Matching identities from Azure AD IdP and Keycloak

Hi!

I am currently trying to figure out matching options for Azure AD users and Keycloak identities. Based on my research so far, it seems the only attribute by which the matching can be done is email, which in my opinion is not ideal as it can change over time. Please see details below.

Tested scenario details:

  1. Azure AD is configured as IdP through OIDC - works as expected
  2. All identities already exist in Keycloak and have a specific ID in an attribute (for example called “uid”)
  3. Some of the mentioned identities in Keycloak belong to users in Azure AD. Those users can also have the specific ID mapped to them, and this attribute can be configured to be accessible in the tokens
  4. I have created a new authentication flow - “Detect existing broker user” (required) and “Automatically set existing user” (required) - this works as intended: all users logging in through the Azure AD IdP must be matched with an existing Keycloak account
  5. Keycloak version is 19.0.1

With the flow described in point 4, however, it seems that only email can be used for matching. I have not found anything in the documentation that would point me in the right direction (e.g. reconfiguring which attribute is used for matching).

Lastly, I am aware there are different ways to skin this cat (such as having an IdM system in the middle that would synchronize users) - that is my plan B; however, I am looking to explore all options here and therefore I am trying to understand if this can be done with only Keycloak/Azure AD.

Thank you!
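The flow from point 4 of the post hands the brokered login from "Detect existing broker user" to "Automatically set existing user" through an auth note, so the matching rule can be swapped by replacing the first step with a custom authenticator. The following is an added example written for this thread, not the poster's code and not part of Keycloak: a first-broker-login step that matches on the "uid" user attribute from the post instead of email. It assumes an "Attribute Importer" mapper on the Azure AD IdP copies the token claim into that attribute, the package name and provider id are hypothetical, and the SPI calls are the ones I recall from the Keycloak 19 code base and should be checked against the sources before deployment.

```java
// Added example, not the poster's or Keycloak's own code: a custom "detect existing user"
// step for the first-broker-login flow that matches on a user attribute instead of email.
// Assumptions: the attribute is named "uid" as in the post, the Azure AD IdP carries an
// "Attribute Importer" mapper that copies the token claim into that attribute, and the
// package name and provider id are hypothetical. Written against the Keycloak 19 SPI.
package com.example.keycloak.broker;

import java.util.List;
import java.util.stream.Collectors;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.ExistingUserInfo;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

public class DetectExistingUserByAttributeAuthenticator extends AbstractIdpAuthenticator {
    /** User attribute carrying the cross-system identifier (the post calls it "uid"). */
    static final String MATCH_ATTRIBUTE = "uid";

    @Override
    protected void authenticateImpl(AuthenticationFlowContext context,
                                    SerializedBrokeredIdentityContext serializedCtx,
                                    BrokeredIdentityContext brokerContext) {
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        // Attribute Importer mappers stage imported claims on the brokered context; no user is linked yet.
        List<String> values = serializedCtx.getAttributes().get(MATCH_ATTRIBUTE);
        if (values == null || values.size() != 1 || values.get(0).isBlank()) {
            // Fail closed: no identifier from Azure AD means no link, never a fallback to email.
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }
        String value = values.get(0);

        // Exactly one local user may carry the value. Zero or several is a provisioning
        // error or a collision and must not silently link the login to the wrong account.
        List<UserModel> matches = session.users()
                .searchForUserByUserAttributeStream(realm, MATCH_ATTRIBUTE, value)
                .collect(Collectors.toList());
        if (matches.size() != 1) {
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }
        UserModel existing = matches.get(0);

        // Hand over to "Automatically set existing user" the same way the built-in
        // "Detect existing broker user" step does: through the EXISTING_USER_INFO auth note.
        ExistingUserInfo info = new ExistingUserInfo(existing.getId(), MATCH_ATTRIBUTE, value);
        context.getAuthenticationSession().setAuthNote(EXISTING_USER_INFO, info.serialize());
        context.success();
    }

    @Override
    protected void actionImpl(AuthenticationFlowContext context,
                              SerializedBrokeredIdentityContext serializedCtx,
                              BrokeredIdentityContext brokerContext) {
        authenticateImpl(context, serializedCtx, brokerContext); // no form is shown; a POST just re-runs the check
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    /** Listed as ...DetectExistingUserByAttributeAuthenticator$Factory in META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory implements AuthenticatorFactory {
        static final String PROVIDER_ID = "idp-detect-existing-user-by-attribute"; // hypothetical id
        private static final Authenticator SINGLETON = new DetectExistingUserByAttributeAuthenticator();

        @Override public String getId() { return PROVIDER_ID; }
        @Override public String getDisplayType() { return "Detect existing user by attribute"; }
        @Override public String getReferenceCategory() { return "detectExistingUserByAttribute"; }
        @Override public String getHelpText() {
            return "Links the login to the single local user whose '" + MATCH_ATTRIBUTE + "' attribute matches.";
        }
        @Override public boolean isConfigurable() { return false; }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public Requirement[] getRequirementChoices() {
            return new Requirement[] { Requirement.REQUIRED, Requirement.DISABLED };
        }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return List.of(); }
        @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

Deploy the JAR as a provider, then in the IdP's first-login flow put this step (REQUIRED) in place of "Detect existing broker user", keeping "Automatically set existing user" (REQUIRED) after it, as in point 4. Two checks matter for safety: the "uid" attribute must be unique per user and must not be editable by end users through the account console or user profile, otherwise a user could rewrite it and get linked to someone else's account; and the claim mapped on the Azure AD side must be one Azure AD itself asserts (its `oid` object identifier is the usual stable choice) rather than anything a user can set. The example fails closed on a missing value or on anything other than exactly one match, which is the property you lose with email matching when addresses are reassigned.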