How does Keycloak get 'Identity Provider ID' or 'username' from Azure AD?

Hi,
I’ve setup Keycloak as an identity broker with Azure AD.
Everything works fine: when I trigger the login to Keycloak from my webapp, I get redirected to Azure AD, do the authentication and my sample app displays my ID_token and access_token.
Of course, I’m also automatically added as a user in Keycloak.
But that’s the thing - I would like to automate that step (pre-populate Keycloak from Azure AD) - but Keycloak uses a specific Identity provider ID and Identity provider username value to do the match, and I cannot figure out where it gets that value from. I can’t find it in Azure AD - I checked all attributes of the user. I don’t see it in my JWT from Azure AD. I don’t see it in the userinfo endpoint on the Azure ID openID endpoint

It looks like this:
Identity provider ID: bPnSL00SVbZoFB97zHSwi9ksiT4bAzGxL2LKk2oaJcM
Identity provider username: bpnsl00svbzofb97zhswi9ksit4bazgxl2lkk2oajcm

If I pre-populate the users table with an entry with these values and link it to the IdP with these values, the login works and it picks up this ID automatically.

But how do I get the Identity provider ID?

Any suggestions? (using Keycloak 11.0.2)


I enabled verbose logging and found the following in the keycloak logs:

14:55:27,345 DEBUG [org.keycloak.social.user_profile_dump] (default task-9) User Profile JSON Data for provider oidc: {"sub":"bPnSL00SVbZoFB97zHSwi9ksiT4bAzGxL2LKk2oaJcM","name":"steve","picture":"https://graph.microsoft.com/v1.0/me/photo/$value"}

which is odd because when I query the userinfo endpoint I get

{
    "sub": "1CBzJUoVxGqU6-mXKLhOF58xR9-FfSBKqUB2Rl24g8c",
    "name": "steve",
    "picture": "https://graph.microsoft.com/v1.0/me/photo/$value"
}

@tvdvoorde were u able to get a solution for this?
I am also facing this issue; any help would be greatly appreciated.

The Azure AD subject is specific to the application registration, i.e. different applications integrated with Azure AD will get different values for sub on the same account. oid is supposed to be consistent but requires the profile scope.

I’m not sure how to map a different token property into Provider User ID or Provider Username for federated identities.

Did you ever find a solution to this issue? I believe we’re hitting the same problem. Any help would be greatly appreciated!

Hello. @tvdvoorde, do you have a solution for this? We got the same issue and we are looking for a solution.

We developed a simple program which syncs Users/Groups from Entra to Keycloak and we want to create the federation when creating users, but we are stuck because of this “User ID” :frowning:

It's a long time ago, but I was able to do the match on email.
So you could pre-create the users in KeyCloak, and set the correct email (from the federated IdP), and then they would be matched when doing the first login. I don’t recall exactly how it was done. I believe there was documentation on it on the KeyCloak site.

From what I remember, it involved slight tweaking to the first login flow (all in the portal, nothing fancy)
https://www.keycloak.org/docs/latest/server_admin/#default-first-login-flow-authenticators

Ok thank you very much for your answer @tvdvoorde. I’ll check this :slight_smile:

If someone has the same problem: one other solution is to add a mapper in the IdP configuration to use a value other than the sub JWT claim as User ID.

I have configured it to use the oid claim (User object ID). It works well.

See "azure active directory - Keycloak with AzureAD how to change the IDP user ID / IDP Links" on Stack Overflow for more information :slight_smile:
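To tie the two findings in this thread together (sub is pairwise per Azure AD app registration, so pre-provisioning must key on oid, and a Username Template Importer mapper can make Keycloak store oid as the broker user ID), here is an added example of what a small sync program like the one described above could do. It is not code from this thread or from the Keycloak project. Assumptions not taken from the thread: the admin REST API paths `/identity-provider/instances/{alias}/mappers`, `/users` and `/users/{id}/federated-identity/{alias}`; the mapper type id `oidc-username-idp-mapper` with config keys `template`, `target` (value `BROKER_ID`) and `syncMode`, which exist in recent Keycloak releases (not checked against 11.0.2); the IdP alias `azure-ad`; and the environment variables `KEYCLOAK_URL`, `KEYCLOAK_REALM` and `KEYCLOAK_TOKEN` for the live run. The sample token is constructed inline so everything else runs offline.

```python
"""Pre-provision a Keycloak user linked to Azure AD by `oid` (added example)."""
import base64
import json
import os
import sys
import urllib.request

IDP_ALIAS = "azure-ad"  # assumed alias of the Azure AD IdP in Keycloak


def decode_jwt_payload(token: str) -> dict:
    """Return a JWT's payload WITHOUT verifying its signature.

    Only for reading claims of a token you already trust (received over TLS
    from the IdP you configured); never use this to authenticate anyone."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def stable_user_id(claims: dict) -> str:
    """`sub` differs per app registration (the thread saw one value through
    Keycloak and another from userinfo); `oid` is the directory object id of
    the user and is the same for every application, so link on that."""
    if "oid" not in claims:
        raise ValueError("token has no oid claim; request the profile scope")
    return claims["oid"]


def username_template_mapper(idp_alias: str, claim: str = "oid") -> dict:
    """IdP mapper telling Keycloak to store ${CLAIM.oid} as the broker user id
    (assumed mapper type and config keys, see lead-in)."""
    return {
        "name": f"{claim}-as-broker-id",
        "identityProviderAlias": idp_alias,
        "identityProviderMapper": "oidc-username-idp-mapper",
        "config": {"template": "${CLAIM.%s}" % claim,
                   "target": "BROKER_ID",
                   "syncMode": "INHERIT"},
    }


def user_representation(claims: dict) -> dict:
    """Minimal Keycloak UserRepresentation built from the token claims."""
    upn = claims["preferred_username"]
    return {"username": upn.lower(), "email": upn,
            "firstName": claims.get("name", ""), "enabled": True}


def federated_identity_link(idp_alias: str, claims: dict) -> dict:
    """FederatedIdentityRepresentation; Keycloak looks the link up by
    (identityProvider, userId), so the userId must equal what the mapper
    above will produce at first login, i.e. the oid."""
    uid = stable_user_id(claims)
    return {"identityProvider": idp_alias, "userId": uid,
            "userName": claims.get("preferred_username", uid)}


def _admin(method: str, path: str, body: dict):
    """One authenticated call to the Keycloak admin REST API (live run only)."""
    url = f"{os.environ['KEYCLOAK_URL']}/admin/realms/{os.environ['KEYCLOAK_REALM']}{path}"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": "Bearer " + os.environ["KEYCLOAK_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers.get("Location", "")


def provision(claims: dict) -> None:
    """Create the mapper once, then the user and its federated-identity link."""
    _admin("POST", f"/identity-provider/instances/{IDP_ALIAS}/mappers",
           username_template_mapper(IDP_ALIAS))
    _, location = _admin("POST", "/users", user_representation(claims))
    keycloak_user_id = location.rstrip("/").rsplit("/", 1)[-1]
    _admin("POST", f"/users/{keycloak_user_id}/federated-identity/{IDP_ALIAS}",
           federated_identity_link(IDP_ALIAS, claims))


def _fake_jwt(payload: dict) -> str:
    """Unsigned JWT-shaped string for the offline demo (constructed data)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.signature-omitted"


SAMPLE_TOKEN = _fake_jwt({
    "sub": "bPnSL00SVbZoFB97zHSwi9ksiT4bAzGxL2LKk2oaJcM",  # value from the thread
    "oid": "00000000-0000-0000-0000-000000000001",          # constructed object id
    "name": "steve",
    "preferred_username": "steve@example.com",            # constructed UPN
})

if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print("sub (per-app):", claims["sub"], "| oid (stable):", stable_user_id(claims))
    print(json.dumps(federated_identity_link(IDP_ALIAS, claims), indent=2))
    if "--live" in sys.argv:  # only then talk to a real Keycloak
        provision(claims)
```

Without `--live` the script only shows the payloads it would send; with it, the admin token in `KEYCLOAK_TOKEN` needs manage-users and manage-identity-providers rights on the realm. Creating the mapper is idempotent only by name, so on repeated runs expect a 409 from the first call and skip it.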