We have an application that uses Keycloak (currently version 4.8.3.Final; an upgrade to 11 is planned). Today we connected ActiveDirectory so that users can access the software via LDAP authentication. Now we want to change the ActiveDirectory and would like to keep the users, but switch them from the current User Federation to the new one.
Is this possible? If so, how would I do it? (I could not find it in the documentation.)
Best answer
As far as I know, this is not possible, because when you perform a login with a user from an external User Federation (i.e. Active Directory), the authentication of the credentials (i.e. checking whether the username/password match) is done on the User Federation side, not in Keycloak, which means Keycloak does not store all of the user information (e.g. the user credentials).
By default, Keycloak will import users from LDAP into the local Keycloak user database. This copy of the user is either synchronized on demand, or through a periodic background task. The single exception to this is the synchronization of passwords. Passwords are never imported. Their validation is always delegated to the LDAP server. The benefits of this approach is that all Keycloak features will work as any extra per-user data that is needed can be stored locally. The downside of this approach is that each time that a specific user is queried for the first time, a corresponding Keycloak database insert is performed.
From this one can infer that you will not be able to:
Now we want to change the ActiveDirectory and would like to keep the users, but switching them from the current User Federation to the new one.
Furthermore, from a design point of view, IMO such functionality should not be the responsibility of the IdP.
Regarding "active-directory - Keycloak: migrate users from one User Federation to another", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/67092479/