Groups from Azure AD

Hello,
I am currently trying to get the groups from Azure Active Directory to Keycloak. Azure is registered in keycloak as an identity provider with the “Microsoft” setting.
I tried to follow the advice from http://keycloak.discourse.group/t/getting-groups-from-azure-active-directory-idp/590 and created a mapper for the provider with these settings:
Sync Mode Override: force
Mapper Type: Attribute Importer
Social Profile JSON Field Path: groups
User Attribute Name: role

Is there something I am missing?

Hi, were you able to figure it out?

Yes, I got it today. This is the solution (I assume that the application is registered in Active Directory):

  1. Add Microsoft Active Directory as an identity provider: Identity Providers -> Add provider… -> OpenID Connect v1.0 (don’t choose Microsoft, like I did. It won’t work!)
  2. Configure it. My configuration is:
    Display Name: AAD (choose whatever you want)
    Enabled: On
    Trust Email: On (my setting. Not important for this problem)
    Authorization URL: …
    Token URL: …
    User Info URL: …
    Client ID: id from your application registered in Active Directory
    Client Secret: the secret in Active Directory for your application
    Issuer: https://login.microsoftonline.com/{tenant}/v2.0 (not necessary)
    The rest has its default setting.
    The urls can be found here: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
    (As a new user, I can only put two links in a post)
    Note that they depend on whether your application is single or multitenant.
  3. Save and add the redirect URL in Active Directory (Your application -> Authentication -> Redirect URIs).
  4. Go to this identity provider and go to Mappers. Create a new one.
  5. The setting of the mapper:
    Name: Whatever you want
    Sync Mode Override: Whatever you want. I have “force” but “inherit” is fine, too. Just read the info for it.
    Mapper Type: Claim to Role
    Claim: groups (that’s the name of the groups claim in the JWT coming from active directory)
    Claim Value: The group that you want to be mapped. Unfortunately, AAD puts the ids of the groups inside of the token, so you will probably get something like: “7fd1e321-4234-45de-fa21-fffdf215d21f”.
    Role: The role that the user should get, if he has the claim value that you’ve specified.
    This means that every group that you want to map, needs a mapper and the role that it should be mapped to.

Note that for this to work, you need some settings inside of AAD. Otherwise AAD won’t put the groups claim inside the token. The setting for this is:
Go to your application in AAD -> Manifest -> set “groupMembershipClaims” to “SecurityGroup” or “All”. I have “All”.

Not sure if that’s the default, but in “Token configuration” -> Add groups claim


Thank you for the well detailed answer. I did get this working, and I used a mapper to map group ID with group names in keycloak

Hi @shrivastavshubham34 @Shryne Could you please share the exact mapper configuration. I am facing challenges in restricting access specific to AD security group.
All the users of Azure AD are able to login to the URL

This post was very helpful to us, very good information, so I thought I'd give something back to the community. In our process we learned the following:

  • In Keycloak you need to use the type “OpenID Connect” provider instead of Microsoft, otherwise the Claim to Role will not show up in the menu.
  • You need a Client Scope with the name groups, and nothing else
  • You need to add this new scope to each Keycloak client that you are using
  • If your users have a lot of groups in AD you might need to limit the number of groups included in the token (see Token Configuration under your App Registration in Azure). In our case the mapping of accounts of > 100 groups was not working, while accounts with fewer groups were working fine. After limiting the number of groups all accounts work fine now.

Hope that this helps!
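As an added example (not code from any poster in this thread), here is the mapping that the Claim to Role mappers above perform, redone in Python so you can inspect what AAD actually put in the token before debugging the Keycloak side. The group GUIDs, the mapping table and the sample tokens are constructed; the overage branch assumes Azure AD's documented behaviour of omitting `groups` and emitting `_claim_names`/`_claim_sources` when a user exceeds the per-token group limit, which is the likely reason the > 100-group accounts in the last post got no roles.

```python
import base64
import json

# Constructed stand-in for the thread's "Claim to Role" mappers:
# one AAD group object id (GUID) -> one Keycloak role. GUIDs are made up.
GROUP_TO_ROLE = {
    "7fd1e321-4234-45de-fa21-fffdf215d21f": "admin",
    "1b2c3d4e-0000-4000-8000-000000000001": "reader",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT without checking its signature.

    Signature verification is the broker's (Keycloak's) job; this helper only
    lets you look at the claims AAD issued.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def roles_from_token(token: str, mapping: dict = GROUP_TO_ROLE) -> set:
    """Mirror the mappers: grant one role per group id found in the mapping.

    Fails closed on group overage: when the user is in more groups than the
    token may carry, AAD drops 'groups' and sends '_claim_names' /
    '_claim_sources' (or 'hasgroups') instead. Treating that as "no groups"
    would silently strip every role, so raise and let the caller decide.
    """
    claims = jwt_claims(token)
    if "groups" not in claims:
        if "_claim_names" in claims or "hasgroups" in claims:
            raise LookupError("group overage: token carries no groups claim")
        return set()
    groups = claims["groups"]
    if not isinstance(groups, list):
        raise ValueError("groups claim is not a list")
    return {mapping[g] for g in groups if g in mapping}


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."
```

Any group id in the token that has no mapper simply yields no role, which matches the thread's observation that every group you care about needs its own Claim to Role mapper.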