diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/kerberos.xml b/docbook/auth-server-docs/reference/en/en-US/modules/kerberos.xml
index e89df835ea..1d5a1c9beb 100644
--- a/docbook/auth-server-docs/reference/en/en-US/modules/kerberos.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/kerberos.xml
@@ -154,7 +154,7 @@ ktadd -k /tmp/http.keytab HTTP/www.mydomain.org@MYDOMAIN.ORG
- Finally run Keycloak server and configure SPNEGO/Kerberos authentication in Keycloak admin console. Keycloak supports Kerberos authentication
+ Run Keycloak server and configure SPNEGO/Kerberos authentication in Keycloak admin console. Keycloak supports Kerberos authentication
through Federation provider SPI . We have 2 federation providers with Kerberos authentication support:
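Review bot: the rewritten `+` line now reads "Run Keycloak server and configure SPNEGO/Kerberos authentication in Keycloak admin console", which drops the articles; suggest "Run the Keycloak server and configure SPNEGO/Kerberos authentication in the Keycloak admin console". While touching this sentence, the unchanged context line "through Federation provider SPI ." still carries a stray space before the period (looks like a link element with trailing whitespace), and "We have 2 federation providers" reads better as "two".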
@@ -185,6 +185,20 @@ ktadd -k /tmp/http.keytab HTTP/www.mydomain.org@MYDOMAIN.ORG
+
+
+ Finally you may need to check the Kerberos authenticator correctly configured. You can go to Authentication tab in
+ admin console and select Browser flow. Here you will see Kerberos authenticator, which is used by Keycloak for SPNEGO
+ handshake with client (exchange Negotiate header etc.). By default it's disabled, so Keycloak doesn't ask for Negotiate header, however once you
+ configured federation provider in previous step, it's automatically switched to ALTERNATIVE. So defacto you don't need to do anything, just
+ check that it's really switched to Alternative.
+
+
+ Alternative means that Keycloak tries to ask browser for Negotiate header, but if it's not available, it will continue on next authenticator (which usually means
+ displaying username/password form to user). You can switch to REQUIRED if you want to enforce login with
+ kerberos ticket and not allow fallback to username/password form.
+
+
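Review bot: "check the Kerberos authenticator correctly configured" is missing "is" ("check that the Kerberos authenticator is correctly configured"), "defacto" should be "de facto", and the requirement is spelled both "ALTERNATIVE" and "Alternative" in the same paragraph, so pick the admin-console label and use it consistently. The REQUIRED paragraph should also spell out the consequence of what it states: with no fallback to the username/password form, any browser that cannot present a Negotiate token (no ticket, client not joined to the Kerberos domain, SPNEGO not enabled for the Keycloak host) is refused at the Browser flow, so recommend verifying a successful Kerberos login while the authenticator is still ALTERNATIVE, and keeping an alternative way to reach the admin console, before switching it to REQUIRED.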
diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/user-federation.xml b/docbook/auth-server-docs/reference/en/en-US/modules/user-federation.xml
index f44e6ab7fe..7cbd9668f0 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/user-federation.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/user-federation.xml
@@ -294,8 +294,24 @@
We have an example, which is showing LDAP integration and set of base mappers and sample mappers (mappers for street and postalCode) . It's in examples/ldap
in the Keycloak example distribution or demo distribution download. You can also check the example sources directly here .
+
+ Writing your own LDAP Mapper
+
+ For the more advanced usecases, you have the possibility to create your own implementation of LDAP mapper or just subclass from
+ some already existing mapper implementation. You will need to implement UserFederationMapperFactory interface. In most cases, instead of
+ creating UserFederationMapperFactory from scratch, you can create subclasses of AbstractLDAPFederationMapperFactory, which itself
+ implements UserFederationMapperFactory. Then you need to create mapper implementation, which will be subclass of
+ AbstractLDAPFederationMapper (this mapper implementation will be returned by YourAbstractLDAPFederationMapperFactorySubclass.createMapper method).
+
+
+ After your code is written you must package up all your classes within a JAR file. This jar file must contain a file called
+ org.keycloak.mappers.UserFederationMapperFactory within the META-INF/services directory of the JAR. This file is a list of fully
+ qualified classnames of all implementations of UserFederationMapperFactory. For more details, look at section for
+ Write your own federation provider and at Providers and SPI section.
+
+
-
+ Writing your own User Federation Provider
The keycloak examples directory contains an example of a simple User Federation Provider backed by
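Review bot: "YourAbstractLDAPFederationMapperFactorySubclass.createMapper method" is hard to parse; suggest "the createMapper method of your factory subclass". Same paragraph: "usecases" should be "use cases", "you have the possibility to create" reads better as "you can create", and "subclass from some already existing mapper implementation" as "subclass an existing mapper implementation". In the packaging paragraph, state that the services file must be named exactly after the interface (META-INF/services/org.keycloak.mappers.UserFederationMapperFactory) and lists one fully qualified class name per line; as written it can be read as a description of the file's purpose rather than a requirement on its name. The cross-references "Write your own federation provider" and "Providers and SPI section" appear as bare text in this view; make sure they are xref/link elements in the DocBook source so the reader can follow them.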