SAML client mapper for binary objectsid from MS-AD? #16300
guy-davis-hal asked this question in Q&A (unanswered)

Hi all.
I am trying to configure Keycloak as an IdP to AWS AppStream, which requires the objectsid from our MS-AD federation be passed through as a SAML attribute. When I create an LDAP Mapper for the binary objectsid, then a SAML client mapper, the attribute in the SAML response looks like: "AQUAAAAAAAUVAAAAizkQjca2XXmiFM9F3gUAAA=="; however, looking at the objectsid of the user in MS-AD, I see for example: "S-1-5-21-992878714-4041223874-2616370337-1001". AWS is saying they require the "S-1-5..." format in the SAML response from Keycloak.
Is there any way to configure Keycloak to pass through the "S-1-5-..." formatted form? I did find someone else with this question, but wasn't able to find an answer. Any tips on how to make this configuration?
Thanks much,
Guy

-
Hi there, I'm stuck with the same problem. Did you find a solution?

-
@guy-davis-hal @docholiday check this out: https://github.com/CarrettiPro/keycloak-msad-objectsid-mapper Didn't have a chance to test it with a real AD yet (emulated a binary attribute in OpenLDAP), so I would appreciate any feedback.
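The value Keycloak puts in the SAML attribute is the raw binary objectSid that AD stores, base64-encoded by the LDAP mapper; the "S-1-5-..." form is a textual rendering of that same structure (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities). The script below is an added example, not code from the thread or from the linked mapper project: it decodes a base64 objectSid into the string AWS expects, encodes the string form back, and validates lengths and ranges so a truncated or corrupted attribute fails loudly instead of producing a plausible-looking but wrong SID. The only input taken from the page is the base64 value quoted in the question; everything else is constructed.

```python
"""Convert a Windows SID between the binary form AD stores in objectSid
(base64-encoded by Keycloak's LDAP mapper) and the textual S-1-5-... form.

Binary layout (MS-DTYP, SID structure):
  byte 0      Revision (always 1)
  byte 1      SubAuthorityCount (0..15)
  bytes 2-7   IdentifierAuthority, 48-bit big-endian integer
  bytes 8..   SubAuthorityCount little-endian uint32 sub-authorities
"""
import base64
import struct

# The base64 attribute value quoted in the question above.
SAML_ATTRIBUTE_VALUE = "AQUAAAAAAAUVAAAAizkQjca2XXmiFM9F3gUAAA=="


def sid_bytes_to_string(raw: bytes) -> str:
    """Render a binary SID as S-<rev>-<authority>-<sub>-... with strict checks."""
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15:
        raise ValueError(f"SubAuthorityCount {count} exceeds 15")
    if len(raw) != 8 + 4 * count:
        # Catches truncated or padded attributes before they become a wrong SID.
        raise ValueError(f"expected {8 + 4 * count} bytes, got {len(raw)}")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; rejects out-of-range components."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError(f"SID out of range: {sid!r}")
    if any(not 0 <= s < 2**32 for s in subs):
        raise ValueError("sub-authority outside uint32 range")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def saml_value_to_sid(value: str) -> str:
    """Decode the base64 string Keycloak emits into the S-1-5-... form."""
    return sid_bytes_to_string(base64.b64decode(value, validate=True))


def sid_to_saml_value(sid: str) -> str:
    """Encode an S-1-5-... string the way the binary LDAP mapper would emit it."""
    return base64.b64encode(sid_string_to_bytes(sid)).decode("ascii")


if __name__ == "__main__":
    print(saml_value_to_sid(SAML_ATTRIBUTE_VALUE))
```

Run against the value quoted in the question, this prints S-1-5-21-2366650763-2036184774-1171199138-1502, which is not the S-1-5-21-992878714-... string quoted from AD, so the two values in the question came from different accounts. Decoding the attribute from an actual SAML response this way is a quick check that the right user's objectSid is being passed before spending time on a custom mapper; the linked mapper project is one place where the equivalent conversion would run inside Keycloak itself.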