How does Keycloak get 'Identity Provider ID' or 'username' from Azure AD?

Hi,
I’ve setup Keycloak as an identity broker with Azure AD.
Everything works fine, when I trigger the login to keycloak from my webapp, I get redirect to Azure AD, do the authentication and my sample app displays my ID_token and access_token.
Of course, I’m also automatically added as a user in Keycloak.
But that’s the thing - I would like to automate that step (pre-populate Keycloak from Azure AD) - but Keycloak uses a specific Identity provider ID and Identity provider username value to do the match, and I cannot figure out where it gets that value from. I can’t find it in Azure AD - I checked all attributes of the user. I don’t see it in my JWT from Azure AD. I don’t see it in the userinfo endpoint on the Azure ID openID endpoint

It looks like this:
Identity provider ID: bPnSL00SVbZoFB97zHSwi9ksiT4bAzGxL2LKk2oaJcM
Identity provider username: bpnsl00svbzofb97zhswi9ksit4bazgxl2lkk2oajcm

If I pre-populate the users table with an entry with these values and link it to the IdP with these values, the login works and it picks up this ID automatically.

But how do I get the Identity provider ID?

Any suggestions? (using Keycloak 11.0.2)

3 Likes

I enabled verbose logging and found the following in the keycloak logs:

e[0me[32m14:55:27,345 DEBUG [org.keycloak.social.user_profile_dump] (default task-9) User Profile JSON Data for provider oidc: {"sub":"bPnSL00SVbZoFB97zHSwi9ksiT4bAzGxL2LKk2oaJcM","name":"steve","picture":"https://graph.microsoft.com/v1.0/me/photo/$value"}

which is odd because when I query the userinfo endpoint I get

{
    "sub": "1CBzJUoVxGqU6-mXKLhOF58xR9-FfSBKqUB2Rl24g8c",
    "name": "steve",
    "picture": "https://graph.microsoft.com/v1.0/me/photo/$value"
}

@tvdvoorde were u able to get a solution for this?
I am also facing this issue, any help would be greatly appreciable.

1 Like