Hi,
I have implemented SAML as an Identity Provider, and Active Directory on User Federation.
My goal is this:
1 - A user authenticates via SAML
2 - The user is created automatically
3 - A random password is generated, so that the user is unlocked in Active Directory
4 - The user account in AD is unlocked.
What I accomplished so far:
By setting up userPassword and pwdLastSet mappers for the ldap provider, I manage to create an "enableable" account on the console. When I create a new user, it is by default disabled (probably because of the msad-user-account-control mapper), but clicking on "enable" does enable the account on AD. My goal was that the user would be enabled by default, but it isn't.
But the situation is even worse when the user creation happens via the client:
When the user logs in via SAML, the user is indeed created in the AD, but neither the userPassword nor the pwdLastSet has a value, which means that the update password required option for the user in the console does not go away. I don't know why the ldap mappers do not work when this user comes from a SAML authentication.
But either way, what could I do to accomplish the above-mentioned goals - that is - when a user logs in for the first time via SAML, I want it to be created in the AD and enabled right away.
It would be nice if the ldap provider could send a subsequent query to, for example, update the userAccountControl attribute.
Best,
Francis
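Added example (not code from the post or from Keycloak): the AD attributes that the msad-user-account-control mapper reads are userAccountControl and pwdLastSet, and the "disabled" and "update password required" states seen in the console follow from their bit values. The helper below models that interpretation and the attribute values an LDAP modify would have to write to end up with an enabled normal account; the entry dict and the `interpret`/`enable_modification` names are hypothetical, and actual enabling still requires a policy-compliant password to have been set first, which is what the random-password step above provides.

```python
from dataclasses import dataclass

# Well-known userAccountControl flag bits (Active Directory).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
PASSWORD_EXPIRED = 0x800000
# 546 = NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD is what AD assigns to a
# user object created over LDAP without a password, i.e. the SAML-created user.
DEFAULT_NEW_USER_UAC = NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD


@dataclass(frozen=True)
class AccountState:
    enabled: bool
    must_change_password: bool   # maps to Keycloak's "Update Password" required action
    password_not_required: bool


def interpret(entry: dict) -> AccountState:
    """entry: raw string attribute values as returned by an LDAP search (constructed
    input in the tests). A missing attribute is treated as never written (value 0)."""
    uac = int(entry.get("userAccountControl", "0"))
    pwd_last_set = int(entry.get("pwdLastSet", "0"))
    return AccountState(
        enabled=not (uac & ACCOUNTDISABLE),
        # pwdLastSet == 0 means "must change password at next logon"; an expired
        # password (PASSWORD_EXPIRED) leads to the same required action.
        must_change_password=(pwd_last_set == 0) or bool(uac & PASSWORD_EXPIRED),
        password_not_required=bool(uac & PASSWD_NOTREQD),
    )


def enable_modification(current_uac: int) -> dict:
    """Attribute values a follow-up LDAP modify would write to turn the account into
    an enabled normal account whose password is not flagged as expired.
    AD rejects clearing ACCOUNTDISABLE unless a password satisfying the domain
    policy has already been set (over LDAPS); pwdLastSet = -1 stamps the current
    time so the user is not forced to change the password at next logon."""
    new_uac = (current_uac | NORMAL_ACCOUNT) & ~(ACCOUNTDISABLE | PASSWD_NOTREQD | PASSWORD_EXPIRED)
    return {"userAccountControl": [str(new_uac)], "pwdLastSet": ["-1"]}


if __name__ == "__main__":
    # Constructed entry mirroring a user created through the SAML login: no pwdLastSet written yet.
    print(interpret({"userAccountControl": str(DEFAULT_NEW_USER_UAC)}))
    print(enable_modification(DEFAULT_NEW_USER_UAC))
```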