Should and could I use LDAP to help with the mapping of memberOf when really using SAML for SSO?

I’m very new to this. My organization has an SSO using PingIdentity which I’m able to call via Identity Provider. So I’m calling it and get a lot of attributes, one of them is a list of memberOf, so a list of groups in this kind of format: “CN=CUCM Jabber Users QB,OU=Distribution List,DC=resource,DC=ds,DC=microsoft,DC=com”

Right now, the only way I know how to digest this is to create a Role, then do a regex to match the string in the Identity Provider Mapper. So the user ends up having that role if the value shows up in the memberOf.

The list of potential groups is pretty large and I’m lazy. It seems Keycloak is not really populating roles or groups with that info. But I believe it does something with this kind of info when using LDAP via User Federation. So what’s the recommended approach? Should I use both LDAP and Identity Provider, and can I really do this?

Maybe the workflow is to connect LDAP, populate all the groups, then only use the Identity Provider?
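As an added example (not code from the original post or from Keycloak), here is a table-driven alternative to one regex mapper per role: it parses memberOf values in the DN format quoted above, extracts each group's CN while honouring RFC 4514 escaping, and grants only the roles listed for known groups. The group-to-role table and every sample DN except the post's own are constructed assumptions.

```python
import re
from typing import Optional

# Constructed sample memberOf values: the first is the DN quoted in the post,
# the others are made up to exercise an escaped comma and an unmapped group.
SAMPLE_MEMBER_OF = [
    "CN=CUCM Jabber Users QB,OU=Distribution List,DC=resource,DC=ds,DC=microsoft,DC=com",
    r"CN=Sales\, EMEA,OU=Security Groups,DC=example,DC=com",
    "CN=Helpdesk,OU=Security Groups,DC=example,DC=com",
]

# Hypothetical allow-list from group CN to role name (an assumption, not
# Keycloak data). Anything not listed here is deliberately ignored.
GROUP_TO_ROLE = {
    "CUCM Jabber Users QB": "jabber-user",
    "Sales, EMEA": "sales",
}


def split_rdns(dn: str) -> list[str]:
    """Split a DN on commas, skipping commas protected by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact for now
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts]


def unescape_dn_value(value: str) -> str:
    """Undo RFC 4514 escaping: '\\X' -> 'X' and '\\2C' (hex pair) -> ','."""
    def repl(m: re.Match) -> str:
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)


def group_cn(dn: str) -> Optional[str]:
    """Return the CN of a group DN, or None when the first RDN is not a CN."""
    first = split_rdns(dn)[0]
    if not first.upper().startswith("CN="):
        return None
    return unescape_dn_value(first[3:])


def roles_for_member_of(member_of: list[str]) -> set[str]:
    """Map a memberOf attribute to the roles the user should receive."""
    return {GROUP_TO_ROLE[cn] for cn in map(group_cn, member_of) if cn in GROUP_TO_ROLE}
```

Matching on the parsed CN rather than on a raw substring of the DN avoids a regex that also fires on a similarly named group in another OU.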

Hey, did you figure out how to map the attributes from LDAP users into users from an external identity provider?

I have a similar problem where I support logins from users from multiple Microsoft domains (using ADFS OIDC Identity provider). My problem is that my OIDC relying party does not pass all the fields stored about the user in the Active Directory.

What I want to do is sync all of the users from my Active Directory Domain using LDAP, and then every time a new user logs in using OIDC Identity Provider the properties of his LDAP user will be added to the OIDC Identity Provider user.

  • The LDAP connection will not be used to authenticate users, only to gather their information