Keycloak not getting the optional claims from Azure AD

Hi,
I’m trying to get (security) groups from Azure AD into Keycloak. I’ve set up Azure AD as an OpenID Connect Identity Provider and authorization works well (I can log in to the application).
I’ve added the optional claims in Azure AD so that I get the security groups back in the access token.
I’ve activated the debug log for org.keycloak.social.user_profile_dump and I can see the Azure AD response (i.e.: User Profile JSON Data for provider {identity_provider}: {"sub":"ooooo","name":"X X","family_name":"xxx","given_name":"xxx","picture":"https://graph.microsoft.com/v1.0/me/photo/$value","email":"xxx@xx"}).
The issue is that I don’t get the groups (or any other optional claim) back, so it doesn’t seem like I can use a “Claim to Role” mapper in the identity provider.

It definitely looks like I’ve done something wrong, as all the messages I found in the forum indicate that getting the claims back should be easy.
I would be grateful for any pointers or ways to identify whether it’s a Keycloak misconfiguration or an Azure AD misconfiguration (for example, I don’t get the logs for the request to Azure AD).
Thanks.

I’m not an Azure AD expert, but you may have to add a scope to your OIDC request in order for Azure to include it in the token. Something like group or groups?
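One way to tell the two sides apart, as an added example that is not from either poster: decode the claims segment of the ID or access token Azure AD actually returned (signature deliberately not verified, since this is only for reading a token you already hold while debugging) and report whether a groups claim is there. The token-building helper and the sample payloads are constructed for the example; the claim names `groups`, `_claim_names` and `hasgroups` are the ones Azure AD uses for the groups claim and its overage indicator. If the claim is missing from the token itself, the fix lies on the Azure AD side (app registration, optional claims, or the requested scope); if it is present but Keycloak still has nothing to map, the problem is in the Keycloak identity provider configuration.

```python
import base64
import json


def _b64url_encode(obj):
    """Base64url-encode a JSON object without padding (JWT segment style)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(payload):
    """Build an unsigned JWT-shaped string from a payload dict.
    Constructed test data only; a real Azure AD token carries a signature."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return f"{header}.{_b64url_encode(payload)}.placeholder-signature"


def decode_payload(token):
    """Return the claims of a compact JWT without verifying its signature.
    Use this only to inspect a token you obtained yourself while debugging."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(seg))


def check_groups(token):
    """Classify the groups claim in an Azure AD token.

    Returns ("present", [ids]) when the groups list is in the token,
    ("overage", []) when Azure AD replaced it with a pointer because the user
    is in too many groups, and ("missing", []) when no groups claim was issued.
    """
    claims = decode_payload(token)
    if "groups" in claims:
        return "present", list(claims["groups"])
    if "groups" in claims.get("_claim_names", {}):
        return "overage", []
    if claims.get("hasgroups"):
        return "overage", []
    return "missing", []


if __name__ == "__main__":
    # Constructed sample resembling the userinfo-style payload from the post.
    sample = make_token({"sub": "ooooo", "name": "X X", "email": "xxx@xx"})
    print(check_groups(sample))  # ('missing', [])
```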