Groups claim not getting added

[dheeraj-326]

Version: 24.0.4

We are doing SSO login using Azure Entra ID and we want the groups claim to be mapped to the KC token from Azure's id token.

On Azure side we have it configured it like this, as their documentation instructs:

On Keycloak side, we have:

1. IDP mapper defined as follows

2. A client scope defined which has this mapper in it

3. Client scope added to our public client

But despite all this, KC token does not contain the groups claim. I believe I am missing some "magic configuration" which will finally make the claim appear. Any help us highly appreciated.

[danielFesenmeyer]

Your IDP mapper looks a bit suspicious. In Keycloak 23, there is an additional config value "User Attribute Name", which is either not shown in your screenshot or somehow does not exist in your setup. ("User Attribute Name" should be "groups" in your case.)

Btw, have you to tried to login at Entra ID directly and checked that groups are actually contained in the token? Furthermore, there is an issue in case of many groups in Entra ID: If a user has many groups, only a shortened claim is returned, with a link to all groups.

Maybe you also like to have a look at this discourse discussion, which provides some more insights on this topic: https://keycloak.discourse.group/t/groups-from-azure-ad/4876/7

[dheeraj-326]

I checked the answer you had linked to. On step 5, it talks about specifically about mapping a particular groupId to a Keycloak Role. This is not what we want. We want any groups present to be added as a claim in our token and that to be handled by our application logic as it sees fit. Do you think that can be done?

[danielFesenmeyer]

We have actually added all groups to the token with Keycloak 23, but with a custom identity provider implementation. Afaik, it was also possible with the default OIDC provider implementation, we just extended it to read all groups, in case there are too many for a user.
Sadly, I can't see what's different in your configuration.

What about your logs, do you get any warnings there?

[dheeraj-326]

Nothing unusual in the logs. We also would like to add groups automatically as there are too many. Is your custom implementation open source?

[danielFesenmeyer]

We have planned to contribute that to Keycloak, but haven't got the resources to do it yet.
You could join the discussion of this (rejected) PR (and the associated issue), were this topic is further discussed: #26193

[dheeraj-326]

It looks like you didn't add the links of the first PR.