OIDC field Sub in ID Token does not match Sub in UserInfo on RH-SSO with Active Directory User Federation

Solution Unverified - Updated -


  • The "sub" in the token doesn't match the value in the userinfo result.
  • Map ObjectGUID to sub


  • Red Hat Single Sign-On (RH-SSO) 7.3
  • Microsoft Active Directory Lightweight Directory Service (AD LDS)
  • "sub" overridden via client mapper
  • OpenID Connect Authentication
  • Accessing /auth/realms/{realm}/protocol/openid-connect/userinfo
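
OpenID Connect Core (section 5.3.2) requires a relying party to verify that the "sub" in the UserInfo response exactly matches the "sub" in the ID Token and to discard the response otherwise, which is how the mismatch described above surfaces on the client side. The following is an added example, not taken from this solution or from RH-SSO; the function names and sample values are constructed, and it assumes the ID Token signature, issuer, audience and expiry were already validated by the client's OIDC library.

```python
import base64
import json


class SubMismatch(Exception):
    """UserInfo 'sub' differs from the ID Token 'sub'; do not use the response."""


def jwt_claims(compact_jwt: str) -> dict:
    """Decode the payload of a compact JWS without verifying it.

    Assumption: signature and standard claims were validated beforehand.
    """
    parts = compact_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def check_userinfo_sub(id_token: str, userinfo: dict) -> str:
    """Return the subject if both documents agree, else raise SubMismatch."""
    token_sub = jwt_claims(id_token).get("sub")
    info_sub = userinfo.get("sub")
    if not isinstance(token_sub, str) or not isinstance(info_sub, str):
        raise SubMismatch("'sub' missing or not a string in one of the documents")
    if token_sub != info_sub:  # exact, case-sensitive comparison
        raise SubMismatch(f"id_token sub={token_sub!r} userinfo sub={info_sub!r}")
    return token_sub


def make_sample_id_token(claims: dict) -> str:
    """Build an unsigned token for demonstration (constructed sample only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample: the two documents carry different subject values.
SAMPLE_ID_TOKEN = make_sample_id_token({"sub": "value-a", "aud": "demo-client"})
SAMPLE_USERINFO = {"sub": "value-b", "preferred_username": "jdoe"}
```
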
