Changing the username in federated Windows Active Directories breaks user relations

I federate several Active Directory servers from my KC 10 realm. There I use the pre-2000 username as the login. What I found is that KC is storing the LDAP ID of the user's object from the federated source, so KC knows the user object without the need to rely on username/email or whatever.

When the username is changed in AD, the object in KC gets recreated (deleted and added) on the next sync, where it loses all its assigned groups and roles.
I think this must not be the case, because KC knows the object ID and could sync the username change based on that?

Is this to be considered a bug, a feature request, or is it configurable somehow?

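To make the difference concrete, here is an added example (not Keycloak's code, and not something the poster ran) that models the two ways a federation sync can reconcile imported users against a directory snapshot: keyed on the username, which is what the post observes, and keyed on the stable object id (AD's objectGUID, the value the post refers to as the stored LDAP ID). The directory entries, GUIDs and group names are constructed sample data; the rename of jdoe to jsmith is the scenario from the post.

```python
# Added example (not Keycloak code): models the two ways a federation sync can
# reconcile imported users against a directory snapshot. Directory entries,
# GUIDs and group names below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    """A user imported into the realm, carrying the directory's stable id."""
    ldap_id: str            # objectGUID of the AD object (the stored LDAP ID)
    username: str           # pre-2000 logon name (sAMAccountName)
    groups: set = field(default_factory=set)


def initial_local():
    """Realm state before the rename: jdoe is an admin, bob is a plain user,
    and 'gone' was imported earlier but has since been deleted from AD."""
    return {
        "jdoe": LocalUser("guid-1", "jdoe", {"admins", "vpn-users"}),
        "bob": LocalUser("guid-2", "bob", {"vpn-users"}),
        "gone": LocalUser("guid-3", "gone", {"admins"}),
    }


# Constructed directory snapshot after jdoe was renamed to jsmith and 'gone'
# was deleted from AD.
DIRECTORY_AFTER_RENAME = [
    {"objectGUID": "guid-1", "sAMAccountName": "jsmith"},
    {"objectGUID": "guid-2", "sAMAccountName": "bob"},
]


def sync_by_username(local, directory):
    """Reconcile on username: a renamed account looks like delete + create,
    so the old record, and with it every group and role, is thrown away."""
    result = {name: LocalUser(u.ldap_id, u.username, set(u.groups))
              for name, u in local.items()}
    seen = set()
    for entry in directory:
        name = entry["sAMAccountName"]
        seen.add(name)
        if name not in result:
            result[name] = LocalUser(entry["objectGUID"], name)  # fresh, no groups
    for name in list(result):
        if name not in seen:
            del result[name]  # 'jdoe' and 'gone' both vanish here
    return result


def sync_by_ldap_id(local, directory):
    """Reconcile on the stable object id: a rename only updates the username
    and memberships survive; only ids missing from the directory are removed."""
    by_id = {u.ldap_id: LocalUser(u.ldap_id, u.username, set(u.groups))
             for u in local.values()}
    result = {}
    for entry in directory:
        user = by_id.get(entry["objectGUID"])
        if user is None:
            user = LocalUser(entry["objectGUID"], entry["sAMAccountName"])
        else:
            user.username = entry["sAMAccountName"]  # rename applied in place
        result[user.username] = user
    return result


if __name__ == "__main__":
    for strategy in (sync_by_username, sync_by_ldap_id):
        state = strategy(initial_local(), DIRECTORY_AFTER_RENAME)
        print(strategy.__name__, {n: sorted(u.groups) for n, u in state.items()})
```

Running it shows that username-keyed reconciliation leaves jsmith with no groups at all, while id-keyed reconciliation carries the admins and vpn-users memberships across the rename and still drops the account that really was deleted. Whichever strategy a product uses, the practical check before renaming accounts in AD is to export the affected users' group and role assignments first, because a delete-and-recreate sync cannot be undone from the directory side.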