User Federation
Last updated
User Federation enables ZTrust to connect to external user stores, such as an LDAP directory or a Kerberos realm, and to authenticate and provision users from them.
Upon selecting Add Kerberos providers, you will be directed to the screen below.
This indicates the display name of the provider when linked in the admin console.
This refers to the complete name of the server principal for the HTTP service, including the server and domain name.
This indicates the location of the Kerberos KeyTab file containing the credentials of the server principal.
When this toggle is ON, debug logging for Krb5LoginModule is written to standard output; when OFF, it is not. Leave it OFF outside troubleshooting, since the debug output can include principal names and ticket details.
When this toggle is ON, users may also authenticate with a username and password against the Kerberos database; when OFF, username/password authentication through this provider is not available.
This setting has two values:
READ_ONLY: Indicates a read-only LDAP store.
UNSYNCED: Implies that user data will be imported but not synced back to LDAP.
You can choose the most suitable option from the dropdown based on your needs.
When this toggle is ON, users must update their profile the first time they log in; when OFF, no profile update is required after the first login.
This is the cache policy for this storage provider, which can have the following values:
Default: Uses the global cache settings.
Evict_Daily: Cached entries for this provider are invalidated once a day at the configured time.
Evict_Weekly: Cached entries are invalidated once a week on the configured day and time.
Max_Lifespan: Each cache entry expires after the configured lifespan, given in milliseconds.
No_Cache: Users from this provider are not cached at all; every lookup goes to the backing store.
You can choose the most suitable option based on your needs. With any policy other than No_Cache, a change made directly in the backing store (for example, an attribute update) is not visible to ZTrust until the cached entry is evicted.
After making some changes, if you want to apply those changes, click on Save to implement those changes.
If you decide not to apply the changes, click on Cancel to discard them.
Upon selecting LDAP, you will be directed to the following screen.
This indicates the display name of the provider when linked in the admin console.
This indicates the LDAP vendor or provider.
You can select the most suitable option based on your requirements from the dropdown menu.
This indicates the connection URL to your LDAP Server.
When this toggle is ON, the connection to LDAP is upgraded to TLS with STARTTLS after it is opened; this disables connection pooling.
When OFF, no STARTTLS upgrade is performed. The connection is then encrypted only if the connection URL uses ldaps://; with a plain ldap:// URL, bind credentials and user data cross the network in clear text.
This setting specifies whether the LDAP connection will utilize the truststore SPI with the configured truststore. It can take two values:
Always: It will always use the truststore SPI.
Never: It will not use the truststore SPI.
You can select the most suitable option from the dropdown based on your requirements.
This toggle button, when activated (toggled ON), indicates that ZTrust should use Connection Pooling for accessing the LDAP Server.
When deactivated (toggled OFF), ZTrust does not use Connection Pooling.
You can adjust this setting according to your requirements by toggling it ON or OFF.
This setting determines the LDAP connection timeout duration, measured in milliseconds.
This specifies the type of authentication method used during LDAP Bind operation, which is utilized in most requests sent to the LDAP server.
It can have two values:
None: Indicates anonymous LDAP authentication.
Simple: Refers to Bind Credential + Bind Password authentication.
You can select the preferred option from the dropdown according to your requirements.
This is the DN of the account ZTrust binds to LDAP as (often called the LDAP admin). It does not have to be the directory administrator: a dedicated service account holding only the rights the chosen edit mode needs (search access for READ_ONLY and UNSYNCED, write access to the users DN for WRITABLE) limits the damage if the credential leaks.
This is the password of that bind account.
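The connection URL, StartTLS, truststore SPI, connection pooling and bind type settings above interact with each other. The following script is an added example, not ZTrust's own code: it lints a provider's connection settings and flags the combinations a reviewer would reject, such as a simple bind over a plain ldap:// URL. The dictionary keys are an assumed naming that mirrors the labels on this page, the sample settings are constructed, and the note that the "Never" truststore option falls back to the Java runtime's default truststore is an assumption about the underlying Keycloak behaviour rather than something this page states.

```python
from urllib.parse import urlsplit

# Constructed settings for this example. The keys are assumed names that mirror
# the labels on this page, not ZTrust's actual configuration keys.
WEAK = {
    "connection_url": "ldap://ldap.example.internal:389",
    "start_tls": False,
    "truststore_spi": "Never",
    "connection_pooling": True,
    "bind_type": "simple",
}

STARTTLS_POOLED = {
    "connection_url": "ldap://ldap.example.internal:389",
    "start_tls": True,
    "truststore_spi": "Never",
    "connection_pooling": True,
    "bind_type": "simple",
}

HARDENED = {
    "connection_url": "ldaps://ldap.example.internal:636",
    "start_tls": False,
    "truststore_spi": "Always",
    "connection_pooling": True,
    "bind_type": "simple",
}


def lint_ldap_connection(s):
    """Return a list of findings for one LDAP provider's connection settings.
    An empty list means no transport-level weakness was spotted."""
    findings = []
    scheme = urlsplit(s["connection_url"]).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        return ["unknown URL scheme %r; expected ldap:// or ldaps://" % scheme]

    tls_from_start = scheme == "ldaps"
    encrypted = tls_from_start or s["start_tls"]

    if not encrypted:
        findings.append("plaintext LDAP: use an ldaps:// URL or enable StartTLS")
        if s["bind_type"] == "simple":
            findings.append("simple bind over plaintext exposes the bind DN password on the wire")
    if tls_from_start and s["start_tls"]:
        findings.append("StartTLS on an ldaps:// URL: the session is already TLS, use one or the other")
    if s["start_tls"] and s["connection_pooling"]:
        findings.append("StartTLS disables connection pooling, so the pooling toggle has no effect")
    if encrypted and s["truststore_spi"] == "Never":
        # Assumption: 'Never' means the Java runtime's default truststore is used
        # instead of the truststore configured for ZTrust.
        findings.append("truststore SPI is Never: the server certificate is not checked against the configured truststore")
    if s["bind_type"] == "none":
        findings.append("anonymous bind: the directory must allow unauthenticated search of the users DN")
    return findings


if __name__ == "__main__":
    for name, settings in (("WEAK", WEAK), ("STARTTLS_POOLED", STARTTLS_POOLED), ("HARDENED", HARDENED)):
        print(name, lint_ldap_connection(settings) or ["ok"])
```

Run it against a settings export before enabling a provider; the HARDENED set (ldaps://, truststore Always) produces no findings, while the WEAK set shows both the plaintext transport and the exposed bind password.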
This setting has three values:
READ_ONLY: Indicates a read-only LDAP store.
WRITABLE: Signifies that data will be synced back to LDAP on demand.
UNSYNCED: Implies that user data will be imported but not synced back to LDAP.
You can choose the most suitable option from the dropdown based on your needs.
This specifies the full DN of the LDAP tree where your users are located.
This DN is a parent of LDAP Users.
This specifies the name of the LDAP attribute that is mapped as the ZTrust username.
It indicates the name of the LDAP attribute that is used as the RDN (top attribute) of the typical user DN.
Typically, it is the same as the username LDAP attribute, but it is not required to be so.
This specifies the name of the LDAP attribute that is used as the unique object identifier for objects in LDAP. While for many LDAP server vendors it is the entry UUID, some may use different attributes.
If your LDAP server does not support the notion of UUID, you can choose any other attribute that is supposed to be unique among LDAP users in the tree.
It specifies the objectClass attribute values for users in LDAP, separated by commas.
When new ZTrust users are created, they will have all these object classes assigned.
Existing LDAP user records will only be retrieved if they include all of these object classes.
This is an additional LDAP filter applied when searching for users, for example to restrict federation to members of one group. Leave it empty if no extra filtering is needed.
The filter must be a complete LDAP filter expression enclosed in parentheses, such as (memberOf=cn=app-users,ou=groups,dc=example,dc=com); a bare attribute=value pair is not accepted.
This setting can have two values:
One Level: The search applies only to users in the DNs specified by the User DNs.
Subtree: The search applies to the entire subtree.
You can select your preferred option from the dropdown based on your requirements.
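The username attribute, user object classes, custom filter and search scope above are combined into one LDAP search. The script below is an added example, not ZTrust's code: it shows one way such a provider assembles the search (an assumed composition: a conjunction of one objectClass assertion per configured class, the custom filter, and an equality on the username attribute), validates the parentheses rule for the custom filter, and escapes the login name per RFC 4515 so that a crafted username cannot rewrite the filter. Function names, the sample DNs and the sample usernames are constructed for the example.

```python
def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
    '*', '(', ')', '\\' and NUL become \\XX hex escapes and non-ASCII becomes
    escaped UTF-8 bytes. Without this, a login name such as '*)(uid=*' turns the
    lookup into a wildcard match (LDAP filter injection)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 127:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def custom_filter_problem(custom: str):
    """Return None if the custom filter is acceptable, else a message."""
    custom = custom.strip()
    if not custom:
        return None
    if not (custom.startswith("(") and custom.endswith(")")):
        return "custom LDAP filter must be enclosed in parentheses"
    depth = 0
    for ch in custom:  # escaped parentheses are written as \28 / \29, so raw ones are structural
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return "unbalanced parentheses in custom LDAP filter"
    return None if depth == 0 else "unbalanced parentheses in custom LDAP filter"


def build_user_search_filter(object_classes, custom_filter="", username_attr=None, username=None):
    """Assumed composition of the provider's user search filter."""
    classes = [c.strip() for c in object_classes.split(",") if c.strip()]
    if not classes:
        raise ValueError("at least one user object class is required")
    problem = custom_filter_problem(custom_filter)
    if problem:
        raise ValueError(problem)
    parts = ["(objectClass=%s)" % escape_filter_value(c) for c in classes]
    if custom_filter.strip():
        parts.append(custom_filter.strip())
    if username is not None:
        if not username_attr:
            raise ValueError("username_attr is required when looking up a username")
        parts.append("(%s=%s)" % (username_attr, escape_filter_value(username)))
    return "(&" + "".join(parts) + ")"


SEARCH_SCOPES = {"One Level": "onelevel", "Subtree": "subtree"}


def search_plan(users_dn, scope, object_classes, custom_filter="", username_attr=None, username=None):
    """Combine the page's settings into the base, scope and filter the search would use."""
    if scope not in SEARCH_SCOPES:
        raise ValueError("search scope must be 'One Level' or 'Subtree'")
    return {
        "base": users_dn,
        "scope": SEARCH_SCOPES[scope],
        "filter": build_user_search_filter(object_classes, custom_filter, username_attr, username),
    }


if __name__ == "__main__":
    # Constructed sample: a normal login and an injection attempt.
    for name in ("jdoe", "*)(uid=*"):
        print(search_plan("ou=people,dc=example,dc=com", "Subtree",
                          "inetOrgPerson, organizationalPerson",
                          "(memberOf=cn=app-users,ou=groups,dc=example,dc=com)",
                          "uid", name)["filter"])
```

With One Level, the base is the users DN itself and only entries directly beneath it match; with Subtree, users in nested OUs are also found, which is usually what is wanted when the users DN is the top of a larger tree.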
This setting specifies the LDAP read timeout duration, measured in milliseconds.
It applies to LDAP read operations.
This toggle button, when activated (toggled ON), indicates that the LDAP server supports pagination. When deactivated (toggled OFF), the LDAP server does not support pagination.
You can adjust it according to your requirements by toggling it ON or OFF.
This setting determines whether LDAP referrals should be followed or ignored. If referrals are enabled, authentication may slow down since the LDAP server can direct queries to other LDAP servers, potentially including untrusted ones.
This toggle button, when activated (toggled ON), indicates that LDAP users will be imported into the ZTrust database and synced according to the configured sync policies.
When deactivated (toggled OFF), the users will not be imported.
You can adjust this setting according to your requirements by toggling it ON or OFF.
This toggle button, when activated (toggled ON), indicates that newly created users will be created within the LDAP Store.
The priority affects which provider is chosen to sync the new user.
When deactivated (toggled OFF), newly created users will not be created within the LDAP Store.
You can adjust this setting according to your requirements by toggling it ON or OFF.
This is the number of LDAP users imported from LDAP into ZTrust in a single transaction.
When this toggle is ON, all LDAP users are periodically re-synchronized to ZTrust in full; when OFF, no periodic full synchronization runs.
Enabling it reveals another field, Full Sync Period.
This is the interval between two full synchronizations, in seconds.
When this toggle is ON, users that were created or changed in LDAP since the last run are periodically synchronized to ZTrust; when OFF, no such periodic synchronization runs.
Enabling it reveals another field, Changed Users Sync Period.
This is the interval between two synchronizations of changed or newly created users, in seconds.
When this toggle is ON, users can authenticate over HTTP with SPNEGO/Kerberos tokens, and the user data for a successfully authenticated principal is provisioned from this LDAP server.
When OFF, HTTP authentication with SPNEGO/Kerberos tokens is disabled.
Once enabled, the following settings become available:
It specifies the name of the Kerberos realm that you want to integrate with your LDAP system.
It refers to the complete name of the server principal for the HTTP service, including both the server and domain name.
It indicates the location of the Kerberos KeyTab file, which contains the credentials of the server principal.
It denotes the LDAP attribute name that corresponds to the Kerberos principal. This attribute is used to locate the appropriate LDAP users following successful Kerberos authentication.
If left empty, the LDAP user will be identified based on the LDAP username that matches the first part of the Kerberos principal.
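The Kerberos realm and Kerberos principal attribute settings decide which LDAP entry an authenticated ticket maps to. The script below is an added example, not ZTrust's code, showing the lookup decision described above: it splits the principal at its last unescaped "@", refuses a ticket whose realm is not the configured one (a realm check of this kind is an assumption about the provider's behaviour; Kerberos realms are compared case-sensitively), and then uses either the configured principal attribute with the full principal or, when that attribute is empty, the username attribute with the part before the "@". The principal and attribute names in the sample are constructed.

```python
def split_principal(principal: str):
    """Split 'name@REALM' at the last unescaped '@'. A backslash escapes the
    next character, as in Kerberos principal syntax, so 'j\\@doe@EXAMPLE.COM'
    has the local part 'j\\@doe'. Returns (local_part, realm)."""
    at = -1
    i = 0
    while i < len(principal):
        if principal[i] == "\\":
            i += 2
            continue
        if principal[i] == "@":
            at = i
        i += 1
    if at <= 0 or at == len(principal) - 1:
        raise ValueError("principal must have the form name@REALM")
    return principal[:at], principal[at + 1:]


def principal_in_realm(principal: str, kerberos_realm: str) -> bool:
    """True if the ticket's realm equals the configured realm (case-sensitive)."""
    _, realm = split_principal(principal)
    return realm == kerberos_realm.strip()


def ldap_lookup_for_principal(principal, kerberos_realm, username_attr, principal_attr=""):
    """Return the (attribute, value) pair used to find the LDAP entry for an
    authenticated Kerberos principal, or raise PermissionError if the ticket
    comes from a realm other than the configured one (assumed policy)."""
    if not principal_in_realm(principal, kerberos_realm):
        raise PermissionError("principal %r is not in the configured realm %r" % (principal, kerberos_realm))
    local, _ = split_principal(principal)
    attr = principal_attr.strip()
    if attr:
        # Configured principal attribute: match the whole principal, e.g.
        # krbPrincipalName=jdoe@EXAMPLE.COM
        return attr, principal
    # Empty principal attribute: fall back to the username attribute and the
    # part of the principal before the '@'.
    return username_attr, local


if __name__ == "__main__":
    # Constructed sample principal and settings.
    print(ldap_lookup_for_principal("jdoe@EXAMPLE.COM", "EXAMPLE.COM", "uid"))
    print(ldap_lookup_for_principal("jdoe@EXAMPLE.COM", "EXAMPLE.COM", "uid", "krbPrincipalName"))
```

The returned pair is what goes into the equality term of the user search (escaped as for any other filter value); setting the principal attribute is the safer choice when usernames in LDAP are not guaranteed to equal the Kerberos local part.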
When this toggle is ON, debug logging for Krb5LoginModule is written to standard output; when OFF, it is not.
This toggle button, when activated (toggled ON), utilizes the Kerberos login module to authenticate username/password against the Kerberos server instead of authenticating against the LDAP server with Directory Service API.
When deactivated (toggled OFF), the Kerberos login module is not used.
You can adjust this setting according to your requirements by toggling it ON or OFF.
This is the cache policy for this storage provider, which can have the following values:
Default: Uses the global cache settings.
Evict_Daily: Cached entries for this provider are invalidated once a day at the configured time.
Evict_Weekly: Cached entries are invalidated once a week on the configured day and time.
Max_Lifespan: Each cache entry expires after the configured lifespan, given in milliseconds.
No_Cache: Users from this provider are not cached at all; every lookup goes to the LDAP server.
You can choose the most suitable option based on your needs. With any policy other than No_Cache, a change made directly in LDAP is not visible to ZTrust until the cached entry is evicted.
This toggle button, when activated (toggled ON), enables the use of the LDAPv3 Password Modify Extended Operation (RFC 3062) for password updates. This extended operation typically requires that the LDAP user already has a password set in the LDAP server.
When deactivated (toggled OFF), the Password Modify Extended Operation cannot be used.
You can adjust it according to your needs by toggling it ON or OFF.
When this toggle is ON, ZTrust checks a new password against the realm password policy before writing it to the LDAP-mapped user.
When OFF, the ZTrust password policy is not applied: the password is written to the LDAP server as given, subject only to any password policy the LDAP server itself enforces.
You can adjust it according to your needs by toggling it ON or OFF.
When this toggle is ON, email addresses supplied by this provider are trusted: users are not asked to verify them even if email verification is enabled for the realm.
When OFF, an email address supplied by this provider must be verified like any other.
Only enable it when the directory is the authoritative source of email addresses and its entries cannot be edited by the users themselves.
After making some changes, if you want to apply those changes, click on Save to implement those changes.
If you decide not to apply the changes, click on Cancel to discard them.