Keycloak integrate Azure Active Directory mapper

Hi,

I have integrated Keycloak and Azure Active Directory (now Microsoft Entra ID) successfully, following the guideline from https://www.youtube.com/watch?v=LYF-NLHD2uQ .

After logging in successfully, the user is required to update their information, where we expect no update to be needed. We checked and found that the mapping is not as expected. Below is the current and the expected mapping between Keycloak and Azure:

  1. Email:
  • Current: Email (Keycloak) maps to Email (Azure)
  • Expectation: Email (Keycloak) maps to User principal name (Azure)
  2. First name:
  • Current: First name (Keycloak) maps to part of Display name (Azure)
  • Expectation: First name (Keycloak) maps to First name (Azure)
  3. Last name:
  • Current: Last name (Keycloak) maps to part of Display name (Azure)
  • Expectation: Last name (Keycloak) maps to Last name (Azure)

Any suggestion or guideline to resolve this point would be very much appreciated!
Thanks!

Try to request the „profile“ and „email“ scopes explicitly. This is a setting in the idp config.

@dasniko yes, thanks for the feedback. I have already added `openid profile email` in Scopes, and it still maps as in the current situation.

You can use automatic account link.

This involves creating a new flow for the broker first login.

Ah, ok, I didn’t read your post carefully enough (as I’m currently at

Seems that the token/userinfo from Azure is somehow strangely configured. In my default examples, everything did work properly out of the box.

Thanks @appsec_hero and @dasniko for the feedback (even though @dasniko is busy at a conference 🙂).

The link @appsec_hero provided creates a new flow for first login. Currently I would prefer to update the mapping and see how it works.

Following the mapping approach with the Attribute Importer, it works for me.

Thanks!

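As an added example (not code from the thread or from the Keycloak project), the three Attribute Importer mappers the last reply refers to can be created through the Keycloak Admin REST API instead of the admin console. The Keycloak URL, realm, IdP alias "azure" and the Entra claim names (`upn`, `given_name`, `family_name`) are assumptions; verify the claim names against an actual ID token from your tenant, since `upn` is only issued when enabled as an optional claim in the app registration.

```python
"""Create Keycloak Attribute Importer mappers for an Azure/Entra ID OIDC IdP."""
import json
import sys
import urllib.request

# Hypothetical deployment values; replace with your own.
KEYCLOAK_URL = "https://keycloak.example.com"
REALM = "myrealm"
IDP_ALIAS = "azure"

# (mapper name, claim in the Entra token, Keycloak user attribute).
# "email", "firstName" and "lastName" are Keycloak's built-in profile fields,
# so the mapper fills the profile instead of creating a custom attribute,
# which is what stops the "update account information" prompt on first login.
CLAIM_MAP = [
    ("upn-to-email", "upn", "email"),                      # assumed claim
    ("given_name-to-firstName", "given_name", "firstName"),  # assumed claim
    ("family_name-to-lastName", "family_name", "lastName"),  # assumed claim
]


def build_mapper(name, claim, user_attribute, sync_mode="FORCE"):
    """Return the IdentityProviderMapperRepresentation for one Attribute Importer.

    syncMode FORCE re-applies the claim at every login, so a name or UPN
    change on the Entra side overwrites the stale value stored in Keycloak.
    """
    return {
        "name": name,
        "identityProviderAlias": IDP_ALIAS,
        "identityProviderMapper": "oidc-user-attribute-idp-mapper",
        "config": {"claim": claim, "user.attribute": user_attribute,
                   "syncMode": sync_mode},
    }


def build_all_mappers(claim_map=CLAIM_MAP):
    return [build_mapper(n, c, a) for n, c, a in claim_map]


def create_mappers(admin_token, mappers):
    """POST each mapper to the admin API and return the HTTP status codes."""
    url = (f"{KEYCLOAK_URL}/admin/realms/{REALM}/identity-provider/"
           f"instances/{IDP_ALIAS}/mappers")
    statuses = []
    for mapper in mappers:
        req = urllib.request.Request(
            url, data=json.dumps(mapper).encode(), method="POST",
            headers={"Authorization": f"Bearer {admin_token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            statuses.append(resp.status)  # 201 Created on success
    return statuses


if __name__ == "__main__":
    print(create_mappers(sys.argv[1], build_all_mappers()))  # arg: admin access token
```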