On further research, I believe this is done using cookies.
I can see the below Keycloak class setting cookies:
https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main...
Also, Microsoft has the below:
https://docs.microsoft.com/en-us/windows/desktop/ad/polling-for-changes-u...
I am assuming for this to work, on the Microsoft Active Directory side, it
needs to support this concept. If they don't, won't it just do a full sync
rather than not sync?
On Wed, May 8, 2019 at 11:54 AM Travis De Silva <traviskds(a)gmail.com> wrote:
Hi
We have a user federation setup that connects to Microsoft Active
Directory (AD).
We are having an issue where when user attributes such as "memberof" or
extension attributes are updated, it does not update it in Keycloak. We
have the synchronize changed users set to activate every half an hour.
How does Keycloak identify if the user has changed in AD? Are you using
the AD attribute "whenChanged" or is it some other attribute?
Appreciate any help.
Cheers
Travis