[keycloak-user] Second try: Using a different claim in the data from a Third Party IDP to associate the user with a Keycloak User..

Mon Mar 13 08:57:00 EDT 2017

Can anyone help please?   I really need to figure this out.   Thank you!

Right now I am working on getting Keycloak to be able to use Azure with Keycloak logging in.   The issue is that we are going to prepopulate the users in Keycloak by calling Azure to get a list of users using the Azure route here:

https://graph.microsoft.com/v1.0/myOrganization/users

We get an access and refresh token not using Keycloak, then call the above route.  It returns data like this:

{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users","@odata.nextLink":"https://graph.microsoft.com/v1.0/myOrganization/users?$skiptoken=X%<secret>","value":[{"id":"<ID1>","businessPhones":[],"displayName":"user081","givenName":null,"jobTitle":null,"mail":null,"mobilePhone":null,"officeLocation":null,"preferredLanguage":null,"surname":null,"userPrincipalName":"nothing at carboniteinc.com<https://lists.jboss.org/mailman/listinfo/keycloak-user>"}

Continuing on and on.

The <ID1> is a guuid that identifies the user.

When I use Keycloak in debug mode this is in the log file:

{"amr":"[\"wia\"]","family_name":"someone","given_name":”first","ipaddr":"<IP>","name":"me","oid":"<ID1>”,"onprem_sid":"something else",
"platf":"5","sub":"A different value here","tid":"Another differen value","unique_name":"<secret>@carbonite.com","upn":"<secret>@carbonite.com","ver":"1.0"}

It is using the value in the “sub” claim to associate the user in Azure with the user in Keycloak.  Is there a way to change Keycloak in the config to use the OID instead since that matches what I get from the user listing?

Because the sub claim is not known when listing the users.

Thank you,

Reed Lewis
This message is the property of CARBONITE, INC. and may contain confidential or privileged information.  
If this message has been delivered to you by mistake, then do not copy or deliver this message to anyone.  Instead, destroy it and notify me by reply e-mail.