Using Azure AD as an identity provider in Keycloak-based applications: how can I add missing user data to my client applications?

Question

Using Azure AD as an identity provider in Keycloak-based applications: how can I add missing user data to my client applications?

Meier Linus 20

Hello,

I'm currently using Azure AD as my identity provider and Keycloak as my intermediary/broker for my client applications. However, I need some user attributes (such as phone, email, picture, and officeLocation) that aren't provisioned from Azure to Keycloak by default.

I'm considering two options: fetching the additional data directly from the Graph API (which would require adding another system component and losing Keycloak autonomy), or adding the required claims to the access token and mapping them into the Keycloak database.

My question is, what's the best approach for accomplishing this? Is it possible to add custom claims to the access token and map them into the Keycloak database? Or is there a better way to get the additional user attributes from Azure AD?

Any advice or suggestions would be greatly appreciated. Thank you!

Accepted answer

1 additional answer

Your answer

Answer 1

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Moderator

Hello, the following claims are available from Azure AD:

phone: several options (facsimiletelephonenumber, mobilephone, telephonenumber) available using Customize claims issued in the JSON web token (JWT) for enterprise applications (Preview).
email: This value is included by default if the user is a guest in the tenant. For managed users (the users inside the tenant), it must be requested through this optional claim or, on v2.0 only, with the OpenID scope.
picture: payload is not available as a claim mostly due size constraints or concerns. This will require an additional system as you already find out. You can obtain the specific MS Graph image endpoint (picture attribute, intended to be accessed only by the authenticated user) querying the OIDC UserInfo endpoint.
officeLocation: this claim is available using Customize claims issued in the JSON web token (JWT) for enterprise applications (Preview).

Regarding Keycloack configuration, take a look to OIDC token and SAML assertion mappings.

Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.

Meier Linus 20 Reputation points

2023-03-15T09:11:01.55+00:00

Thank you for your answer. I tried to look into Customize claims issued in the JSON web token (JWT) for enterprise applications (Preview) but I noticed that in my Azure portal under Enterprise Applications > Single sign-on the Attribute & Claims card is missing.

Is there an additional step or a precondition that causes the missing Attribute & Claims option?
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-03-15T16:03:56.2366667+00:00

Please attach a screenshot of what you see.
Meier Linus 20 Reputation points

2023-03-16T09:25:56.56+00:00
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-03-16T13:34:19.8166667+00:00

Hello. Please ensure the user attempting to configure the enterprise application is one of its owners or is has the application administrator role assigned.
Meier Linus 20 Reputation points

2023-03-16T18:34:43.85+00:00

that is confirmed. the user that is logged in is the owner of the application. However, the application was originally created not as enterprise application but as a 'normal' Azure AD application. Could this be the issue? Thanks for your onoing help.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-03-16T23:22:46.0766667+00:00

An Azure AD app registration refers to an application object. An Azure AD enterprise application referes to a service principal object. Althought related, both are different objects with different owners. Ensure the user is owner of the former. All "normal" Azure AD applications should have an enterprise application that backs them up (for AuthN and AuthZ purposes) so that's not the issue. If the owner has been set in the enterprise application and the issue persist, try creating a new Azure AD app registration.
Meier Linus 20 Reputation points

2023-03-17T08:34:06.2133333+00:00

thank you. Although I was owner in the registered app, I was not the owner of the enterprise application. Getting added as owner there resolved the problem of missing the Attribute&Claims Card. Thank you very much!
Meier Linus 20 Reputation points

2023-03-17T08:43:47.62+00:00

Sorry, one more thing: I dont know why the button "add new claim" is disabled?
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-03-17T13:15:26.86+00:00

Apologies for that. Optional and group policies are available for owners, but not add new claims. You need a user with an admin role such as Cloud Application Administrator or a custom one with microsoft.directory/applicationPolicies/* permissions. We will update our documentation to reflect those conditions.
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-03-20T07:38:29.0533333+00:00

@Meier Linus Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Meier Linus 20 Reputation points

2023-03-20T08:16:03.2866667+00:00

Thanks for checking back in. Not entirely, the problem still prevails.

Is there a way around using a global admin (that is not possible for me unfortunately). Can admin consent on the registered app or a lower tier admin-role also have the desired effect of allowing my user to create a new claim?
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-03-21T13:49:24+00:00

Hello, apologies for my latets comment. You can add claims using lesser admin roles such Cloud Application Administrator. I've updated the former. Let me know if you need something else.
Bony 0 Reputation points

2024-05-28T15:06:51.34+00:00

I have the same problem with adding attributes to the keycloak access token. On my side, I have added new attributes such as job title, department... but I don't see them in the keycloak access token after user authentication.
Please can someone help me

Answer 2

JimmySalian-2011 42,496

Hi meier,

I will suggest you to check this additional claims article and whether it fits your requirements, https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims. Also do you have tie up with Keycloak as a support? I wil suggest you raise a support case with Keycloak to understand if any other clients has implemented this requirement.

Hope this helps.

JS

==

Please Accept the answer if the information helped you. This will help us and others in the community as well.

Meier Linus 20 Reputation points

2023-03-14T12:09:55.9966667+00:00

Thank you for your response. I appreciate your efforts in trying to help me. However, the article you suggested did not provide me with the necessary information I need. I require specific claims that were not mentioned in the article's additional claims list, so I'm still unsure whether it's possible to add them freely or if I'm restricted to the claims listed in that article.

Furthermore, my question is largely related to Azure AD, and Keycloak can in principle be replaced with any other identity broker. Therefore, I believe this community is the appropriate place to ask this question.

Share via

Using Azure AD as an identity provider in Keycloak-based applications: how can I add missing user data to my client applications?

1 additional answer

Your answer