
Federate LDAP Users Seamlessly—With Dynamic Mapping and Attribute Control

Enable secure and flexible user federation from enterprise LDAP directories. Keymate's enhanced LDAP extension provides dynamic field mapping, scoped role assignments, and smart sync strategies—all fully integrated into Keycloak.

Dynamic User Federation and Attribute Mapping via LDAP

Why It Matters

Many large organizations still rely on internal LDAP systems (such as Microsoft AD, OpenLDAP, or 389 Directory Server) for managing user identities. However, native LDAP support in Keycloak is limited in terms of flexibility and automation. Keymate's LDAP Federation Extension solves that by offering:

  • Dynamic mapping of LDAP attributes to Keycloak fields
  • Attribute-based role assignment and org mapping
  • Real-time on-login federation without persistent duplication
  • Tenant-aware logic for multi-tenant environments

This allows you to keep your LDAP authoritative while making Keycloak smarter and more adaptive.

Federate, Map, and Enrich in Real Time—No Duplication Needed

Real-Time LDAP Federation

LDAP stays the source of truth—no need for pre-synchronization or user duplication unless explicitly required.

Example: User attributes are fetched and mapped from LDAP at login time without local duplication.

Key Components

When a user logs in, this extension:

  • Connects to LDAP using realm-specific configuration
  • Searches and retrieves the user entry by configurable filters
  • Maps LDAP attributes to Keycloak user fields or session notes
  • Enriches the token or session with additional LDAP-derived context
  • Optionally assigns roles or org-units based on LDAP groups or OUs
  • Supports dynamic overrides, fallback logic, and multi-source scenarios

Extension Highlights — What Makes It Unique

Dynamic Attribute Mapping

Map LDAP fields like department, title, orgUnit to any Keycloak attribute

Scoped Role Assignment

Assign roles based on LDAP group membership or org path

Session Enrichment

Populate session notes or tokens with LDAP metadata

Multi-Directory Support

Use different LDAP settings per realm or tenant

On-Demand Federation

Users are fetched and resolved at login—no pre-sync required

Fallback & Default Handling

Supports fallback values or custom handlers for missing fields

Custom Filter Logic

Flexible LDAP filter templates for complex queries (e.g. (&(objectClass=user)(employeeType=active)))
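The login-time flow above (filter template, attribute mapping with fallbacks, and role derivation from group membership) in one runnable Python sketch. This is an added example, not the extension's own code: the mapping config format, the `{username}` template placeholder, the group-to-role table and the sample entry are all assumptions made up for illustration; the one fixed point is that any login input substituted into a filter template is escaped per RFC 4515 so it cannot alter the filter structure.

```python
# Constructed sample entry, shaped like a result from the user search (not real data)
SAMPLE_ENTRY = {
    "uid": ["jdoe"],
    "mail": ["jdoe@example.test"],
    "department": ["Finance"],
    "memberOf": ["cn=finance-admins,ou=groups,dc=example,dc=test",
                 "cn=staff,ou=groups,dc=example,dc=test"],
}

# Hypothetical mapping config: (LDAP attribute, Keycloak field, options)
ATTRIBUTE_MAP = [
    ("mail", "email", {"required": True}),          # login fails if absent
    ("department", "department", {"default": "unassigned"}),  # fallback value
    ("title", "jobTitle", {"optional": True}),      # left unset if absent
]

# Hypothetical scoped role rules: LDAP group DN -> Keycloak role
GROUP_ROLES = {
    "cn=finance-admins,ou=groups,dc=example,dc=test": "finance-admin",
    "cn=staff,ou=groups,dc=example,dc=test": "employee",
}

# RFC 4515 filter escapes; each character is mapped once, so no double escaping
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a value before substituting it into an LDAP filter template."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template, **values):
    """Fill a template such as (&(objectClass=user)(uid={username})) safely."""
    return template.format(**{k: escape_filter_value(v) for k, v in values.items()})

def map_attributes(entry, mapping):
    """Apply the mapping config, honouring default/optional/required handling."""
    fields = {}
    for ldap_attr, kc_field, opts in mapping:
        values = entry.get(ldap_attr)
        if values:
            fields[kc_field] = values[0]  # LDAP attributes are multi-valued; take the first
        elif "default" in opts:
            fields[kc_field] = opts["default"]
        elif opts.get("required"):
            raise ValueError(f"required LDAP attribute {ldap_attr!r} is missing")
    return fields

def derive_roles(entry, group_roles):
    """Translate memberOf group DNs into Keycloak roles; unknown groups are ignored."""
    return sorted({group_roles[g] for g in entry.get("memberOf", []) if g in group_roles})
```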

Frequently Asked Questions

By default, no. It resolves them dynamically at login time. Optionally, you can enable auto-creation with customizable fields.
Yes. Roles can be derived based on LDAP group membership or attribute values.
Yes. It supports AD, OpenLDAP, and other standard LDAP implementations.
You can define fallbacks, default values, or mark them as optional in the mapping config.
Yes. Each realm or tenant can have its own LDAP configuration.

How to Use This Extension

Follow these steps to enable the LDAP Federation Extension.

Implementation Steps

  1. Deploy the LDAP Federation extension into your Keycloak instance
  2. Configure LDAP connection parameters per realm (URL, bind DN, search base)
  3. Define dynamic mappings from LDAP attributes to Keycloak fields
  4. Set up optional role assignment logic based on mapped attributes
  5. Test login with LDAP users and monitor mapping results
  6. Enable token enrichment or session logging as needed

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.