Getting groups from Azure Active Directory IDP

Hi,

I’m looking for some examples to get group memberships from Active Directory.

This is my setup:

  • Users and groups are managed in AD
  • AD is successfully configured as ID provider in KeyCloak

My goal is that I can see that user John Doe is a member of GroupX - which is set on AD.

What would the best approach be?

Things I have done:

  • Set the AD manifest to: “groupMembershipClaims”: “SecurityGroup”,
  • Tried to create a mapper on the IDP, but I am unsure how this is done correctly

Any advice or pointer would be great, thanks!

Maarten

Resolved:
Groups are correctly coming from AD. To use them you have to map them to Roles, based on the object-id of the Group in AD.
Ergo: AD groups are not the same as Keycloak groups.

Could you tell me how you managed to create the Mapper for Azure Groups to Keycloak roles in general. I don’t have a clue how to create those and don’t seem to find anyone who has done that but you!

Hi,

  • Create the Roles in Keycloak
  • On your ID provider; create a Claim to Role mapper
  • The claim is “groups”
  • The claim value is the guid of the group in Azure AD

In a simple setup, this must be sufficient. We’ve used the OpenID protocol to connect to Azure.

Please let us know if this also applies to you.

Best regards,
Maarten

I don’t seem to have the option for “Claim to Role Mapper” on my IDP, only 3 Hardcoded ones as well as an “Attribute” and a “Username Template Importer”. Or do you mean to configure that Claim in Azure?

Is this an oidc or saml based provider?
There are differences per protocol. I’ve used OpenID Connect (oidc).

I created the IDP in Keycloak via the “Microsoft” template. But it might work if I create a new one with OIDC instead of that. (Just a quick question for that, where do you get the needed attributes like Authentication URI from the Azure Application?)

In your Azure portal, in your app registration, at Endpoints.

Thanks for sharing the knowledge. Would you be able to elaborate on the details how to

  • On your ID provider; create a Claim to Role mapper
  • The claim is “groups”

Are you able to see the azure ad groups listed somewhere in the admin console?

Thanks!


This seems like flattening the concept of groups and roles into one, which should not be needed.

IMO there is missing a crucial option in the mappers list: Claim to Group, which allows to give a mapping of incoming group ids to keycloak group ids.

@maartenvds I am trying to do the same as what you are talking about. I’ve used OpenID Connect to connect an Azure AD, and I have defined role mappings in the IDP in keycloak where the claim value matches the AAD group id.

The issue I’m currently having is that when a new user who has been assigned all the groups in AAD connects to our application, we see a user record created in keycloak for that user, but they are not automatically getting all the relevant role-mappings from the groups in AAD. we currently need to manually add the role-mappings to the user in KeyCloak for the user to be able to use our application.

I’m just wondering how to get that user role-mapping in keycloak to automatically reflect the group assignment in AAD.

I’ve mapped the Azure AD group ID to the IDP Mapper in keycloak like this:


Yes I’ve got that too. But we are not getting an automatic sync between users role-mapping in keycloak and their azure group membership. Is there some other bit of config I’m missing?

Note we are running Keycloak 9.0.0

Hi,

When the user authenticates, then the groups are synced. In the IDP settings you can configure that it is forced every time the user authenticates.


Which setting is that? I can’t see one in the IDP config that suggests it might have that behaviour.

Hi,
Open your IDP and set “Sync Mode” to “force”.


I don’t have a “Sync Mode” option. It looks like this is an option that was introduced in keycloak 10. As we are currently on KeyCloak 9, I will start the process of getting our application upgraded.

I’m trying to do the same for SAML and am getting the Object Id of AD groups, but I’m not sure how to map them. I don’t have the ‘Claim to Role’ option; I do have ‘Advanced Attribute to Role’, ‘Hardcoded Role’, ‘SAML attribute to Role’.

Never mind, I was able to figure it out using ‘Advanced Attribute to Role’.

But, as @Morriz mentioned we need a claim to group option.
Do I raise a JIRA ticket for this?

Hi @maartenvds,

I believe I have tried what you said

  • Create the Roles in Keycloak
  • On your ID provider; create a Claim to Role mapper
  • The claim is “groups”
  • The claim value is the guid of the group in Azure AD
  • Set “Sync Mode” to “force” in IDP settings

How do I know if it is working or not? What does “claim” do in the “Identity Provider Mappers” setting?
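To make the behaviour of the steps listed in this thread concrete (a "Claim to Role" mapper matching a group object id inside the `groups` claim, and why "Sync Mode" = "force" matters), here is an added Python model written for this page; it is not Keycloak's code, and the group ids, role names and the `apply_mappers`/`simulate_logins` helpers are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ClaimToRoleMapper:
    """Models the three config values of Keycloak's Claim to Role IDP mapper."""
    claim: str        # mapper "Claim", here "groups"
    claim_value: str  # mapper "Claim Value": the Azure AD group object id (GUID)
    role: str         # mapper "Role": the Keycloak realm role to grant

    def matches(self, token_claims: dict) -> bool:
        value = token_claims.get(self.claim)
        # Azure AD emits "groups" as a JSON array of object ids; a scalar is handled too
        if isinstance(value, list):
            return self.claim_value in value
        return value == self.claim_value


@dataclass
class BrokeredUser:
    username: str
    roles: set = field(default_factory=set)
    first_login: bool = True


def apply_mappers(user, mappers, token_claims, sync_mode="force"):
    """Model of sync modes: 'import' evaluates mappers only when the federated user
    is created; 'force' re-evaluates on every login and revokes roles whose group
    is no longer present in the token (assumed semantics, see the lead-in)."""
    if sync_mode == "import" and not user.first_login:
        return set(user.roles)
    for m in mappers:
        if m.matches(token_claims):
            user.roles.add(m.role)
        elif sync_mode == "force":
            user.roles.discard(m.role)
    user.first_login = False
    return set(user.roles)


GROUP_X = "11111111-1111-1111-1111-111111111111"  # constructed placeholder object id
GROUP_Y = "22222222-2222-2222-2222-222222222222"  # constructed placeholder object id
MAPPERS = [ClaimToRoleMapper("groups", GROUP_X, "groupx-role"),
           ClaimToRoleMapper("groups", GROUP_Y, "groupy-role")]


def simulate_logins(sync_mode):
    """First login: member of both groups. Second login: removed from GroupY in Azure AD."""
    user = BrokeredUser("john.doe")
    first = apply_mappers(user, MAPPERS, {"groups": [GROUP_X, GROUP_Y]}, sync_mode)
    second = apply_mappers(user, MAPPERS, {"groups": [GROUP_X]}, sync_mode)
    return first, second
```

Checking it is working therefore means looking at the user's realm role mappings after a fresh login: with "import" a later group removal in Azure AD is never reflected, with "force" the stale role disappears on the next login.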