Pull and add AD groups to SAML response from Azure Ad using graph API with KeyCloak as a identity broker

Nav · July 23, 2020, 8:10am

Hi everyone,

We are using a keycloak as an identity broker with AzureAD as Identity Provider and we got 200 application servers that are configured for sso using this configuration. i.e azure-AD as IDP and keycloak as a broker.

The Azure AD comes with a limitation, where it can pass only 150 groups in the response, but in our organization, some users are having more than 200 AD groups associated(yes!!!). The Applications rely heavily on AD groups for Access management.

The Azure AD team has recommended us to pull the AD groups list from Azure AD using Graph API in the keycloak and append them to the response before sending a response to the applications.

Is there any plugins or is it possible to extend the keycloak functionalities this way?
Is it possible to modify/customize the keycloak response to add and remove attributes?

I was able to configure the keycloak but the limitation is killing all my hard work, any inputs would help.

thanks
Nav

shrivastavshubham34 · October 15, 2020, 10:40pm

Hi, can you let me know if you were using SAML to communicate Azure AD with KeyCloak?

Nav · October 21, 2020, 3:25pm

Yes, we using SAML. Azure SAML response has a limitation wrt # of group.

shrivastavshubham34 · October 21, 2020, 4:11pm

How exactly are you mapping Azure AD groups with KeyCloak groups.
I don’t see a ‘Claim to Group’ option.

Topic		Replies	Views
Import groups from Azure AD (SAML) Configuring the server identity-brokering , saml	1	725	February 24, 2022
SAML & Azure AD	0	483	December 2, 2020
Get groups claim from azure Configuring the server saml	1	327	May 10, 2023
Using Keycloak as IdP for Azure AD Securing applications identity-brokering	26	14711	April 12, 2024
LDAP AD group permissions authentication	3	1652	March 11, 2021

Pull and add AD groups to SAML response from Azure Ad using graph API with KeyCloak as a identity broker

Related Topics