In my use case I have configured Microsoft as an identity provider (through OIDC).
What I am missing is that upon login, I would like assigned groups coming from Microsoft to be created within Keycloak. Group creation should respect original hierarchy.
I thought it was a quite common scenario but I can’t find any resource or thread about it.
Can someone point me in the right direction?
Thanks,
Carlo
When working with external IdPs, you can only map information provided in the IdP’s token to attributes/groups/roles in Keycloak. There’s no “sync” option like with user federation providers. OIDC does not know “groups” as an entity; it’s just a claim in the token. So you have to take care of mapping values from A (external) to B (Keycloak).
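To make the answer's point concrete, here is an added example (not code from the thread, nor Keycloak's own mapper implementation) of what a "map values from A to B" step has to do with the `groups` claim of an ID token. It assumes the external IdP sends group object identifiers (Microsoft Entra ID emits group object IDs in the `groups` claim by default) and that an administrator keeps an explicit table from those identifiers to Keycloak group paths; the table, the helper names and the sample token claims are all constructed here. It also handles Entra's "groups overage" case, where the token carries `_claim_names`/`_claim_sources` instead of the group list, and it reports unknown identifiers rather than creating groups for them, so membership stays under the administrator's control.

```python
"""Claim-to-group mapping for an external OIDC IdP (added example).

Assumptions (not from the thread): the ID token's `groups` claim is a list of
external group identifiers, and GROUP_MAP is an admin-maintained table from
those identifiers to Keycloak group paths. All sample values are constructed.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of the admin-maintained mapping: external id -> Keycloak path.
GROUP_MAP: Dict[str, str] = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "/engineering",
    "11111111-aaaa-4bbb-8ccc-000000000002": "/engineering/platform",
    "11111111-aaaa-4bbb-8ccc-000000000003": "/finance",
}

# Constructed sample ID token claims (only the parts relevant to group mapping).
SAMPLE_ID_TOKEN_CLAIMS: dict = {
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",  # placeholder tenant
    "sub": "example-subject",
    "groups": [
        "11111111-aaaa-4bbb-8ccc-000000000002",  # maps to /engineering/platform
        "11111111-aaaa-4bbb-8ccc-0000000000ff",  # deliberately unmapped
    ],
}


def expand_hierarchy(path: str) -> List[str]:
    """Return a Keycloak group path together with all of its ancestors, root first.

    '/engineering/platform' -> ['/engineering', '/engineering/platform']
    A user placed in a subgroup is implicitly a member of the parent groups,
    so the full chain has to exist on the Keycloak side.
    """
    parts = [p for p in path.split("/") if p]
    return ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def map_token_groups(
    claims: dict, group_map: Dict[str, str] = GROUP_MAP
) -> Tuple[List[str], List[str]]:
    """Translate the external `groups` claim into Keycloak group paths.

    Returns (mapped_paths, unmapped_ids). Identifiers missing from the table
    are reported, not auto-created: a group that nobody in Keycloak has
    reviewed should not silently become a membership.
    """
    # Entra ID overage: when a user has too many groups, the token omits the
    # list and points to the Graph API via _claim_names/_claim_sources instead.
    if "groups" in (claims.get("_claim_names") or {}):
        raise ValueError(
            "groups claim overage: group list not in token, fetch via the "
            "claim source before mapping"
        )
    raw = claims.get("groups", [])
    if not isinstance(raw, list):
        raise ValueError("groups claim must be a list of identifiers")

    mapped: Set[str] = set()
    unmapped: List[str] = []
    for gid in raw:
        path = group_map.get(gid)
        if path is None:
            unmapped.append(gid)
            continue
        mapped.update(expand_hierarchy(path))
    return sorted(mapped), unmapped


if __name__ == "__main__":
    paths, unknown = map_token_groups(SAMPLE_ID_TOKEN_CLAIMS)
    print("Keycloak groups to join:", paths)
    print("Unmapped external ids (review, do not auto-create):", unknown)
```

The explicit table is the "A to B" mapping the answer refers to: nothing in the token tells Keycloak what `/engineering/platform` is, so the hierarchy has to be declared on the Keycloak side and the mapper only resolves identifiers against it.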