Flexible Login with Multiple Identifiers and Credential Sources

Support login with email, username, passport, or national ID—plus credentials from legacy IAMs, HRMS, or core banking systems. Deliver frictionless access without compromising identity consistency or security.

Login with email, username, government ID, or external system credentials

Why It Matters

Enterprises often maintain multiple identity sources and login conventions. Public-sector users or citizens use national ID numbers. Cross-border users authenticate with passport or tax IDs. Banks, HRMS, and legacy systems store existing credentials.

With Keymate's Multi-Identifier Login, you can:

Allow login using external IAM or core system credentials
Support multiple unique identifiers without duplicating accounts
Apply different authentication flows per identifier source
Migrate gradually from legacy systems using existing credentials

Bring Your Own Identifier—and Credential Source

1. The user enters any identifier: email, national ID, or external user ID.
2. The identifier is matched in Keycloak or a federated source.
3. If needed, login is delegated to a legacy IAM, HRMS, or core banking service.
4. MFA or risk-based flows apply based on context.
5. Login succeeds, with full traceability.

Supported Identifiers & Credential Sources

Key Components:

Identifiers:

Email, username
Passport or national ID (SSN, Aadhaar, NIN)
Taxpayer or registry ID
External IAM or core system username
HRMS employee ID or personnel code

Credential sources:

Keycloak internal DB
LDAP/Active Directory
Legacy IAM via authenticator proxy
Core banking or external systems via Keymate Gateway

Extension Highlights — What Makes It Unique

Multiple Identifiers

Match user via any of several attributes (email, ID, passport, etc.)

External Credential Delegation

Delegate login to external systems like legacy IAM or banking apps

Source-Specific Policies

Define MFA/risk rules based on identifier type or credential source

Seamless Federation

Combine internal and federated sources into a unified login experience

Full Audit Trail

Track which identifier and which system handled the authentication

Frequently Asked Questions

Yes. You can allow users to continue logging in with their legacy credentials—even while transitioning to Keycloak.
Absolutely. Use a proxy-based login extension to validate credentials in core banking systems without duplicating user data.
Keymate can auto-provision the user in Keycloak and enrich their token using upstream attributes.
Yes. All credential checks, MFA flows, and audit logs comply with enterprise security policies.

How to Use This Feature

Follow these steps to enable:

1. Install the Multi-Identifier Authenticator extension
2. Configure attribute match rules per tenant or realm
3. Optionally integrate external credential validation (e.g., via proxy or LDAP)
4. Set source-specific MFA and risk policies
5. Monitor audit logs and tune policies accordingly
