KB Article #178566
SecureTransport and Keycloak 2.5.5 limitations
Problem
Keycloak allows the import of LDAP users (LDAP cached mode) into its database, so that requests are not sent to LDAP each time a user logs in.
However, the import fails for users whose email address is not unique.
Resolution
There are several possible workarounds, depending on the specific use case:
- Do not map the mail attribute in Keycloak (in this case the mail attribute would not be available in SecureTransport);
- Do not use the LDAP cached mode in Keycloak;
- Change the email addresses of users so that they are all unique.
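A pre-import check, added here as an example and not part of this KB article, Keycloak or SecureTransport: it parses an LDIF export (a constructed sample with hypothetical DNs; a real one would come from ldapsearch) and lists every mail value shared by more than one user, so those accounts can be corrected before LDAP cached mode is enabled. Addresses are compared case-insensitively, since Keycloak stores email addresses lowercased.

```python
"""List LDAP users whose mail attribute is not unique (case-insensitive)."""
from collections import defaultdict

# Constructed LDIF sample with hypothetical DNs (what `ldapsearch -LLL uid mail`
# would return); not real directory data.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
mail: alice@example.com

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
mail: shared@example.com

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
mail: Shared@Example.com

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64 values) into a list of
    {attribute: [values]} dicts, one per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def duplicate_mails(entries):
    """Map each lowercased mail value used by more than one entry to the DNs
    that carry it. Entries without a mail attribute are skipped."""
    by_mail = defaultdict(list)
    for entry in entries:
        for mail in entry.get("mail", []):
            by_mail[mail.lower()].append(entry["dn"][0])
    return {mail: dns for mail, dns in by_mail.items() if len(dns) > 1}

if __name__ == "__main__":
    for mail, dns in duplicate_mails(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{mail}: {', '.join(dns)}")
```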