> ## Documentation Index
> Fetch the complete documentation index at: https://docs.domino.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Manage LDAP / AD federation

When you choose federated authentication, Keycloak connects to the provider and caches user information.

## Add a provider

1. In the Keycloak console, go to **User Federation** > **Add LDAP providers**.

   See [the official Keycloak documentation](https://www.keycloak.org/docs/latest/server_admin/#_user-storage-federation) for full details about user storage federation.

   If you migrate from an older Domino version, use your `ldap.conf` from the Domino front end to see what inputs to use for the provider settings.

   Some of these inputs include:

   | ldap.conf name   | Keycloak user federation setting name |
   | ---------------- | ------------------------------------- |
   | Search principal | Bind DN                               |
   | Search base      | Users DN                              |
   | Search filter    | Additional Filtering                  |

   You can synchronize Domino administrative user roles and organization membership with attributes in your SAML identity provider. Use this to externalize management of these roles and memberships to the identity provider.

2. Use an [LDAP mapper](https://www.keycloak.org/docs/latest/server_admin/#_ldap_mappers) to import user attributes to Keycloak.

3. Follow the steps in [Synchronize SSO Group and Role](/6.3/admin/identity-and-access/authentication/sso/sso-configuration#role-synchronization) related to Client Mappers to map from Keycloak to Domino.

<Note>
  Updates to a user’s group or role will not fully synchronize to Domino until the user signs in.
</Note>

## Configure mappers

Review the LDAP mapper associated with your provider. You must make sure that there are LDAP mappers for the following attributes:

* `username`

* `firstName`

* `lastName`

* `email`

For more details, read the official Keycloak documentation on [LDAP mappers](https://www.keycloak.org/docs/latest/server_admin/#_ldap_mappers).

### Group and Role Synchronization

You can synchronize Domino administrative user roles and organization membership with attributes in your SAML identity provider. Use this to externalize management of these roles and memberships to the identity provider. Please note that the Keycloak user attributes cannot be set directly from LDAP group memberships, there have to be corresponding attributes in LDAP.

1. Use an [LDAP mapper](https://www.keycloak.org/docs/latest/server_admin/#_ldap_mappers) to import user attributes to Keycloak.

2. Follow the steps in [Synchronize SSO Group and Role](/6.3/admin/identity-and-access/authentication/sso/sso-configuration#role-synchronization) related to Client Mappers to map from Keycloak to Domino.

<Note>
  Updates to a user’s group or role will not fully synchronize to Domino until the user signs in.
</Note>

## Next steps

* [Set up Keycloak](/6.3/admin/identity-and-access/authentication/keycloak-set-up)

* [Brokered authentication through single sign-on (SSO)](/6.3/admin/identity-and-access/authentication/sso)

* [Limit concurrent user sessions](/6.3/admin/identity-and-access/authentication/limit-sessions)
