Captain-P-Goldfish / scim-for-keycloak

a third party module that extends keycloak by SCIM functionality
BSD 3-Clause "New" or "Revised" License

Syncing group members from AAD #13

Closed Tristanden closed 3 years ago

Tristanden commented 3 years ago

First, thanks for this amazing job. I am currently trying to sync users & groups from Azure AD, but the group membership link is not captured. It seems that your code expects a member type to be set by the SCIM client to know if this is a group membership or a user membership. As far as I can see, this member type is not set by AAD.

As it seems that your extension supports syncing from AAD to keycloak, would you know if this is a limitation of the code or if this requires a specific configuration on the AAD side?

Thanks a lot

Captain-P-Goldfish commented 3 years ago

I wouldn't know how to reliably fix this. The members attribute of the "Groups" resource is also defined in RFC7643 as an arbitrary attribute that might refer to groups or users. If the type is missing there is no reliable way to distinguish which resource should be linked. Unfortunately I have no idea how to handle this in Azure AD. But maybe a short look into the wiki might help. Another user provided a short manual for usage with Azure AD. Maybe this helps? https://github.com/Captain-P-Goldfish/scim-for-keycloak/wiki/Use-with-Microsoft-Azure-AD

Tristanden commented 3 years ago

Hi Pascal, thanks for your response. I am currently implementing a workaround for this. Instead of returning the raw internal id to the SCIM client, keycloak uses the prefix "u-" or "g-" to encode the type of each object (user vs group) inside the id itself. This solves the issue of determining object types when sub-groups and users are mixed in the group's members attribute. Would you be interested in merging this into your code? Do you see some potential issues with this approach?

Thanks

Captain-P-Goldfish commented 3 years ago

Sorry, I had somehow forgotten about this issue... But as I mentioned in the other issue, I cannot add this approach since I know at least one case where this would break things. Alternatively, it is now possible to use the $ref attribute. Unfortunately, I am afraid I cannot give any more support in this case.
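An illustration of the ambiguity discussed in this thread, added here as an example and not part of scim-for-keycloak's own code: it classifies each entry of a SCIM Group's members attribute by the optional "type" first, then by the resource path in "$ref" (the alternative mentioned in the last reply), and marks anything else as unresolved instead of guessing. The Group JSON and its ids are constructed.

```python
import json
from urllib.parse import urlparse

# Constructed sample Group (RFC 7643 section 4.2). One member carries "type",
# one carries only "$ref", and one carries only "value", as a client that
# omits the type (the AAD case from the thread) would send it.
SAMPLE_GROUP = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "id": "grp-engineering",
  "displayName": "Engineering",
  "members": [
    {"value": "2819c223", "type": "User"},
    {"value": "e9e30dba", "$ref": "https://idp.example.com/scim/v2/Groups/e9e30dba"},
    {"value": "ff1234ab"}
  ]
}
""")


def classify_member(member: dict) -> str:
    """Return 'User', 'Group' or 'Unknown' for one members entry.

    Precedence: explicit "type" (RFC 7643 allows "User" or "Group"), then the
    resource collection named in the "$ref" path (/Users/<id> or /Groups/<id>).
    Without either there is no reliable signal, so the entry is left Unknown
    rather than silently linked as a user.
    """
    mtype = member.get("type")
    if mtype in ("User", "Group"):
        return mtype
    ref = member.get("$ref")
    if ref:
        segments = urlparse(ref).path.rstrip("/").split("/")
        # e.g. ["", "scim", "v2", "Groups", "e9e30dba"]: collection is second to last
        if len(segments) >= 2 and segments[-2] in ("Users", "Groups"):
            return "User" if segments[-2] == "Users" else "Group"
    return "Unknown"


def resolve_members(group: dict) -> dict:
    """Partition a Group's members into user ids, sub-group ids and unresolved ids."""
    result = {"User": [], "Group": [], "Unknown": []}
    for member in group.get("members", []):
        result[classify_member(member)].append(member["value"])
    return result


if __name__ == "__main__":
    print(json.dumps(resolve_members(SAMPLE_GROUP), indent=2))
```

A sync job can then link the User and Group buckets and log the Unknown bucket for the operator instead of dropping the membership quietly.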