Hello
We use User Federation for LDAP (MS Active Directory) and would like to expose group identifiers (in addition to group names) in the token.
The reason for wanting to expose group IDs is so that application can be aware of group renames.
Ultimately I wanted to have a groups (or some other) claim that would be an array of "group_id-group_name" entries, but that seems to require a custom mapper...
I was able to expose IDs, but in a separate claim, using the following approach:
- use an LDAP mapper of type group-ldap-mapper and then specify: "Mapped Group Attributes" = "objectGUID" (this is the unique identifier in Active Directory)
- at the client level, use User Attribute mapper to expose multivalued claim to get "objectGUID" in the token as array
This causes the token to have something like:
"groups": [ "groupA", "groupB"],
"group_ids": [ "kKefGHS5OEaLYAEwfAOsSA==", "lTefEBS5OEaLGGGwfAOsSA=="]
The issues with this approach:
- the names and ids are in separate arrays, and I can't tell if they are always "aligned" (each group name at index X has its group id in the other array at the same index X)
- the group IDs being represented are not the same as the octet string values in Active Directory - Keycloak seems to have encoded them somehow, but these values do not appear to be Base64 encoded...
Other than custom token mapper, is there any other way to achieve this?
Thanks
Z
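A check worth running on such a token, added here as an example that is not part of the question or of Keycloak itself: try to decode each group_ids value as Base64 and, if it yields exactly 16 bytes, render it as the GUID string Active Directory displays (the first three fields are stored little-endian), then pair it with the group name at the same index. The two claim values are the ones quoted in the question; the surrounding token fragment and the group names are constructed.

```python
import base64
import binascii
import json
import uuid

# Constructed token payload fragment using the claim shape shown in the question.
TOKEN_CLAIMS = json.loads("""{
  "groups": ["groupA", "groupB"],
  "group_ids": ["kKefGHS5OEaLYAEwfAOsSA==", "lTefEBS5OEaLGGGwfAOsSA=="]
}""")


def decode_object_guid(value: str):
    """Return the GUID string for one group_ids value, or None.

    Active Directory's objectGUID is a 16-byte octet string whose textual form
    stores the first three fields little-endian; uuid.UUID(bytes_le=...) applies
    that layout. Anything that is not Base64 for exactly 16 bytes is rejected.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) != 16:
        return None
    return str(uuid.UUID(bytes_le=raw))


def pair_groups(claims: dict) -> list:
    """Zip the groups and group_ids claims into (name, guid) pairs.

    Raises ValueError when the arrays differ in length (the one misalignment
    detectable from the token alone) or when a value is not a 16-byte GUID.
    """
    names = claims.get("groups", [])
    ids = claims.get("group_ids", [])
    if len(names) != len(ids):
        raise ValueError(f"groups has {len(names)} entries, group_ids has {len(ids)}")
    pairs = []
    for name, encoded in zip(names, ids):
        guid = decode_object_guid(encoded)
        if guid is None:
            raise ValueError(f"group_ids value for {name!r} is not a 16-byte objectGUID")
        pairs.append((name, guid))
    return pairs


if __name__ == "__main__":
    for name, guid in pair_groups(TOKEN_CLAIMS):
        print(f"{guid}  {name}")
```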