Hi,
I’ve set up Keycloak as an identity broker with Azure AD.
Everything works fine: when I trigger the login to Keycloak from my webapp, I get redirected to Azure AD, do the authentication, and my sample app displays my ID token and access token.
Of course, I’m also automatically added as a user in Keycloak.
But that’s the thing - I would like to automate that step (pre-populate Keycloak from Azure AD), but Keycloak uses a specific Identity provider ID and Identity provider username value to do the match, and I cannot figure out where it gets that value from. I can’t find it in Azure AD - I checked all attributes of the user. I don’t see it in my JWT from Azure AD. I don’t see it in the userinfo endpoint of the Azure AD OpenID endpoint.
It looks like this:
Identity provider ID: bPnSL00SVbZoFB97zHSwi9ksiT4bAzGxL2LKk2oaJcM
Identity provider username: bpnsl00svbzofb97zhswi9ksit4bazgxl2lkk2oajcm
If I pre-populate the users table with an entry with these values and link it to the IdP with these values, the login works and it picks up this ID automatically.
I enabled verbose logging and found the following in the keycloak logs:
14:55:27,345 DEBUG [org.keycloak.social.user_profile_dump] (default task-9) User Profile JSON Data for provider oidc: {"sub":"bPnSL00SVbZoFB97zHSwi9ksiT4bAzGxL2LKk2oaJcM","name":"steve","picture":"https://graph.microsoft.com/v1.0/me/photo/$value"}
which is odd because when I query the userinfo endpoint I get
The Azure AD subject is specific to the application registration, i.e. different applications integrated with Azure AD will get different values for sub on the same account. oid is supposed to be consistent but requires the profile scope.
I’m not sure how to map a different token property into Provider User ID or Provider Username for federated identities.
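The following is an added example, not code from the poster or from Keycloak, that makes the two points in this thread concrete: the value Keycloak stored as the federated identity is the raw `sub` from the user-profile dump above (with the username being the same value lower-cased), and Azure AD's `sub` is pairwise per app registration while `oid` (present only with the `profile` scope) stays the same across registrations. The claim sets and token are constructed (dummy unsigned JWT, for inspecting claims only, never for trusting them); the realm name, user id and provider alias are assumed placeholders; the admin REST path used to pre-link an existing Keycloak user to the broker is `POST /admin/realms/{realm}/users/{id}/federated-identity/{alias}` with a `FederatedIdentityRepresentation` body.

```python
import base64
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unverified_token(claims: dict) -> str:
    """Build a JWT-shaped string for the demo: 'alg: none' header, empty
    signature. Only used so the decoder below has something to parse."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_claims_unverified(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature. Fine for
    reading a token you obtained yourself while debugging which claims Azure AD
    actually sends; never use unverified claims for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def default_broker_link(claims: dict, provider_alias: str) -> dict:
    """What the Keycloak OIDC broker stored in the poster's case: the provider
    user id is the raw `sub`, the provider username is the same value
    lower-cased. Keys follow the admin API FederatedIdentityRepresentation."""
    sub = claims["sub"]
    return {"identityProvider": provider_alias, "userId": sub, "userName": sub.lower()}


def stable_account_key(claims: dict) -> str:
    """`oid` is the tenant-wide object id of the account and is only issued when
    the `profile` scope was requested. Fail loudly instead of silently falling
    back to the pairwise `sub`, which would break cross-app pre-population."""
    oid = claims.get("oid")
    if not oid:
        raise KeyError("oid missing: request the 'profile' scope from Azure AD")
    return oid


def admin_api_link_request(realm: str, keycloak_user_id: str, link: dict):
    """Path and body for pre-linking an existing Keycloak user to the broker.
    Nothing is sent; realm/user id/alias are assumed placeholder values."""
    path = (f"/admin/realms/{realm}/users/{keycloak_user_id}"
            f"/federated-identity/{link['identityProvider']}")
    return path, link


# Constructed claim sets: ONE Azure AD account as seen through TWO app
# registrations. `sub` differs per registration, `oid` does not.
APP_A_CLAIMS = {"sub": "pairwiseSubIssuedToAppRegistrationA",
                "oid": "5c1d2e3f-0000-4a4b-8c8d-111111111111", "name": "steve"}
APP_B_CLAIMS = {"sub": "pairwiseSubIssuedToAppRegistrationB",
                "oid": "5c1d2e3f-0000-4a4b-8c8d-111111111111", "name": "steve"}


if __name__ == "__main__":
    for claims in (APP_A_CLAIMS, APP_B_CLAIMS):
        decoded = decode_claims_unverified(make_unverified_token(claims))
        link = default_broker_link(decoded, "azure-ad")
        print("Keycloak would store:", link, "| stable key:", stable_account_key(decoded))
    print(admin_api_link_request("myrealm", "assumed-keycloak-user-uuid",
                                 default_broker_link(APP_A_CLAIMS, "azure-ad")))
```

The practical consequence for pre-population: a user record seeded from a `sub` obtained through a different app registration (or from Microsoft Graph) will never match, because the broker compares against the `sub` issued to the Keycloak app registration itself; the `oid` is the claim that is stable across registrations, and it is absent unless the `profile` scope is requested.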