accept "hi everyone "
I have several apps which are authenticated by ldap. can keycloack replace this authentication with ldap? and in this way I do not touch to the configuration Of applications ?
Thank you
You can read this article https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/user-federation/ldap.html
By default Keycloack copy your ldap data but you can choose keycloack use your ldap data :
By default, Keycloak will import users from LDAP into the local Keycloak user database. This copy of the user is either synchronized on demand, or through a periodic background task. The one exception to this is passwords. Passwords are not imported and password validation is delegated to the LDAP server. The benefits to this approach is that all Keycloak features will work as any extra per-user data that is needed can be stored locally. This approach also reduces load on the LDAP server as uncached users are loaded from the Keycloak database the 2nd time they are accessed. The only load your LDAP server will have is password validation. The downside to this approach is that when a user is first queried, this will require a Keycloak database insert. The import will also have to be synchronized with your LDAP server as needed.
Alternatively, you can choose not to import users into the Keycloak user database. In this case, the common user model that the Keycloak runtime uses is backed only by the LDAP server. This means that if LDAP doesn’t support a piece of data that a Keycloak feature needs that feature will not work. The benefit to this approach is that you do not have the overhead of importing and synchronizing a copy of the LDAP user into the Keycloak user database

Can Keycloak provide alternative authentication if LDAP is down

Let's say I want to have keycloak synced with the LDAP and use it as the source for authentication. (I've managed to do this already)
But is there a way to let the keycloak be itself the identity provider if, for some reason, the LDAP connection is down?
First you should avoid ldap going down, by setting HA, using HAproxy and keepalived for example, as for Keycloak, you can disable "Sync Registrations" in your keycloak LDAP IDP, and create users using the admin interface, these users are stored in your local database of keycloak, and not on the LDAP so even if its goes down those users can stil get access to Keyclaok.
Refer to https://www.janua.fr/understanding-keycloak-user-federation/ for more details.
I managed to create a custom LDAP Storage Provider to do this.
check How to create a custom UserStorageSPI on Keycloak

How to authentication one website using ldap when user was authenticated on another website using ldap

User is authenticated on website using LDAP. How do I automatically authenticate the same user on another website using LDAP. The two websites are on the same domain but separate websites- they both authenticate against same LDAP store. Is an authentication token somehow passed from one to next? Or the credentials or something..? Sort of new to LDAP auth...
You can not use LDAP to achieve Single Sign On. LDAP is an 'authentication protocol' and a 'data model'.
You either need a proprietary mechanism or some standards based technology like OIDC or SAML.

External authentication via LDAP

I am doing external authentication using LDAP. I have to authenticate a user via LDAP and allow the user to access many app servers. I want to know how to map all the ldap user ( users in ldap server Example:ldap://company1.local:389) with users in Database. I have created a external configuration object and assigned to a new http server with application level authentication. I dont want to store ldap user password in database. Do I have to create all users(same as in active directory) in database with some password and map them?
Yes, it's possible to configure ML to use external authentication via LDAP:
http://docs.marklogic.com/guide/security/external-auth

WSO2 Identity Server SSO integrated with spring-security

Now I'm trying to transform two website systems to SSO authentication using WSO2 Identity Server ,these two systems have
their own authentication,one of them use spring-security to control the url Authorities,i've just cut the spring-security intercept and successfully implement SSO authentication,now I wonder if I can implement SSO integrated with spring-security ,what confuse me is the two different systems have different User entity and their own authorization strategy,should I change the struct of them to the same now ?
you can create roles of both the applications in Identity server and assign them to an user. For example, If a user has role as ADMIN in application1 and USER in application2, you can assign both the roles to the same user in ID server.
I think Spring security authentications used in your applications won't be affected because you will use only Principal values to authenticate user.