Pull and add AD groups to SAML response from Azure AD using Graph API with Keycloak as an identity broker

Hi everyone,

We are using Keycloak as an identity broker with Azure AD as the identity provider, and we have 200 application servers that are configured for SSO using this configuration, i.e. Azure AD as IdP and Keycloak as a broker.

Azure AD comes with a limitation where it can pass only 150 groups in the response, but in our organization some users have more than 200 AD groups associated (yes!!!). The applications rely heavily on AD groups for access management.

The Azure AD team has recommended that we pull the AD groups list from Azure AD using the Graph API in Keycloak and append them to the response before sending a response to the applications.

Are there any plugins, or is it possible to extend Keycloak's functionality this way?
Is it possible to modify/customize the Keycloak response to add and remove attributes?

I was able to configure Keycloak, but the limitation is killing all my hard work. Any inputs would help.
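
The lookup the Azure AD team recommended, as an added Python example that is not part of the original post and is not Keycloak code: it detects the group-overage marker in the SAML attributes and pages through Microsoft Graph for the user's groups. Assumptions: the claim URIs and the `transitiveMemberOf` endpoint are the ones Microsoft documents for Azure AD, `fetch_json` is a hypothetical callable that performs the authenticated GET, and the assertion and Graph pages are constructed sample data.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MS = "http://schemas.microsoft.com/"
GROUPS = MS + "ws/2008/06/identity/claims/groups"
GROUPS_LINK = MS + "claims/groups.link"  # sent instead of groups on overage
OID = MS + "identity/claims/objectidentifier"
GRAPH_HOST = "graph.microsoft.com"
MEMBER_URL = "https://%s/v1.0/users/%s/transitiveMemberOf/microsoft.graph.group?$select=id&$top=100"

def saml_attributes(assertion_xml):
    """Attribute name -> values, for an assertion whose signature was already verified."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.iter("{%s}Attribute" % NS["saml"])}

def graph_group_ids(user_oid, fetch_json, max_pages=50):
    """Collect group object IDs from Graph, following @odata.nextLink paging."""
    url, ids = MEMBER_URL % (GRAPH_HOST, user_oid), []
    for _ in range(max_pages):
        parts = urlsplit(url)
        # nextLink comes from a response body: keep the bearer token on the Graph host.
        if parts.scheme != "https" or parts.hostname != GRAPH_HOST:
            raise ValueError("refusing to call " + url)
        page = fetch_json(url)
        ids += [g["id"] for g in page.get("value", [])]
        url = page.get("@odata.nextLink")
        if not url:
            return ids
    raise RuntimeError("group paging exceeded max_pages")

def resolve_groups(assertion_xml, fetch_json):
    """Groups from the assertion, or from Graph when Azure AD signalled overage."""
    attrs = saml_attributes(assertion_xml)
    if GROUPS_LINK in attrs:
        return graph_group_ids(attrs[OID][0], fetch_json)
    return attrs.get(GROUPS, [])

# Constructed sample data: an overage assertion and two fake Graph pages.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AttributeStatement>
<saml:Attribute Name="%s"><saml:AttributeValue>user-oid-1</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="%s"><saml:AttributeValue>placeholder-link</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>""" % (OID, GROUPS_LINK)
NEXT = "https://graph.microsoft.com/v1.0/constructed-next-page"
PAGES = {MEMBER_URL % (GRAPH_HOST, "user-oid-1"): {"value": [{"id": "g1"}, {"id": "g2"}], "@odata.nextLink": NEXT},
         NEXT: {"value": [{"id": "g3"}]}}
```

Calling `resolve_groups(SAMPLE, PAGES.__getitem__)` uses a dict lookup in place of the HTTP GET and returns the IDs from both pages.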


Hi, can you let me know if you were using SAML to communicate between Azure AD and Keycloak?

Yes, we are using SAML. The Azure SAML response has a limitation with respect to the number of groups.

How exactly are you mapping Azure AD groups with Keycloak groups?
I don’t see a ‘Claim to Group’ option.