Ok, so I figured it out. Just wanted to leave the solution here in case
anyone else needs it. Looking through the source, I found that Keycloak
will convert objectGUID to base64 automatically on import from LDAP.
I created a new mapper in my User Federated LDAP with the following
settings:
Name: saml.persistent.name.id.for.urn:federation:MicrosoftOnline
Mapper Type: user-attribute-ldap-mapper
User Model Attribute: saml.persistent.name.id.for.urn:federation:MicrosoftOnline
LDAP Attribute: objectGUID
Read Only: ON
Always Read Value from LDAP: ON
Is Mandatory in LDAP: OFF
Is Binary Attribute: OFF
All users now have the
saml.persistent.name.id.for.urn:federation:MicrosoftOnline
attribute added to every account in Keycloak, and users can log in as
expected.
--
Aaron Echols
On Wed, Apr 17, 2019 at 11:49 AM Aaron Echols <aechols(a)bfcsaz.com> wrote:
Hello All,
I've been working on getting SAML2 working with Azure AD Education. I've
gotten it working using the article listed below, with the exception of the
ImmutableID (when you attempt to log in to Azure AD, Keycloak generates a
random GUID for each user who attempts to log in). If I convert/get their
ImmutableID, the users can log in successfully:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-con...
So to set the tone here, I'm federating all my accounts from Server 2016
AD with 2016 forest level. I'm trying to figure out how to get each
user's ImmutableID by converting the objectGUID to the ImmutableID and add
the following attribute to every user, populated with the
ImmutableID:
saml.persistent.name.id.for.urn:federation:MicrosoftOnline
Azure AD's ImmutableID is based off of the objectGUID in the on-prem AD
and not stored in the local AD from what I can tell. I have to use
the Get-MsolUser PoSH cmdlet to get their ImmutableID.
How do I convert the objectGUID by importing it into Keycloak, then
converting it to the ImmutableID in Keycloak for all users? It sure would
stink adding it by hand to every user...
I'm able to convert the objectGUID locally using something like the following, but that is
useless in Keycloak:
$userUPN = "user@domain.com"
$guid = [guid]((Get-ADUser -LdapFilter "(userPrincipalName=$userUPN)").objectGuid)
$immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())
Thanks in advance for any assistance :)
--
Aaron Echols
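The conversion discussed in this thread (objectGUID bytes -> base64 ImmutableID, which is what the Keycloak mapper ends up storing) can be checked offline. The script below is an added example written for this thread, not code from Aaron's message or from Keycloak. It reproduces the PowerShell `[guid]::ToByteArray()` + `ToBase64String` logic in Python and lets you compare the value a Keycloak user attribute ends up holding against the ImmutableID Azure AD expects. The GUID value used is constructed for the example; the byte-order note is the one real pitfall: the string form of a GUID is mixed-endian, so encoding the raw LDAP bytes (what Keycloak imports) and encoding `Guid.ToByteArray()` agree, while encoding the big-endian "textual" byte order does not.

```python
import base64
import uuid


def immutable_id_from_raw_object_guid(raw: bytes) -> str:
    """Base64 of the 16 raw bytes exactly as LDAP hands objectGUID over.

    This is what Keycloak stores when it base64-encodes the attribute on
    import, and it is the form Azure AD uses as ImmutableID.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes, got %d" % len(raw))
    return base64.b64encode(raw).decode("ascii")


def immutable_id_from_guid_string(guid_text: str) -> str:
    """Equivalent of the PowerShell one-liner in the thread.

    .NET's Guid.ToByteArray() emits the first three fields little-endian,
    which is the same layout as the raw LDAP bytes. Python exposes that
    layout as UUID.bytes_le.
    """
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def immutable_id_wrong_byte_order(guid_text: str) -> str:
    """The common mistake: encoding the GUID in textual (big-endian) order.

    Azure AD will not match this value to the on-prem object, so it is
    included here only to show what a mismatch looks like.
    """
    return base64.b64encode(uuid.UUID(guid_text).bytes).decode("ascii")


def guid_string_from_immutable_id(immutable_id: str) -> str:
    """Reverse the mapping: ImmutableID -> the familiar GUID string."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def keycloak_value_matches(keycloak_attribute_value: str, ad_guid_string: str) -> bool:
    """Check that the value stored in the Keycloak user attribute
    (saml.persistent.name.id.for.urn:federation:MicrosoftOnline)
    is the ImmutableID Azure AD expects for the given AD objectGUID."""
    return keycloak_attribute_value == immutable_id_from_guid_string(ad_guid_string)


if __name__ == "__main__":
    # Constructed sample GUID; not a real account.
    sample_guid = "01234567-89ab-cdef-0123-456789abcdef"
    # Raw bytes as LDAP would return them for the same GUID (little-endian fields).
    sample_raw = uuid.UUID(sample_guid).bytes_le

    print("raw LDAP bytes   :", sample_raw.hex())
    print("ImmutableID      :", immutable_id_from_raw_object_guid(sample_raw))
    print("from GUID string :", immutable_id_from_guid_string(sample_guid))
    print("wrong byte order :", immutable_id_wrong_byte_order(sample_guid))
    print("round trip       :", guid_string_from_immutable_id(
        immutable_id_from_guid_string(sample_guid)))
```

To use it against a real account, paste the objectGUID string shown in AD (or the hex bytes from an LDAP search) and the attribute value Keycloak shows for the user; `keycloak_value_matches` should be true. If it is false and the value instead equals the output of `immutable_id_wrong_byte_order`, something in the chain encoded the GUID in textual byte order rather than the raw bytes.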