Resolved:
Groups are correctly coming from AD. To use them you have to map them to Roles, based on the object-id of the Group in AD.
Ergo: AD groups are not the same as Keycloak groups.
Could you tell me how you managed to create the Mapper for Azure Groups to Keycloak roles in general. I don’t have a clue how to create those and don’t seem to find anyone who has done that but you!
I don’t seem to have the option for “Claim to Role Mapper” on my IDP, only 3 Hardcoded ones as well as an “Attribute” and a “Username Template Importer”. Or do you mean to configure that Claim in Azure?
I created the IDP in Keycloak via the “Microsoft” template. But it might work if I create a new one with OIDC instead of that. (Just a quick question for that, where do you get the needed attributes like Authentication URI from the Azure Application?)
@maartenvds I am trying to do the same as what you are talking about. I’ve used OpenID Connect to connect an Azure AD, and I have defined role mappings in the IDP in keycloak where the claim value matches the AAD group id.
The issue I’m currently having is that when a new user who has been assigned all the groups in AAD connects to our application, we see a user record created in keycloak for that user, but they are not automatically getting all the relevant role-mappings from the groups in AAD. We currently need to manually add the role-mappings to the user in KeyCloak for the user to be able to use our application.
I’m just wondering how to get that user role-mapping in keycloak to automatically reflect the group assignment in AAD.
Yes I’ve got that too. But we are not getting an automatic sync between users role-mapping in keycloak and their azure group membership. Is there some other bit of config I’m missing?
I don’t have a “Sync Mode” option. It looks like this is an option that was introduced in keycloak 10. As we are currently on KeyCloak 9, I will start the process of getting our application upgraded.
I’m trying to do the same for SAML and am getting the Object Id of AD groups, but I’m not sure how to map them. I don’t have the ‘Claim to Role’ option; I do have ‘Advanced Attribute to Role’, ‘Hardcoded Role’, ‘SAML attribute to Role’.
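The mapping the posters above are describing (one identity-provider mapper per Azure AD group object ID, targeting a Keycloak realm role, with the sync mode set so that role membership follows the group claim on every login) can be generated and checked with a small script. This is an added example written for this thread, not code from any of the posters or from the Keycloak project. It uses the mapper type identifiers and config keys of Keycloak's built-in "Claim to Role" (`oidc-role-idp-mapper`) and "SAML Attribute to Role" (`saml-role-idp-mapper`) mappers and the admin REST endpoint for IdP mappers; the group object IDs, role names, IdP alias `azure`, and the assumed Azure AD SAML group attribute name are constructed placeholders to replace with your own values.

```python
"""Build Keycloak identity-provider mapper payloads that turn Azure AD group
object IDs into Keycloak realm roles (OIDC "Claim to Role" and SAML
"SAML Attribute to Role"), and optionally push them to the admin REST API.

Added example for the thread above; not Keycloak project code. Group IDs,
role names and the IdP alias are constructed placeholders.
"""
import json
import urllib.request

# Constructed mapping: Azure AD group object ID -> Keycloak realm role name.
# Replace with the real object IDs shown on the group's Overview page in Azure.
GROUP_TO_ROLE = {
    "00000000-0000-0000-0000-000000000001": "app-admin",
    "00000000-0000-0000-0000-000000000002": "app-user",
}

# Azure AD emits group object IDs in the "groups" claim for OIDC tokens.
OIDC_GROUPS_CLAIM = "groups"
# Assumed name of the Azure AD SAML group attribute; verify against your assertion.
SAML_GROUPS_ATTRIBUTE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def oidc_claim_to_role_mapper(idp_alias, group_id, role, sync_mode="FORCE"):
    """One 'Claim to Role' mapper for an OIDC identity provider.

    syncMode=FORCE (available from Keycloak 10) re-evaluates the mapper on
    every login, so a user removed from the Azure AD group also loses the
    Keycloak role instead of keeping it from the first import (IMPORT).
    """
    return {
        "name": f"azure-group-{group_id}-to-{role}",
        "identityProviderAlias": idp_alias,
        "identityProviderMapper": "oidc-role-idp-mapper",
        "config": {
            "syncMode": sync_mode,
            "claim": OIDC_GROUPS_CLAIM,
            "claim.value": group_id,
            "role": role,
        },
    }


def saml_attribute_to_role_mapper(idp_alias, group_id, role, sync_mode="FORCE"):
    """One 'SAML Attribute to Role' mapper for a SAML identity provider."""
    return {
        "name": f"azure-group-{group_id}-to-{role}",
        "identityProviderAlias": idp_alias,
        "identityProviderMapper": "saml-role-idp-mapper",
        "config": {
            "syncMode": sync_mode,
            "attribute.name": SAML_GROUPS_ATTRIBUTE,
            "attribute.value": group_id,
            "role": role,
        },
    }


def build_mappers(idp_alias, protocol, group_to_role=GROUP_TO_ROLE):
    """All mappers for one IdP; protocol is 'oidc' or 'saml'."""
    factory = {"oidc": oidc_claim_to_role_mapper,
               "saml": saml_attribute_to_role_mapper}[protocol]
    return [factory(idp_alias, gid, role) for gid, role in group_to_role.items()]


def roles_for_token_groups(token_groups, group_to_role=GROUP_TO_ROLE):
    """Roles the mappers above would grant for a given 'groups' claim value.
    Handy for checking a decoded Azure token before touching Keycloak."""
    return sorted(role for gid, role in group_to_role.items() if gid in token_groups)


def push_mappers(base_url, realm, admin_token, mappers):
    """POST each mapper to the Keycloak admin REST API (needs network and a
    bearer token with realm admin rights)."""
    for m in mappers:
        url = (f"{base_url}/admin/realms/{realm}/identity-provider/instances/"
               f"{m['identityProviderAlias']}/mappers")
        req = urllib.request.Request(
            url, data=json.dumps(m).encode(), method="POST",
            headers={"Authorization": f"Bearer {admin_token}",
                     "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            print(m["name"], resp.status)


if __name__ == "__main__":
    print(json.dumps(build_mappers("azure", "oidc"), indent=2))
    # Constructed 'groups' claim in which only the second group is present.
    print(roles_for_token_groups(["00000000-0000-0000-0000-000000000002"]))
```

Run it without arguments to print the payloads and see which roles a given `groups` claim would yield; call `push_mappers` only once the JSON matches what you would otherwise click together under the IdP's Mappers tab. Keep in mind that Azure AD only includes the `groups` claim when group claims are enabled on the app registration, and that on Keycloak 9 there is no `syncMode`, so roles are assigned at first login only, which is the behaviour described earlier in the thread.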