Zum Hauptinhalt springen

Übersicht

Casdoor stores users in its user table. When you adopt Casdoor, you don’t have to migrate users manually—use a syncer to import and keep user data in sync from your existing source.

Supported syncers

Casdoor supports these syncer types:

  • Database: Synchronize users from any database supported by Xorm (MySQL, PostgreSQL, SQL Server, Oracle, SQLite). See database syncer.
  • Azure AD: Synchronize users from Azure Active Directory using Microsoft Graph API. See Azure AD syncer.
  • Active Directory: Synchronize users from Microsoft Active Directory via LDAP. See Active Directory syncer.
  • Google Workspace: Synchronize users from Google Workspace using Admin SDK API. See Google Workspace syncer.
  • Keycloak: Import users directly from Keycloak databases. See Keycloak syncer.
  • Okta: Synchronize users from Okta via the Okta Users API. See Okta syncer.
  • SCIM: Pull users from any SCIM 2.0-compliant identity provider. See SCIM syncer.
  • AWS IAM: Import users and groups from an AWS account via the IAM API. See AWS IAM syncer.
  • WeCom: Fetch users from WeCom organizations via API. See WeCom syncer.
  • DingTalk: Import users from DingTalk organizations via API. See DingTalk syncer.
  • Lark: Import users from Lark (Feishu) organizations via the Lark Open Platform API. See Lark syncer.

All syncers share a common interface, so new sources can be added without changing the rest of the system.

Supported user attributes

Syncers can map a wide set of attributes: profile data, credentials (passwords, WebAuthn, MFA), security settings (IP allowlist, verification), and activity (login history, password changes). Complex data (e.g. WebAuthn credentials, Face ID) is stored as JSON.

Sync and change detection

Casdoor computes a hash per user from fields such as password and phone. When the hash for a given user Id changes, Casdoor treats that user as updated and applies the change. This allows two-way sync between the Casdoor user table and the source system.

Password handling

When the remote source does not provide a password value for a user (the field is empty or not mapped), the syncer skips the password column entirely and leaves the existing password in Casdoor unchanged. This prevents remote systems from accidentally clearing passwords that users have set directly in Casdoor.