Add SASL EXTERNAL authentication for LDAP federation using TLS Registry #48832

Draft
tsaarni wants to merge 1 commit into keycloak:main from Nordix:mutual-tls-for-ldap

Conversation

@tsaarni (Contributor) commented May 8, 2026

Note

This is a PoC for SASL EXTERNAL client certificate authentication for LDAP federation using the Quarkus TLS registry.
#7365 (comment)

This change adds support for the SASL EXTERNAL method, using an X.509 certificate as client credentials for LDAP federation. It works with both LDAPS and LDAP + StartTLS.

This is a much simplified successor of #7365, replacing the custom KeyStore SPI proposal with the Quarkus TLS Registry, which includes similar functionality and much more. As there is no prior precedent for using the TLS registry in Keycloak, configuration happens at the Quarkus level. Example via environment variables:

QUARKUS_TLS_LDAP_KEY_STORE_PEM__0__CERT=/path/to/ldap-admin.pem
QUARKUS_TLS_LDAP_KEY_STORE_PEM__0__KEY=/path/to/ldap-admin-key.pem
QUARKUS_TLS_LDAP_RELOAD_PERIOD=10s

For trusted certificate KC_TRUSTSTORE_PATHS is used:

KC_TRUSTSTORE_PATHS=/path/to/ca.pem

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
tsaarni force-pushed the mutual-tls-for-ldap branch from 70e13e8 to a3a37c4 on May 8, 2026 10:45
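The PR description above configures the TLS registry purely by pointing it at PEM files (client cert, client key, and the CA via KC_TRUSTSTORE_PATHS), so a misconfiguration only surfaces as an LDAP bind failure at runtime. The following pre-flight script is an added example, not code from the PR or from Keycloak: it checks, before the files are handed to the registry, that the client certificate chains to the trusted CA, that the key actually belongs to the certificate, that the key file is owner-readable only, and that the certificate is not about to expire (useful to pair with the reload period, which only helps if the rotated files are valid). It assumes only that `openssl` is on PATH; every path is supplied by the caller, and the file names in the usage line are placeholders matching the PR's example.

```shell
#!/bin/sh
# Added example (not part of the PR or of Keycloak): pre-flight checks for the
# PEM files given to the Quarkus TLS registry for LDAP SASL EXTERNAL.
# Assumes `openssl` is on PATH. All paths are caller-supplied.
#
# usage: check_client_pem CA_PEM CERT_PEM KEY_PEM [MIN_REMAINING_SECONDS]
# Returns 0 when all of the following hold, 1 (with a reason on stderr) otherwise:
#   1. the client cert chains to the CA that KC_TRUSTSTORE_PATHS points at
#   2. the private key is the one belonging to the client cert
#   3. the key file has no group/other permission bits set
#   4. the cert stays valid for at least MIN_REMAINING_SECONDS (default 0)
check_client_pem() {
  ca=$1; cert=$2; key=$3; min_remaining=${4:-0}

  # 1. chain check: the same verification the LDAP server performs on the presented cert
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca" >&2; return 1
  fi

  # 2. pair check: the SubjectPublicKeyInfo in the cert must equal the key's public half
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "FAIL: cannot read $cert" >&2; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "FAIL: cannot read $key" >&2; return 1; }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key is not the private key for $cert" >&2; return 1
  fi

  # 3. permission check: columns 5-10 of `ls -l` are the group and other bits (portable across ls flavours)
  go_bits=$(ls -ld "$key" | cut -c5-10)
  if [ "$go_bits" != "------" ]; then
    echo "FAIL: $key is group/world accessible ($go_bits)" >&2; return 1
  fi

  # 4. expiry check: -checkend N succeeds only if the cert is still valid N seconds from now
  if ! openssl x509 -in "$cert" -noout -checkend "$min_remaining" >/dev/null 2>&1; then
    echo "FAIL: $cert expires within $min_remaining seconds" >&2; return 1
  fi
  return 0
}

# Run as a script: ./check_client_pem.sh ca.pem ldap-admin.pem ldap-admin-key.pem [seconds]
if [ "$#" -ge 3 ]; then
  check_client_pem "$@" || exit 1
  echo "OK: $2 and $3 are ready for the TLS registry"
fi
```

Run it against the same three paths that go into QUARKUS_TLS_LDAP_KEY_STORE_PEM__0__CERT, QUARKUS_TLS_LDAP_KEY_STORE_PEM__0__KEY and KC_TRUSTSTORE_PATHS; passing a fourth argument larger than the reload period (for example 86400) turns the expiry check into an early warning that the rotated certificate will lapse before anyone notices.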