Keycloak LDAP User Federation Explained

George Thomas · 4 min read

Introduction

Many organizations need Keycloak to read user details from external directories or databases. Keycloak supports a User Federation feature that allows integration with LDAP and Microsoft Active Directory servers. It also supports extending functionality through the User Storage SPI for custom integrations.

In this article, we discuss the built-in User Federation option for integrating an LDAP server with Keycloak.

Overview

In the Keycloak Admin Console, under a realm, navigate to:

User Federation → Add LDAP Provider


This option allows you to configure an LDAP server connection. Since LDAP provider configuration values vary between LDAP servers, this article does not cover those settings in detail.

This post covers the general settings that apply regardless of which directory product you run: how authentication is delegated to LDAP, whether users are imported, how passwords are handled, the edit modes, synchronization, mappers, provider priority and transport security.

Authentication Flow

By default, Keycloak looks the user up in its own database first and only then queries the configured federation providers. For a user that comes from an LDAP provider, Keycloak never copies the LDAP password into its local database; the password stays in the directory.

Instead, at login time Keycloak validates the password by performing an LDAP bind as that user's DN with the password the user typed. If the bind succeeds, the password is accepted. One consequence to plan for: when the directory is unreachable, LDAP-backed users cannot log in even if their profile has already been imported (the UNSYNCED edit mode described below is the one exception, once a password has been changed locally).

Will Keycloak Store LDAP Users in Its Own Database?

By default, yes. This behavior is controlled by the following setting:

  • Import Users toggle button

When Import Users is on, an LDAP user is copied into the Keycloak database the first time Keycloak sees it: at the user's first login, when the user turns up in an Admin Console search, or during a synchronization run.

Example Behavior

When a user logs in for the first time, or when the user appears in a search result in the Admin Console, the LDAP provider imports that user into the Keycloak database.

The imported user gets a locally generated UUID as its Keycloak ID, which shows that the record is persisted in the Keycloak database. The user detail page also shows a federation link pointing back to the LDAP provider the record came from.

If Import Users is turned OFF:

  • Users are not persisted in the Keycloak database
  • The displayed ID is not a local UUID but a federated identifier of the form f:<provider component id>:<external id>, which is why it looks like generated characters
  • User data is read from LDAP on every lookup, so directory latency and availability affect Keycloak directly

[Figure: the LDAP provider's Synchronization settings panel, with Import users (On), Sync Registrations (On), Batch size, Periodic full sync (Off) and Periodic changed users sync (Off).]

An imported user looks like this in the Admin Console:

[Figure: user details for John, showing the ID and Created at fields, a tooltip explaining that the user was imported locally from a UserStorageProvider, and the link to the LDAP federation provider.]

Password Handling

Even when users are imported into Keycloak, their LDAP passwords are not stored locally.

The Credentials tab of a federated user shows that password validation is delegated to LDAP. The one exception is UNSYNCED edit mode, in which a password changed through Keycloak is stored in the Keycloak database and checked there from then on.

This means:

  • User profile data may exist in Keycloak
  • Password verification still happens through the LDAP server

Edit Modes in LDAP Federation

When configuring LDAP User Federation, Keycloak requires an Edit Mode setting.

Available options are:

  • READ_ONLY
  • WRITABLE
  • UNSYNCED

READ_ONLY

In READ_ONLY mode:

  • User properties cannot be modified from Keycloak; an update attempt fails with an error
  • Changes must be made directly in LDAP
  • Fields appear disabled in the Keycloak Admin Console
  • The bind DN Keycloak uses needs only read access to the users DN, which makes this the least-privilege configuration

This mode is the usual choice when LDAP is the authoritative user store.


WRITABLE

In WRITABLE mode:

  • User data changes are written back to LDAP as they are made
  • Password changes made through Keycloak are written to LDAP rather than stored locally

If Sync Registrations is enabled:

  • Users created in Keycloak (by an administrator or through self-registration) are also created in LDAP

This mode is useful when Keycloak should actively manage LDAP users. It also means the bind DN needs write permission on the users DN, so restrict that service account to the subtree Keycloak manages rather than granting it directory-wide write access.


UNSYNCED

In UNSYNCED mode:

  • User data is imported from LDAP
  • Changes made in Keycloak, including password changes, are stored in the Keycloak database and not synchronized back to LDAP

This allows local customization of imported users without affecting the LDAP directory. UNSYNCED requires Import Users to be on; Keycloak rejects the combination of UNSYNCED with import disabled.

[Figure: the Edit mode selector and its tooltip: READ_ONLY (read-only), WRITABLE (syncs back on demand), UNSYNCED (imports only, no back-sync).]

User Synchronization

Keycloak provides flexible synchronization options for LDAP users.

A common recommendation is:

  1. After saving the provider, run Synchronize all users from the Action menu to import the directory once
  2. Turn on Periodic changed users sync so that entries created or modified since the last run are picked up

Changed-users sync selects entries by the directory's modify timestamp, so it sees new and modified entries but not deletions. If removals must propagate, also schedule a less frequent Periodic full sync.

LDAP Mappers

When an LDAP provider is created, Keycloak automatically creates a set of default LDAP mappers.

LDAP mappers define how LDAP attributes are mapped to Keycloak user attributes.

Examples include:

  • username
  • email
  • first name
  • last name
  • group mappings, via a group LDAP mapper (not among the defaults; add it when LDAP group membership should drive Keycloak groups and authorization)

Each mapper can be customized: which LDAP attribute feeds which Keycloak attribute, whether the attribute is read-only in Keycloak, and whether it is mandatory in LDAP.

Provider Priority

Keycloak also provides a Priority setting for User Federation providers.

This becomes important when multiple providers are configured.

The priority determines:

  • The order in which providers are queried when a user is not in the local database (lower numbers are queried first)
  • Which provider receives a user created in Keycloak when more than one provider has Sync Registrations enabled (again, the lowest number wins)
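To make the lookup order, import behaviour, password handling, edit modes and priority from the sections above concrete, here is a small executable model written for this post; it is an added illustration, not Keycloak's code. It assumes an in-memory stand-in for an LDAP server with constructed entries for alice and bob, a Realm class that plays the part of Keycloak's user lookup, and a simple bind as the credential check. Class and attribute names (LdapDirectory, LdapProvider, Realm, build_directory) are this example's own.

```python
"""Executable model of how Keycloak resolves LDAP-federated users (local database first,
then providers by priority), imports them, checks passwords and applies edit modes."""
import uuid
from dataclasses import dataclass
from typing import Optional

@dataclass
class LdapDirectory:                  # constructed stand-in for an LDAP server
    entries: dict                     # DN -> (attributes, password)

    def find(self, username):
        for dn, (attrs, _pw) in self.entries.items():
            if attrs.get("uid") == username:
                return dn, dict(attrs)            # a copy, like data read over the wire
        return None

    def bind(self, dn, password):                 # simple bind: LDAP checks the password itself
        return dn in self.entries and self.entries[dn][1] == password

    def modify(self, dn, attrs):
        self.entries[dn][0].update(attrs)

    def set_password(self, dn, password):
        self.entries[dn] = (self.entries[dn][0], password)

@dataclass
class LdapProvider:
    component_id: str                 # id of the provider component in Keycloak
    directory: LdapDirectory
    priority: int = 0                 # lower number = queried first
    edit_mode: str = "READ_ONLY"      # READ_ONLY | WRITABLE | UNSYNCED
    import_users: bool = True

    def __post_init__(self):
        if self.edit_mode == "UNSYNCED" and not self.import_users:
            raise ValueError("Keycloak rejects UNSYNCED with Import Users off")

@dataclass
class User:
    id: str
    username: str
    attrs: dict
    provider: LdapProvider            # the federation link back to the LDAP provider
    ldap_dn: str
    local_password: Optional[str] = None   # only ever set in UNSYNCED mode

class Realm:
    def __init__(self, providers):
        self.local = {}                                                # the Keycloak database
        self.providers = sorted(providers, key=lambda p: p.priority)   # ascending priority

    def lookup(self, username):
        if username in self.local:                # 1. local database first
            return self.local[username]
        for p in self.providers:                  # 2. providers, lowest priority number first
            hit = p.directory.find(username)
            if hit is None:
                continue
            dn, attrs = hit
            if p.import_users:                    # persisted locally under a generated UUID
                user = User(str(uuid.uuid4()), username, attrs, p, dn)
                self.local[username] = user
            else:                                 # transient id of the form f:<component>:<external id>
                user = User(f"f:{p.component_id}:{attrs['entryUUID']}", username, attrs, p, dn)
            return user
        return None

    def authenticate(self, username, password):
        user = self.lookup(username)
        if user is not None and user.local_password is not None:   # UNSYNCED user who changed it locally
            return user.local_password == password
        return user is not None and user.provider.directory.bind(user.ldap_dn, password)  # LDAP decides

    def _writable(self, username):
        user = self.lookup(username)
        if user.provider.edit_mode == "READ_ONLY":
            raise PermissionError("READ_ONLY: make the change in LDAP instead")
        return user

    def update_attribute(self, username, name, value):
        user = self._writable(username)
        user.attrs[name] = value                  # WRITABLE and UNSYNCED both update the local copy
        if user.provider.edit_mode == "WRITABLE":
            user.provider.directory.modify(user.ldap_dn, {name: value})   # only WRITABLE writes back

    def change_password(self, username, new_password):
        user = self._writable(username)
        if user.provider.edit_mode == "WRITABLE":
            user.provider.directory.set_password(user.ldap_dn, new_password)   # goes to LDAP only
        else:
            user.local_password = new_password    # UNSYNCED: stored in Keycloak, never sent to LDAP

def build_directory():
    """Constructed sample entries for this example; not real data."""
    alice = {"uid": "alice", "mail": "alice@example.com", "entryUUID": "e1"}
    bob = {"uid": "bob", "mail": "bob@example.com", "entryUUID": "e2"}
    return LdapDirectory({"uid=alice,ou=people,dc=example,dc=com": (alice, "alice-pw"),
                          "uid=bob,ou=people,dc=example,dc=com": (bob, "bob-pw")})
```

Run a READ_ONLY, a WRITABLE and an UNSYNCED realm against build_directory() and compare where an attribute or password change ends up: only WRITABLE touches the directory, only UNSYNCED ever holds a password in the Keycloak database, and a provider with import_users=False hands back an f:-prefixed transient id that never lands in the local store.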

LDAP Security Best Practice

When using Keycloak in production, LDAP communication should always be encrypted. Both the bind credential Keycloak uses to search the directory and every user password it validates travel over that connection, so plain ldap:// exposes them to anyone on the network path.

Instead of using:

ldap://myhost.com:389

Use secure LDAP:

ldaps://myhost.com:636

The alternative is to keep ldap:// and turn on Enable StartTLS in the provider settings, which upgrades the plain connection to TLS before any bind is sent. In either case Keycloak has to trust the certificate the directory presents: set Use Truststore SPI so the connection uses Keycloak's configured truststore, and make sure the CA that issued the directory certificate is in it. Use the Test connection and Test authentication buttons after saving to confirm that both the TLS handshake and the bind succeed.
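The added example below (not Keycloak's or Skycloak's code) builds the JSON representation the Admin REST API accepts for an LDAP provider, using the config keys the built-in LDAP provider stores, and lints it for the transport, trust, edit-mode, privilege and sync points made on this page; it also returns the REST call behind the Synchronize all users and Synchronize changed users actions from the User Synchronization section. The provider name corp-ldap, host myhost.com, the DNs and the credential are constructed placeholders, and the lint rules are this example's own, not a Keycloak feature.

```python
"""Builds the component representation Keycloak's Admin REST API accepts for an LDAP
user storage provider and lints it for the settings discussed in this post."""
from urllib.parse import urlparse


def ldap_provider_component(name, connection_url, users_dn, bind_dn, bind_credential,
                            edit_mode="READ_ONLY", import_users=True, sync_registrations=False,
                            priority=0, start_tls=False, use_truststore_spi="always",
                            changed_sync_period=-1, full_sync_period=-1):
    """Body for POST /admin/realms/{realm}/components (or kcadm.sh create components)."""
    def cfg(v):                       # Keycloak stores every config value as a list of strings
        return [str(v).lower() if isinstance(v, bool) else str(v)]
    return {
        "name": name,
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": {
            "enabled": cfg(True),
            "vendor": cfg("other"),                      # "ad" for Active Directory
            "connectionUrl": cfg(connection_url),
            "usersDn": cfg(users_dn),
            "authType": cfg("simple"),
            "bindDn": cfg(bind_dn),
            "bindCredential": cfg(bind_credential),      # masked as ********** when read back
            "editMode": cfg(edit_mode),
            "importEnabled": cfg(import_users),
            "syncRegistrations": cfg(sync_registrations),
            "priority": cfg(priority),
            "startTls": cfg(start_tls),
            "useTruststoreSpi": cfg(use_truststore_spi),  # "always" or "never"
            "usernameLDAPAttribute": cfg("uid"),
            "rdnLDAPAttribute": cfg("uid"),
            "uuidLDAPAttribute": cfg("entryUUID"),       # objectGUID on Active Directory
            "userObjectClasses": cfg("inetOrgPerson, organizationalPerson"),
            "searchScope": cfg(1),                        # 1 = one level, 2 = subtree
            "changedSyncPeriod": cfg(changed_sync_period),   # seconds; -1 disables
            "fullSyncPeriod": cfg(full_sync_period),
            "batchSizeForSync": cfg(1000),
        },
    }


def lint_ldap_component(component):
    """Findings a reviewer would raise before this provider goes to production."""
    c = {k: v[0] for k, v in component["config"].items()}
    url = urlparse(c["connectionUrl"])
    tls = url.scheme == "ldaps" or c["startTls"] == "true"
    findings = []
    if url.scheme not in ("ldap", "ldaps"):
        findings.append(f"TRANSPORT: unexpected scheme {url.scheme!r} in connectionUrl")
    elif not tls:
        findings.append("TRANSPORT: ldap:// without StartTLS sends the bind credential and every "
                        "user password in clear text; use ldaps:// or enable StartTLS")
    if tls and c["useTruststoreSpi"] == "never":
        findings.append("TRUST: TLS without the truststore SPI relies on the JVM default truststore; "
                        "point Keycloak's truststore at the CA that issued the directory certificate")
    if c["editMode"] == "UNSYNCED" and c["importEnabled"] != "true":
        findings.append("MODE: UNSYNCED needs Import Users on; Keycloak rejects this combination")
    if c["syncRegistrations"] == "true" and c["editMode"] != "WRITABLE":
        findings.append("MODE: Sync Registrations creates users in LDAP, which needs WRITABLE")
    if c["editMode"] == "WRITABLE":
        findings.append("PRIV: WRITABLE means the bind DN needs write access to usersDn; "
                        "restrict that account to this subtree")
    if c["authType"] == "simple" and not c["bindDn"]:
        findings.append("PRIV: simple bind with an empty bindDn is an anonymous bind")
    if c["importEnabled"] == "true" and c["changedSyncPeriod"] == "-1" and c["fullSyncPeriod"] == "-1":
        findings.append("SYNC: imported users are never refreshed; set changedSyncPeriod and a "
                        "less frequent fullSyncPeriod")
    return findings


def sync_request(realm, component_id, changed_only=False):
    """Method and path of the Admin REST call behind 'Synchronize all/changed users'."""
    action = "triggerChangedUsersSync" if changed_only else "triggerFullSync"
    return "POST", f"/admin/realms/{realm}/user-storage/{component_id}/sync?action={action}"
```

Write the returned dict to a file and submit it with `kcadm.sh create components -r <realm> -f ldap.json`; Keycloak stores the bind credential and masks it when the component is read back, so keep that file out of version control. The lint is deliberately opinionated: a READ_ONLY provider over ldaps:// with the truststore SPI enabled and a changed-users sync period comes back clean, while the ldap://myhost.com:389 example from the text is flagged first for transport.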

For more details on user federation, please visit this Keycloak documentation.

Summary

LDAP User Federation in Keycloak provides a flexible mechanism for integrating external user directories without migrating all users into Keycloak.

Key features include:

  • LDAP authentication support
  • Optional local user import
  • Multiple synchronization strategies
  • Flexible edit modes
  • LDAP-to-Keycloak attribute mapping
  • Secure LDAP communication using SSL/TLS

This makes Keycloak suitable for enterprise environments where centralized identity management and integration with existing directory services are required.

About Skycloak

Skycloak is a fully managed Keycloak platform hosted in the cloud. It enables organizations to leverage the power of open-source Keycloak IAM without the operational overhead of installing, maintaining, and scaling production-grade Keycloak environments — delivered securely and cost-effectively.

If you’re new to Skycloak, visit the Skycloak Getting Started Guide to learn more

Written by George Thomas, IAM Engineer

George is an IAM engineer with 23+ years in software engineering, including 14+ years specializing in identity and access management. He designs and modernizes enterprise IAM platforms with deep expertise in Keycloak, OAuth 2.0, OpenID Connect, SAML, and identity federation across cloud and hybrid environments. Previously at Trianz and a long-term contributor to Entrust IAM product engineering, George authors Skycloak's technical Keycloak tutorials.


© 2026 Skycloak. All Rights Reserved. Design by Yasser Soliman