AD connected, App connected, but unable to login with AD user

Hello,

  • I have an Active Directory containing the list of my users. I use a service account to query it from Keycloak.
  • I have installed a Drupal instance that is my test application to connect to Keycloak.

=> I am able to log in to Drupal with the local user created inside Keycloak. But I am not able to log in with my users from my Active Directory, even though my test connection to my AD is working.

Here is the log (anonymized) from my Keycloak server (just a standalone execution for now):

11:16:20,179 WARN [org.keycloak.events] (default task-150) type=LOGIN_ERROR, realmId=myrealm, clientId=Drupal_client, userId=null, ipAddress=X.X.X.X, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://X.X.X.X/web/mo_login, code_id=11fcb81c-a7d0-4a28-9c65-feba62c64942, username=X.Y@Z.com, authSessionParentId=11fcb81c-a7d0-4a28-9c65-feba62c64942, authSessionTabId=fLZ7zEF8cpY

I am new to SSO / user federation. I have read a lot of things from the https://www.keycloak.org/docs/latest/server_admin/ documentation, but it's quite complicated and I don't get everything.

My guess is: I need to make the mapping between my application email field and my AD email field, but I don't understand where it is in Keycloak. I have searched in the documentation, but it's not clear to me.

Please, can you help me make the mapping between my client and my AD? Or at least point me to the right part of the documentation that can help me; I am out of solutions.

If you have any clue, thank you,

Regards,

A.

PS: I am not a native English speaker, so sorry for the mistakes.

OK, I finally found my problem: I didn't know I had to do a full sync of my users. I was thinking that my users would sync one by one when they did their first login. I will look into that topic to try to query them as they go along.

Thank you !

Regards,

A.
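As an added example (not code from the original post), here is a small Python parser for the org.keycloak.events line format quoted in the question: it counts LOGIN_ERROR events per reason and lists the (realm, username) pairs that failed with user_not_found, which is the pattern to watch for when federated accounts have not yet been synced into Keycloak. The sample lines are constructed from the anonymized line above plus two invented events; nothing else about the deployment is assumed.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample log: the first line is the anonymized one from the post,
# the other two are invented to show a different error and a successful login.
SAMPLE_LOG = """\
11:16:20,179 WARN [org.keycloak.events] (default task-150) type=LOGIN_ERROR, realmId=myrealm, clientId=Drupal_client, userId=null, ipAddress=X.X.X.X, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://X.X.X.X/web/mo_login, code_id=11fcb81c-a7d0-4a28-9c65-feba62c64942, username=X.Y@Z.com, authSessionParentId=11fcb81c-a7d0-4a28-9c65-feba62c64942, authSessionTabId=fLZ7zEF8cpY
11:16:45,002 WARN [org.keycloak.events] (default task-151) type=LOGIN_ERROR, realmId=myrealm, clientId=Drupal_client, userId=null, ipAddress=X.X.X.X, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, username=local.user
11:17:01,310 DEBUG [org.keycloak.events] (default task-152) type=LOGIN, realmId=myrealm, clientId=Drupal_client, userId=00000000-0000-0000-0000-000000000000, ipAddress=X.X.X.X, auth_method=openid-connect, auth_type=code, username=local.user
"""

# Everything after the "(default task-N)" thread marker is a comma-separated
# list of key=value fields, starting with type=...
EVENT_RE = re.compile(r"\[org\.keycloak\.events\]\s+\([^)]*\)\s+(?P<fields>type=.*)$")


def parse_event(line: str) -> Optional[dict]:
    """Turn one org.keycloak.events line into a dict of its key=value fields.
    Returns None for lines that are not Keycloak event lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = {}
    for pair in m.group("fields").split(", "):
        key, sep, value = pair.partition("=")  # split on the first '=' only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def login_errors_by_reason(log: str) -> Counter:
    """Count LOGIN_ERROR events per 'error' value (e.g. user_not_found)."""
    counts = Counter()
    for line in log.splitlines():
        ev = parse_event(line)
        if ev and ev.get("type") == "LOGIN_ERROR":
            counts[ev.get("error", "unknown")] += 1
    return counts


def unknown_users(log: str) -> list:
    """(realm, username) pairs that failed with user_not_found: accounts that
    Keycloak had no record of at login time, e.g. never imported from AD."""
    seen = []
    for line in log.splitlines():
        ev = parse_event(line)
        if ev and ev.get("type") == "LOGIN_ERROR" and ev.get("error") == "user_not_found":
            pair = (ev.get("realmId", "?"), ev.get("username", "?"))
            if pair not in seen:
                seen.append(pair)
    return seen


if __name__ == "__main__":
    print(login_errors_by_reason(SAMPLE_LOG))  # Counter({'user_not_found': 1, 'invalid_user_credentials': 1})
    print(unknown_users(SAMPLE_LOG))           # [('myrealm', 'X.Y@Z.com')]
```

Run it against the real server log after a full sync: if user_not_found keeps appearing for AD usernames, the accounts are still not present in the Keycloak user store.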