[keycloak-user] Azure AD - ImmutableID

Aaron Echols aechols at bfcsaz.com
Wed Apr 17 18:34:19 EDT 2019


Ok, so I figured it out. Just wanted to leave the solution here in case
anyone else needs it. Looking through the source, I found that Keycloak
will convert objectGUID to base64 automatically on import from LDAP.

I created a new mapper in my User Federated LDAP with the following
settings:

Name:  saml.persistent.name.id.for.urn:federation:MicrosoftOnline
Mapper Type: user-attribute-ldap-mapper
User Model Attribute:
saml.persistent.name.id.for.urn:federation:MicrosoftOnline
LDAP Attribute: objectGUID
Read Only: ON
Always Read Value from LDAP: ON
Is Mandatory in LDAP: OFF
Is Binary Attribute: OFF

All users now have the
saml.persistent.name.id.for.urn:federation:MicrosoftOnline
attribute added to every account in Keycloak and users can login as
expected.
--
Aaron Echols

On Wed, Apr 17, 2019 at 11:49 AM Aaron Echols <aechols at bfcsaz.com> wrote:

> Hello All,
>
> I've been working on getting SAML2 working with Azure AD Education. I've
> gotten it working using the article listed below, with the exception of the
> ImmutableID (when you attempt to log in to Azure AD, Keycloak generates a
> random GUID for each user who attempts to log in). I can get their
> ImmutableID and the users can log in successfully:
>
>
> https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp#set-up-a-trust-between-your-saml-identity-provider-and-azure-ad
>
> So to set the tone here, I'm federating all my accounts from Server 2016
> AD with 2016 forest level. I'm trying to figure out how to get each
> user's ImmutableID by converting the objectGUID to the ImmutableID and add
> the following attribute to every user which is populated with the
> ImmutableID:
>
> saml.persistent.name.id.for.urn:federation:MicrosoftOnline
>
> Azure AD's ImmutableID is based off of the objectGUID in the on-prem AD
> and not stored in the local AD from what I can tell. I have to use
> Get-MsolUser PoSH cmdlet to get their ImmutableID.
>
> How do I convert the objectGUID by importing it into Keycloak, then
> converting it to the ImmutableID in Keycloak for all users? It sure would
> stink adding it by hand to every user...
>
> I'm able to convert the objectGUID locally using something like this, but it
> is useless in Keycloak:
>
> $userUPN = "user@domain.com"
> $guid = [guid]((Get-ADUser -LdapFilter "(userPrincipalName=$userUPN)").objectGuid)
> # ImmutableID is the base64 form of the GUID's byte array
> $immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())
>
> Thanks in advance for any assistance :)
> --
> Aaron Echols
>
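The objectGUID to ImmutableID conversion discussed in both messages, as an added example in Python (my own code, not Keycloak's or Microsoft's): it shows that base64 of the raw 16-byte LDAP objectGUID, which is what the mapper above stores, is the same value the PowerShell `ToBase64String($guid.ToByteArray())` line produces, and decodes an ImmutableID back to GUID text so the mapper's output can be compared against what `Get-MsolUser` reports before federation is relied on. The GUID, its raw byte form and the function names are constructed sample values.

```python
import base64
import uuid

def immutable_id_from_guid(guid_text: str) -> str:
    """ImmutableID = base64 of the GUID in .NET Guid.ToByteArray() order.

    That order is mixed-endian (first three fields little-endian, last 8
    bytes as written), which Python exposes as UUID.bytes_le; UUID.bytes
    (big-endian) would give a different, wrong value."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")

def immutable_id_from_ldap_objectguid(raw: bytes) -> str:
    """What a mapper that base64-encodes the raw LDAP objectGUID stores.
    AD returns objectGUID as 16 bytes already in that mixed-endian layout,
    so base64 of the raw bytes equals the value computed from GUID text."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return base64.b64encode(raw).decode("ascii")

def guid_from_immutable_id(immutable_id: str) -> str:
    """Decode an ImmutableID (e.g. from Get-MsolUser) back to GUID text.
    Rejects non-base64 input and wrong lengths so a hand-edited or
    double-encoded attribute is caught rather than silently accepted."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID must decode to exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))

def mapper_value_matches(keycloak_attr: str, msol_immutable_id: str) -> bool:
    """Pre-flight check before trusting the mapper: does the Keycloak
    attribute denote the same GUID as the tenant's ImmutableID?"""
    try:
        return guid_from_immutable_id(keycloak_attr) == guid_from_immutable_id(
            msol_immutable_id)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

# Constructed sample user (not a real account); the raw form is the same
# GUID as AD hands it back over LDAP.
SAMPLE_GUID = "12345678-9abc-def0-1234-56789abcdef0"
SAMPLE_LDAP_OBJECTGUID = bytes.fromhex("78563412bc9af0de123456789abcdef0")

if __name__ == "__main__":
    iid = immutable_id_from_guid(SAMPLE_GUID)
    print(SAMPLE_GUID, "->", iid, "| mapper matches:",
          immutable_id_from_ldap_objectguid(SAMPLE_LDAP_OBJECTGUID) == iid)
```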

