Hello community,
I am currently trying to configure Wazuh for Single Sign-On using Keycloak with SAML. I am encountering the following problem:
The users in Active Directory have an alternative UPN suffix (e.g., @test.de), which is stored in the LDAP attribute userPrincipalName.
However, when I review the Keycloak logs with debug enabled, I see that the primary suffix is being used instead of the alternative UPN suffix:
2025-09-13 09:45:54,626 WARN [org.keycloak.storage.ldap.LDAPStorageProvider] (executor-thread-15) Not found LDAP user with kerberos principal [michi@TEST.local]. Kerberos principal attribute is [userPrincipalName].
Question:
Does anyone have experience or tips on how to configure Keycloak and Wazuh so that the alternative UPN suffix is actually used during the SSO login to Wazuh?
Is this issue related to Wazuh, or is it a Keycloak configuration problem that causes the alternative UPN suffix not to be applied?
Thank you very much for your help!
Michi
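As an added illustration (not code from the poster, Keycloak or Wazuh), the script below replays what the quoted WARN line shows: Keycloak takes the principal from the Kerberos ticket, michi@TEST.local, and looks for an LDAP entry whose userPrincipalName equals it. It parses that exact log line, then runs the same exact-match lookup against a small constructed directory snapshot standing in for an ldapsearch result; the entry for michi carries the alternative suffix test.de, so the exact match fails and the script reports the suffix mismatch instead. The directory entries and the case-insensitive comparison are assumptions for the example; the log line is the one from the post.

```python
import re

# The Keycloak LDAPStorageProvider warning quoted in the post.
SAMPLE_LINE = (
    "2025-09-13 09:45:54,626 WARN [org.keycloak.storage.ldap.LDAPStorageProvider] "
    "(executor-thread-15) Not found LDAP user with kerberos principal [michi@TEST.local]. "
    "Kerberos principal attribute is [userPrincipalName]."
)

KEYCLOAK_WARN = re.compile(
    r"Not found LDAP user with kerberos principal \[(?P<principal>[^\]]+)\]\. "
    r"Kerberos principal attribute is \[(?P<attribute>[^\]]+)\]"
)

# Constructed directory snapshot (not real data); each dict mimics one AD user entry.
DIRECTORY = [
    {"sAMAccountName": "michi", "userPrincipalName": "michi@test.de"},
    {"sAMAccountName": "anna", "userPrincipalName": "anna@TEST.local"},
]


def parse_keycloak_warning(line):
    """Return (principal, attribute) from the Keycloak warning, or None for other lines."""
    m = KEYCLOAK_WARN.search(line)
    if not m:
        return None
    return m.group("principal"), m.group("attribute")


def diagnose(principal, attribute, entries):
    """Replay Keycloak's lookup: an exact match of `principal` against `attribute`.

    Values are compared case-insensitively (assumed to mirror how AD matches this
    attribute). If no exact match exists, the same local part is searched with any
    suffix so the caller can see which suffix the directory actually stores.
    """
    local, _, realm = principal.partition("@")
    exact = [e for e in entries if e.get(attribute, "").lower() == principal.lower()]
    if exact:
        return {"status": "match", "entry": exact[0]}
    same_user = [
        e for e in entries
        if e.get(attribute, "").lower().startswith(local.lower() + "@")
    ]
    if same_user:
        stored = same_user[0][attribute]
        return {
            "status": "suffix_mismatch",
            "kerberos_realm": realm,
            "stored_suffix": stored.partition("@")[2],
            "entry": same_user[0],
        }
    return {"status": "no_user"}


if __name__ == "__main__":
    parsed = parse_keycloak_warning(SAMPLE_LINE)
    if parsed:
        principal, attribute = parsed
        print(principal, attribute, diagnose(principal, attribute, DIRECTORY))
```

Against a live domain the same check is an ldapsearch for the user's userPrincipalName: if it returns the alternative suffix while the ticket principal carries the Kerberos realm, the exact-match lookup in the log will keep failing regardless of anything configured on the Wazuh side.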