Yes, by default Keycloak treats the ObjectGUID as the UUID attribute of AD users. In other words, when you choose the "Active Directory" vendor in the admin console, you can see that the name of the UUID attribute is automatically filled in as ObjectGUID. Keycloak takes care of converting from byte array to String and then fills the serialized String into the LDAP_ID attribute of the user. Keycloak maps the UUID attribute automatically to LDAP_ID, so there is no need to create any LDAP mapper for it.

So if you want to have it available in the access token in your application, you can just create a UserAttribute protocol mapper for the LDAP_ID attribute.

Marek
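An added example illustrating the byte-array-to-string conversion described in the reply above; this is not Keycloak's own code, and it is written in Python rather than Java so it can be run stand-alone. It assumes the dashed, mixed-endian GUID form that AD tools such as Get-ADUser display (the first three fields little-endian, the rest big-endian), which is the form you should compare an LDAP_ID claim against. The sample bytes are constructed, not taken from a real directory. The naive all-big-endian reading is included because it produces a plausible-looking UUID that will never match the directory, a common cause of "the ID in my token is wrong" confusion.

```python
"""objectGUID (16 raw bytes) <-> GUID string, the AD display convention.

Added example, not Keycloak's code. Assumes the Windows mixed-endian GUID
layout for the string form. Verify against your own directory by comparing
the LDAP_ID shown for a federated user with what your AD tooling prints.
"""
import uuid

# Constructed sample: the 16 raw bytes an LDAP search returns for objectGUID.
SAMPLE_OBJECT_GUID = bytes.fromhex("3de54b1d6f0a2b4c8d9e0f1a2b3c4d5e")


def object_guid_to_string(raw: bytes) -> str:
    """Render an AD objectGUID the way AD itself displays it.

    The first three fields of a Windows GUID are stored little-endian and the
    last two big-endian; uuid.UUID(bytes_le=...) applies exactly that order.
    """
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def naive_big_endian_string(raw: bytes) -> str:
    """The tempting but wrong conversion: all 16 bytes read big-endian.

    The result is a syntactically valid UUID that does not match the value
    shown by Get-ADUser or ADSI Edit, so a token claim built this way cannot
    be correlated with the directory.
    """
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes=raw))


def guid_string_to_ldap_filter(guid: str, attribute: str = "objectGUID") -> str:
    """Build an LDAP search filter that finds the object by its GUID string.

    objectGUID is a binary attribute, so the filter value must be the raw
    bytes, each escaped as \\xx (RFC 4515), in on-the-wire byte order.
    This is the inverse of object_guid_to_string.
    """
    raw = uuid.UUID(guid).bytes_le
    escaped = "".join(f"\\{b:02x}" for b in raw)
    return f"({attribute}={escaped})"


def token_id_matches_directory(token_ldap_id: str, raw: bytes) -> bool:
    """Compare an LDAP_ID claim from a token with the raw directory bytes.

    Tolerates differences in case and surrounding braces ({...}) that appear
    depending on which tool the GUID string was copied from.
    """
    return uuid.UUID(token_ldap_id) == uuid.UUID(bytes_le=raw)


if __name__ == "__main__":
    shown = object_guid_to_string(SAMPLE_OBJECT_GUID)
    print("AD display form :", shown)
    print("naive big-endian:", naive_big_endian_string(SAMPLE_OBJECT_GUID))
    print("lookup filter   :", guid_string_to_ldap_filter(shown))
```

The practical check: take the LDAP_ID value Keycloak stores for a federated user, feed it to guid_string_to_ldap_filter, and run that filter against AD; it must return exactly the user in question. If it returns nothing, the byte order used to serialize the GUID does not match the directory's.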

On 24.7.2015 04:14, Kenyatta Clark wrote:
I am trying to create a user federation mapper to map the object from Active Directory to an attribute in the JWT. I have successfully mapped other Active Directory attributes but I am unable to get the ObjectGUID to map at all. I remembered that the ObjectGUID needs to be converted from a byte array to a string. Does Keycloak take care of that conversion? What is the best way to map the ObjectGUID?
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user