I have Keycloak integrated with AzureAD as IdP via OIDC. When I login via AzureAD the ID used by Keycloak as unique ID from Azure (to uniquely identify ua AzureAD account) is the claim sub, which seems to be the standard for AzureAD.
The problem with the claim sub is that it is "generated on the fly" and it changes across the different applications in Azure and is not available anywhere in AzureAD. I have no way to know, in advance, what the unique ID will be for each of the users.
Upon their first login , their account is automatically created and the Identity Provider link is this **sub **value
This is not the value I want to use This is not the value I want to use
What do I need to do to force Keycloak to use the value of the field oid instead. oid is the unique User ID in AzureAD. This is a more reliable ID for me - and more importantly I can automate the provisioning of the account without having them to login once.
I have created mapping to force the value of the oid into the sub attribute. This is the value I want to use This is not the value I want to use
It seems to work within Keycloak, as I can the the parameter sub now has the value of he oid but is is too late, the account has already been created with the sub value as unique identifier for the IDP
I have tried to play with the mappers to force the value of oid into the sub, but it seems to be too late in the workflow. I have added "openid profile" in the scope to be sure to receive the oid claim. I know it is available as I can see it in the attribute I have mapped.
So my question is : is there a way in keycloak to change the value it used from the JWT as the Provider User ID
There is indeed a way to force Keycloak to use another field as the Provider User ID.
Word of warning You want to make sure that the value you are using is truly unique otherwise you open the risks of mixing account
Go to identity provider, select your IdP, and Select Mappers
You need to create a new mapping:
Name : whatever name you want to put to the Mapping Sync Mode Ovverride : inherits or force should work Mapper Type : Username Template Importer Template : ${CLAIM.oid} --> this is specifically for my case to use OID but can be replaced with any claim that is unique Target : BROKER_ID
see image: The configuration of the mapper
This mapper can be used to force the BROKER_NAME, or the local username in Keycloak.
My accounts are created directly with the OID as Provider User ID OID used as Broker ID
