How to Properly Retrieve and Assign objectGUID from Active Directory During Reconciliation?

Hi everyone,
I’m working on a reconciliation script in OpenIAM to pull user data from Active Directory. Specifically, I want to retrieve the objectGUID of each user and store it in OpenIAM.

My goal is to convert the objectGUID to a Base64-encoded string and use it as the onPremisesImmutableId in Microsoft Entra. This is required for enabling SSO via Entra, where the GUID serves as a unique, immutable identifier for federated users.

Are there any best practices for ensuring the GUID remains consistent across syncs and is usable by Entra for SSO?

Thanks in advance for any guidance or examples.

Aaron

Hi Aaron

The AD Connector sync operation returns the objectGUID as a string (e.g., aaf42350-eb80-469f-b2a3-ae1544448466). It’s generally stored as a string. If you want to store this attribute in OpenIAM in Base64 format, you’ll need to modify the transformation script to convert the string to the Base64 representation of the objectGUID attribute.

Best regards,
Dmytro


Hi Dmytro,

Can you provide a sample script and outline the steps required to retrieve the objectGUID from Active Directory, convert it to a Base64-encoded string, and store it in OpenIAM for use as the onPremisesImmutableId in Microsoft Entra? Also, are there best practices to ensure the GUID remains consistent across syncs and is reliably used for SSO?

Best regards,
Aaron
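Added example (not code from OpenIAM or from either poster) of the conversion Dmytro describes and Aaron asks for: the Base64 value Entra expects for onPremisesImmutableId is computed over the 16 bytes of the objectGUID in the order AD and .NET's Guid.ToByteArray() use (first three groups little-endian), not over the dashed text. It is written in Python so it can be run directly; the same byte-order logic is what a Groovy transformation script would need to apply. The GUID is the sample quoted in the thread; the stored-id consistency check is an assumed sync-time safeguard, not an OpenIAM API.

```python
import base64
import uuid


def guid_to_immutable_id(object_guid) -> str:
    """Base64 of the objectGUID bytes, as Entra's onPremisesImmutableId expects.

    Accepts the dashed string the AD connector returns or the raw 16 bytes
    of the attribute. The bytes are taken in AD/.NET order (bytes_le), the
    same order Guid.ToByteArray() produces.
    """
    if isinstance(object_guid, (bytes, bytearray)):
        if len(object_guid) != 16:
            raise ValueError("objectGUID must be exactly 16 bytes")
        raw = bytes(object_guid)
    else:
        raw = uuid.UUID(str(object_guid)).bytes_le
    return base64.b64encode(raw).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> str:
    """Decode an onPremisesImmutableId back to the dashed objectGUID string."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("immutable id does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def is_consistent(object_guid, stored_immutable_id: str) -> bool:
    """Sync-time check (assumed, not an OpenIAM call): does the id already
    stored for a user still match the objectGUID the connector returned?
    False means the stored value was built differently (over the text, or
    with the wrong byte order) or the AD object was re-created."""
    try:
        expected = immutable_id_to_guid(guid_to_immutable_id(object_guid))
        return immutable_id_to_guid(stored_immutable_id) == expected
    except ValueError:
        return False


if __name__ == "__main__":
    sample = "aaf42350-eb80-469f-b2a3-ae1544448466"  # GUID quoted in the thread
    iid = guid_to_immutable_id(sample)
    print(sample, "->", iid)
    print("round trip:", immutable_id_to_guid(iid))
    # Base64 of the printable text is a different value and must not be stored.
    print("text base64 (wrong):", base64.b64encode(sample.encode()).decode())
```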