[keycloak-user] Azure AD - ImmutableID

Aaron Echols aechols at bfcsaz.com
Wed Apr 17 14:49:26 EDT 2019


Hello All,

I've been working on getting SAML2 working with Azure AD Education. I've
gotten it working using the article listed below, with the exception of the
ImmutableID (when you attempt to login to Azure AD, Keycloak generates a
random GUID for each user who attempts to login). I can convert and get their
ImmutableID, and the users can login successfully:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp#set-up-a-trust-between-your-saml-identity-provider-and-azure-ad

So to set the tone here, I'm federating all my accounts from Server 2016 AD
with 2016 forest level. I'm trying to figure out how to get each
user's ImmutableID by converting the objectGUID to the ImmutableID and add
the following attribute to every user, populated with the
ImmutableID:

saml.persistent.name.id.for.urn:federation:MicrosoftOnline

Azure AD's ImmutableID is based on the objectGUID in the on-prem AD and
not stored in the local AD from what I can tell. I have to use the Get-MsolUser
PowerShell cmdlet to get their ImmutableID.

How do I convert the objectGUID by importing it into Keycloak, then
converting it to the ImmutableID in Keycloak for all users? It sure would
stink adding it by hand to every user...

I'm able to convert the objectGUID locally using something like the following,
but it is useless in Keycloak:

# UPN of the account to look up (the list archive munged the "@" as " at ")
$userUPN = "user@domain.com"
# Read the objectGUID (16 raw bytes) from AD and cast it to a [guid]
$guid = [guid]((Get-ADUser -LdapFilter "(userPrincipalName=$userUPN)").objectGuid)
# ImmutableID = Base64 of the GUID bytes in AD storage order (Guid.ToByteArray)
$immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())

Thanks in advance for any assistance :)
--
Aaron Echols
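The conversion asked about above, as an added Python example that is not part of the original post and is not Keycloak or Microsoft code. It rests on one fact the poster's PowerShell already relies on: Azure AD Connect's default ImmutableID is the Base64 encoding of the objectGUID's 16 raw bytes in the order AD stores them (first three fields little-endian, which is what .NET Guid.ToByteArray() returns and what Python exposes as UUID.bytes_le). Using the big-endian textual order would yield a different ID that silently fails to match the Azure AD account, so the example keeps both the string-based and raw-byte-based paths and a reverse check against what Get-MsolUser reports. The function names, the sample UPN and GUID are constructed for illustration; the attribute name is the one from the post. Reading objectGUID over LDAP and writing the attribute through the Keycloak Admin API are left to the caller.

```python
import base64
import uuid

# Attribute name from the post: the persistent NameID Keycloak sends to Azure AD.
AZURE_NAMEID_ATTR = "saml.persistent.name.id.for.urn:federation:MicrosoftOnline"


def object_guid_to_immutable_id(object_guid: str) -> str:
    """Convert an objectGUID string (as Get-ADUser displays it) to an ImmutableID.

    bytes_le gives the GUID in AD storage order (first three fields little-endian),
    the same order as .NET Guid.ToByteArray(). UUID.bytes (big-endian) would produce
    a different, non-matching ID.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def ldap_object_guid_to_immutable_id(raw: bytes) -> str:
    """Same conversion starting from the 16 raw bytes an LDAP client (for example
    Keycloak's LDAP federation) receives for the objectGUID attribute.
    The raw bytes are already in storage order, so no reordering is needed."""
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return base64.b64encode(raw).decode("ascii")


def immutable_id_to_object_guid(immutable_id: str) -> str:
    """Reverse mapping: turn an ImmutableID (e.g. from Get-MsolUser) back into the
    objectGUID string so it can be compared with what AD reports."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def build_user_attributes(users):
    """Map each UPN to the Keycloak user attribute that must carry the ImmutableID.

    `users` is an iterable of (userPrincipalName, objectGUID string) pairs, the two
    values an export from AD would provide per account.
    """
    result = {}
    for upn, guid in users:
        result[upn] = {AZURE_NAMEID_ATTR: object_guid_to_immutable_id(guid)}
    return result


# Constructed sample data (hypothetical account and GUID, not from the post).
SAMPLE_USERS = [
    ("alice@example.com", "00112233-4455-6677-8899-aabbccddeeff"),
]

if __name__ == "__main__":
    for upn, attrs in build_user_attributes(SAMPLE_USERS).items():
        print(upn, attrs)
```

A quick consistency check for a migration is to run immutable_id_to_object_guid over the value Get-MsolUser returns and confirm it equals the on-prem objectGUID; if the two disagree, the byte order (or the source anchor attribute) is not what was assumed.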

