I am currently trying to configure Wazuh for Single Sign-On using Keycloak with SAML. I am encountering the following problem:
The users in Active Directory have an alternative UPN suffix (e.g., @test.de) which is stored in the LDAP attribute userPrincipalName.
However, when I review the Keycloak logs with debug enabled, I see that the primary suffix is being used instead of the alternative UPN suffix:
2025-09-13 09:45:54,626 WARN [org.keycloak.storage.ldap.LDAPStorageProvider] (executor-thread-15) Not found LDAP user with kerberos principal [michi@TEST.local]. Kerberos principal attribute is [userPrincipalName].
Question:
Does anyone have experience or tips on how to configure Keycloak and Wazuh so that the alternative UPN suffix is actually used during the SSO login to Wazuh?
Is this issue related to Wazuh, or is it a Keycloak configuration problem that causes the alternative UPN suffix not to be applied?
I encountered the same problem when the user's UPN suffix differs from the default Kerberos principal. Below I describe a simple way to solve the problem.
In the LDAP federation settings, set:
Username LDAP attribute: sAMAccountName
Allow Kerberos authentication: yes
Server principal: HTTP/keycloak.mycompany.org@DOMAIN.LOCAL
Key tab: path to the keytab file
Kerberos principal attribute: leave blank
The principle is that, if the Kerberos principal attribute is not set, Keycloak searches for the user by the first part of the Kerberos principal (the user in user@DOMAIN.LOCAL) from the Kerberos ticket, which matches the sAMAccountName value.
This is a fairly simple method. In my case, I couldn’t use sAMAccountName for the Username LDAP attribute. I needed to use userPrincipalName.
And this is a problem: I had to change the logic of Keycloak and recompile the KerberosPrincipalAttributeMapper and LDAPStorageProvider classes.
If needed, I can share my fixes. I’d also like to bring this issue to the developers’ attention.
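As an added illustration (not code from this thread and not Keycloak's own implementation), the following Python model reproduces the lookup rule the answer above describes and shows why each configuration succeeds or fails: the directory entries, the `LdapFederation` settings object and the `find_user` / `search_filter` helpers are all constructed for this example; the matching rule (full principal against the Kerberos principal attribute when one is set, otherwise the part before `@` against the username LDAP attribute) is taken from the answer, and AD string attributes are assumed to match case-insensitively.

```python
# Added example: model of the Kerberos principal -> LDAP user lookup as
# described in the answer above. Not Keycloak source code.
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory. "michi" has an alternative UPN suffix
# (@test.de) that differs from the Kerberos realm (TEST.local); "anna"
# uses the primary suffix.
DIRECTORY = [
    {"sAMAccountName": "michi", "userPrincipalName": "michi@test.de"},
    {"sAMAccountName": "anna", "userPrincipalName": "anna@TEST.local"},
]


@dataclass
class LdapFederation:
    """Hypothetical mirror of the two LDAP federation settings that matter here."""
    username_ldap_attribute: str
    kerberos_principal_attribute: Optional[str] = None  # None == "leave blank"


def search_filter(config: LdapFederation, principal: str) -> str:
    """Return the LDAP filter the lookup rule would issue for this principal."""
    if config.kerberos_principal_attribute:
        # Attribute configured: the full principal from the ticket is compared
        # against that attribute, so michi@TEST.local never equals michi@test.de.
        return f"({config.kerberos_principal_attribute}={principal})"
    # Attribute blank: only the part before '@' is compared, against the
    # username LDAP attribute.
    prefix = principal.split("@", 1)[0]
    return f"({config.username_ldap_attribute}={prefix})"


def find_user(config: LdapFederation, principal: str, directory=DIRECTORY):
    """Return the matching directory entry, or None (the WARN case in the question)."""
    flt = search_filter(config, principal)
    attr, value = flt[1:-1].split("=", 1)
    for entry in directory:
        # Assumption: AD compares these string attributes case-insensitively.
        if entry.get(attr, "").lower() == value.lower():
            return entry
    return None


if __name__ == "__main__":
    ticket = "michi@TEST.local"
    asked = LdapFederation("sAMAccountName", "userPrincipalName")   # question's setup
    fixed = LdapFederation("sAMAccountName", None)                  # answer's fix
    upn_user = LdapFederation("userPrincipalName", None)            # answer's remaining problem
    for name, cfg in [("question", asked), ("fix", fixed), ("upn-username", upn_user)]:
        print(name, search_filter(cfg, ticket), "->", find_user(cfg, ticket))
```

Running the block prints three lookups: the question's configuration issues `(userPrincipalName=michi@TEST.local)` and finds nothing, the answer's configuration issues `(sAMAccountName=michi)` and finds the user, and the userPrincipalName-as-username variant issues `(userPrincipalName=michi)` and again finds nothing, which is the case the answer says required patching Keycloak.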