[keycloak-user] Mapping Azure Ad token_id groups to users roles

Adrien Voisin adrien.voisin.be at gmail.com
Thu Apr 6 03:20:34 EDT 2017


Hi Andrius,

To set groups into the token_id, you have to go into your Azure portal.
Then in your app registration settings, edit the "manifest" file, and for
the parameter "groupMembershipClaims" set "SecurityGroup" or "All".

Microsoft doc:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims

Br,

Adrien

2017-04-05 22:54 GMT+02:00 Andrius Karpavičius <
andrius.karpavicius at opencellsoft.com>:

> Hi,
>
> I have posted a question few weeks ago on similar topic - how to
> retrieve Azure AD groups and roles, but nobody has answered.
>
> So maybe you can tell me how you have your AD configured that you get
> groups info in the token.
>
> Thanks,
> Andrius
> >>>
>
> I have created OpenId identity provider with Azure Active directory and it
> works. What I am failing is to retrieve any group or role information from
> Azure, so I can assign corresponding roles in Keycloak.
>
> In their documentation,
> https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims
> I see that if response_type is specified as "id_token" additional claims "roles"
> and "groups" should be returned.
>
> But Keycloak's redirect to authorization URL in Azure contains parameter
> response_type=code and there is no way to overwrite it.
>
> Azure AD's openId configuration
> https://login.microsoftonline.com/e061e904-dda8-491c-9f2f-d1e3051a5191/.well-known/openid-configuration
> returns "response_types_supported":["code","id_token","code id_token","token id_token","token"]
> but "claims_supported" doesn't mention "groups" nor "roles" claims.
>
> So question - is it possible to change response_type to include id_token,
> so groups or roles claims are retrieved and can be used in mapper to assign
> corresponding roles in Keycloak. If not - what is a suggested approach -
> store the token and retrieve them separately?
> Andrius Karpavičius
> tel.: +54 9 3546 482150,
> skype: andriuskarpavicius
>
>
>
> >
> >
> > Date: Wed, 5 Apr 2017 09:12:01 +0200
> > From: Adrien Voisin <adrien.voisin.be at gmail.com>
> > Subject: [keycloak-user] Mapping Azure Ad token_id groups to users
> >          roles
> > To: keycloak-user at lists.jboss.org
> > Message-ID:
> >
> > Hi all,
> >
> >
> > I have the following configuration :
> >
> >
> > *My application :*
> >
> > Front : Angular 2
> >
> > Backend : Springboot rest api
> >
> >
> > *Auth:*
> >
> > Keycloak 3.0.0
> >
> > Windows Azure AD
> >
> >
> > The goal is to use Keyloack and Windows Azure for authentication and
> > permissions management of my web app.
> >
> > (I followed this tutorial:
> > http://slackspace.de/articles/authentication-with-spring-boot-angularjs-and-keycloak/
> > )
> >
> >
> > *Windows Azure AD* : I registered my webapp into Azure AD
> >
> > *Keycloak *: I added two clients (front & back) + an identity provider
> > (Azure).
> >
> >
> > The authentication part works well. (Each request is redirected to the
> > Microsoft auth, then a user in Keycloak is added (first login).
> >
> >
> > Now I would like to use information of the token of Azure (doc:
> > https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims)
> > for permissions management.
> >
> >
> > A token from azure ad looks like below :
> >
> >
> > {
> >   typ: "JWT",
> >   alg: "RS256",
> >   x5t: "kriMPdmBvx68skT8-mPAB3BseeA"
> > }.
> > {
> >   aud: "https://contoso.onmicrosoft.com/scratchservice",
> >   iss: "https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/",
> >   iat: 1416968588,
> >   nbf: 1416968588,
> >   exp: 1416972488,
> >   ver: "1.0",
> >   tid: "b9411234-09af-49c2-b0c3-653adc1f376e",
> >   amr: [
> >    "pwd"
> >   ],
> >   roles: [
> >    "Admin"
> >   ],
> >   oid: "6526e123-0ff9-4fec-ae64-a8d5a77cf287",
> >   upn: "sample.user at contoso.onmicrosoft.com",
> >   unique_name: "sample.user at contoso.onmicrosoft.com",
> >   sub: "yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI",
> >   family_name: "User",
> >   given_name: "Sample",
> >   groups: [
> >    "0e129f6b-6b0a-4944-982d-f776000632af",
> >    "323b13b3-1851-4b94-947f-9a4dacb595f4",
> >    "6e32c250-9b0a-4491-b429-6c60d2ca9a42",
> >    "f3a161a7-9a58-4e8f-9d47-b70022a07424",
> >    "8d4c81b2-b1ad-476d-9574-544d155aa6ff",
> >    "1bf80164-ff24-4866-b19c-6212e5b9a847",
> >    "76f80127-f2cd-46f4-8c52-8edd8bc749b1",
> >    "0ba27160-44d0-42b5-b90c-47b3fcc48e35"
> >   ],
> >   appid: "b075ddef-0efa-123b-997b-de1337c29185",
> >   appidacr: "1",
> >   scp: "user_impersonation",
> >   acr: "1"
> > }.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
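An added example, not from either poster: the mapping step the thread is after, done in Python over a constructed id_token. Azure AD's "groups" claim carries group object IDs, not names, so a GUID-to-role table (the role names here are assumptions) is what a Keycloak mapper would need; the helper also flags the case where Azure AD omits "groups" and emits "_claim_names"/"_claim_sources" because the user is in too many groups. Signature verification is left to Keycloak, which checks the Azure AD keys before any mapper runs.

```python
import base64
import json

# Constructed lookup: Azure AD group object IDs (as seen in the "groups" claim
# quoted in this thread) -> Keycloak realm roles. Role names are assumptions.
GROUP_TO_ROLE = {
    "0e129f6b-6b0a-4944-982d-f776000632af": "app-admin",
    "323b13b3-1851-4b94-947f-9a4dacb595f4": "app-user",
}

# Constructed claims modelled on the decoded token quoted above.
SAMPLE_CLAIMS = {
    "aud": "https://contoso.onmicrosoft.com/scratchservice",
    "iss": "https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/",
    "upn": "sample.user@contoso.onmicrosoft.com",
    "groups": [
        "0e129f6b-6b0a-4944-982d-f776000632af",
        "323b13b3-1851-4b94-947f-9a4dacb595f4",
        "6e32c250-9b0a-4491-b429-6c60d2ca9a42",  # no role mapped: ignored
    ],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED compact JWT for demonstration only."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.PLACEHOLDER-SIGNATURE"


def decode_payload(id_token: str) -> dict:
    """Return the claims of a compact JWT; restores the base64url padding.
    The signature is not checked here: the IdP verifies it before mapping."""
    _header, payload, _signature = id_token.split(".")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def groups_overage(claims: dict) -> bool:
    """True when Azure AD replaced "groups" by a _claim_names/_claim_sources
    reference (too many groups to fit in the token)."""
    return "groups" not in claims and "groups" in claims.get("_claim_names", {})


def map_groups_to_roles(claims: dict, mapping: dict) -> set:
    """Translate group object IDs into realm roles, ignoring unknown groups.
    An absent "groups" claim without overage usually means the app manifest
    still lacks groupMembershipClaims = "SecurityGroup" or "All"."""
    if groups_overage(claims):
        raise ValueError("group overage: fetch membership from Microsoft Graph")
    return {mapping[g] for g in claims.get("groups", []) if g in mapping}
```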

