Tags: active-directory, ldap, keycloak, keycloak-services

Keycloak: Migrate user from one to another user federation


We have an application using Keycloak (currently version 4.8.3.Final, planning to upgrade to 11). Today we have connected an Active Directory, so the users can access the software via LDAP authentication. Now we want to change the Active Directory and would like to keep the users, but switch them from the current User Federation to the new one.

Is that possible, and if yes, how can I do that? (I haven't found anything in the documentation.)


Solution

  • As far as I know that is not possible, because when you perform a login with a user coming from an external user federation (i.e., Active Directory) the authentication of the credentials (i.e., checking whether the username/password match) is done on the user federation side, not in Keycloak, which means that Keycloak does not store all the user information (e.g., the user credentials).

    From the Keycloak documentation itself:

    By default, Keycloak will import users from LDAP into the local Keycloak user database. This copy of the user is either synchronized on demand, or through a periodic background task. The single exception to this is the synchronization of passwords. Passwords are never imported. Their validation is always delegated to the LDAP server. The benefits of this approach is that all Keycloak features will work as any extra per-user data that is needed can be stored locally. The downside of this approach is that each time that a specific user is queried for the first time, a corresponding Keycloak database insert is performed.

    Based on that one can infer that one will not be able to:

    Now we want to change the Active Directory and would like to keep the users, but switch them from the current User Federation to the new one.

    Moreover, from a design point of view, IMO such a feature should not be the responsibility of an IdP.
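The practical consequence of the answer above is that every user whose record carries a `federationLink` to the old LDAP provider has no password stored in Keycloak, so before the old provider is removed those accounts must exist in the new directory (or be given a new local credential). The following script is an added example, not code from the question, the answer, or the Keycloak project: it builds that inventory. It assumes the shape of the Keycloak admin REST API (a `UserRepresentation` with a `federationLink` field, and `GET /admin/realms/{realm}/users/{id}/credentials` returning `CredentialRepresentation` objects with a `type` field); the data it runs on here is constructed inline so it needs no live server, and the `fetch_from_keycloak` helper is an assumed wrapper around those endpoints.

```python
"""Inventory which Keycloak users are backed by an LDAP user federation.

Added example (not from the page). Assumptions: UserRepresentation carries a
'federationLink' field holding the user-federation provider id, and the
credentials endpoint returns a list of {"type": "password" | "otp" | ...}.
Because Keycloak never imports LDAP passwords, a user linked to a federation
and lacking a local 'password' credential cannot log in once that
federation is gone.
"""
import json
import urllib.request
from typing import Dict, List

# Constructed sample of GET /admin/realms/{realm}/users (labelled constructed).
SAMPLE_USERS = json.loads("""[
  {"id": "u1", "username": "alice", "federationLink": "ldap-old-provider-id"},
  {"id": "u2", "username": "bob",   "federationLink": "ldap-old-provider-id"},
  {"id": "u3", "username": "carol"},
  {"id": "u4", "username": "dave",  "federationLink": "ldap-new-provider-id"}
]""")

# Constructed sample of GET /admin/realms/{realm}/users/{id}/credentials per user.
SAMPLE_CREDENTIALS = {
    "u1": [],                         # LDAP-backed: no local password stored
    "u2": [{"type": "otp"}],          # local OTP only; password lives in LDAP
    "u3": [{"type": "password"}],     # local user with a stored password hash
    "u4": [],                         # already backed by the new provider
}


def migration_report(users: List[dict],
                     credentials_by_id: Dict[str, List[dict]],
                     old_provider_id: str) -> Dict[str, List[str]]:
    """Group users by where their password actually lives.

    old_federation_no_password: linked to the old provider and no local
        password -> must be present in the new directory before cut-over.
    old_federation_with_password: linked to the old provider but a local
        password credential exists (e.g. set by an admin) -> survives unlink.
    local: not federated; Keycloak holds the credential.
    other_federation: linked to some other provider; out of scope here.
    """
    report = {
        "old_federation_no_password": [],
        "old_federation_with_password": [],
        "local": [],
        "other_federation": [],
    }
    for user in users:
        creds = credentials_by_id.get(user["id"], [])
        has_local_password = any(c.get("type") == "password" for c in creds)
        link = user.get("federationLink")
        if link == old_provider_id:
            key = ("old_federation_with_password" if has_local_password
                   else "old_federation_no_password")
        elif link:
            key = "other_federation"
        else:
            key = "local"
        report[key].append(user["username"])
    return report


def fetch_from_keycloak(base_url: str, realm: str, token: str):
    """Assumed helper: pull users and their credentials over the admin API.

    Not exercised here; it shows the two endpoints the report is built from.
    """
    def get(path):
        req = urllib.request.Request(
            f"{base_url}/admin/realms/{realm}{path}",
            headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    users = get("/users?max=10000")
    creds = {u["id"]: get(f"/users/{u['id']}/credentials") for u in users}
    return users, creds


if __name__ == "__main__":
    for bucket, names in migration_report(
            SAMPLE_USERS, SAMPLE_CREDENTIALS, "ldap-old-provider-id").items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Run against a real realm, the `old_federation_no_password` bucket is the list to reconcile with the new directory before the old provider is deleted; anyone in it who is missing there will simply be unable to authenticate after the switch.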