Change local UID to LDAP UID (?)

Hello,

Currently I'm facing an issue which gives me headaches; I can't wrap my head around it.

The scenario is the following:

I have an IdP which gets the user identity from an LDAP (MS AD). It sends the GUID, sAMAccountName, etc. via SAML token to the Keycloak server.
The Keycloak server acts as a service provider and passes the incoming SAML data via OIDC to the application. So far, so good.

Most of our applications (clients) use OIDC, and therefore they use the sub field in the JWT to identify the user on the application side. The data included in the sub field comes directly from the local Keycloak user object, specifically from the ID field, which contains the Keycloak UUID.

One of our problems is that if for some reason the user gets deleted / re-created in Keycloak, they lose all settings, data, etc. within ALL applications (clients) that use the sub field. This happens because when a new user object is created in Keycloak, a random Keycloak UID is generated, which is automatically assigned to the sub field in the JWT.

The UID from the LDAP attribute is persistent, in contrast to the Keycloak user / UID. The only source of truth for the user is LDAP, AD, etc. and NOT Keycloak.

Is there any way to access this field and put our own data / UIDs into it? Or at least, is it planned?

I already tried to use a mapper for this, so that "our" UID is used in the sub field. But unfortunately, I can't log off without an internal server error then. Which makes sense, because Keycloak probably uses the sub value... and it doesn't have that value in the Keycloak user object.

Kind regards,
KCNewb
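The post describes the application side of the problem: clients key their user data on sub, which is the Keycloak user UUID, so a deleted and re-created Keycloak user looks like a brand-new person to every client. The following is an added example, not code from the post or from the Keycloak project, showing how a relying party can key its own user store on a directory attribute carried in a separate claim while still recording sub and flagging when it changes for the same directory identity. The claim name ldap_id is a hypothetical name for a claim populated from the AD objectGUID by a user-attribute mapper; the HS256 signing key and the tokens are constructed for the demo (real Keycloak tokens are RS256-signed and verified against the realm's public keys).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key, used only so the example runs offline. A real relying
# party verifies Keycloak's RS256 signature against the realm JWKS instead.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Hypothetical claim name for the persistent directory identifier (AD objectGUID).
STABLE_CLAIM = "ldap_id"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 JWT carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_and_decode(token: str, key: bytes = DEMO_KEY) -> dict:
    """Verify the signature before trusting any claim; pin the expected alg."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def resolve_app_user(claims: dict, store: dict) -> dict:
    """
    Look up (or create) the application's user record keyed on the directory
    identifier, not on sub. sub is still stored so that a change, i.e. the
    Keycloak user having been deleted and re-created, is visible for auditing
    while the user's settings survive.
    """
    stable_id = claims.get(STABLE_CLAIM)
    if not stable_id:
        # Refusing to fall back to sub keeps the store consistently keyed.
        raise ValueError(f"token lacks {STABLE_CLAIM}")
    record = store.get(stable_id)
    if record is None:
        record = {"ldap_id": stable_id, "sub": claims["sub"],
                  "settings": {}, "sub_rotated": False}
        store[stable_id] = record
    elif record["sub"] != claims["sub"]:
        record["sub"] = claims["sub"]
        record["sub_rotated"] = True  # flag for audit; settings are kept
    else:
        record["sub_rotated"] = False
    return record


def demo() -> dict:
    """Walk through a login, a Keycloak user re-creation, and a second login."""
    store: dict = {}
    first = make_token({"sub": "keycloak-uuid-1", "preferred_username": "jdoe",
                        STABLE_CLAIM: "guid-constructed-0001"})
    rec = resolve_app_user(verify_and_decode(first), store)
    rec["settings"]["theme"] = "dark"
    # Keycloak user deleted and re-created: new random sub, same directory GUID.
    second = make_token({"sub": "keycloak-uuid-2", "preferred_username": "jdoe",
                         STABLE_CLAIM: "guid-constructed-0001"})
    rec2 = resolve_app_user(verify_and_decode(second), store)
    return {"users_in_store": len(store), "rotated": rec2["sub_rotated"],
            "theme": rec2["settings"]["theme"], "sub": rec2["sub"]}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the application never treats sub as the long-lived identity but still records it, so a rotation for the same directory GUID shows up as an auditable event rather than silent data loss.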