[keycloak-user] Mapping provider user ID to user attribute

Simon Payne simonpayne58 at gmail.com
Thu Oct 26 08:57:20 EDT 2017 

I ran your example and was able to add sub as an attribute on the user this
way

1 - make sure you have the userinfo endpoint configured on identity provider
2 - and an attribute importer configured on your identity provider.  my
mapper linked claim= sub to user attribute name = sub.

I deleted the user several times to test so not 100% sure that it isnt
linked to first broker login - but you should get some results.

I don't know whether you've tried this already, but if you add the
following to your standalone.xml it will log the user profile json to the
server.log.  This is useful for debugging mappers etc.

 <logger category="org.keycloak.social.user_profile_dump">
                <level name="DEBUG"/>
 </logger>


Simon.




On Thu, Oct 26, 2017 at 12:31 PM, Ruh, Garret <garret.ruh at optum.com> wrote:

> It’s that first step (mapping the provider user ID to an attribute) we’re
> having trouble with. We’ve successfully got a mapper set up to put the
> attribute into the access token.
>
> On 10/25/17, 10:05 AM, "keycloak-user-bounces at lists.jboss.org on behalf
> of Simon Payne" <keycloak-user-bounces at lists.jboss.org on behalf of
> simonpayne58 at gmail.com> wrote:
>
>     Hi, i've been looking at similar recently.  It is possible.
>
>     if you have achieved to the point where you can see the value from the
>     identity provider token as an attribute in the broker user, then the
> last
>     step is to add a mapper on the client to add this attribute as a claim.
>
>     Regards,
>
>     Simon.
>
>
>
>     On Wed, Oct 25, 2017 at 1:19 PM, Ruh, Garret <garret.ruh at optum.com>
> wrote:
>
>     > Following up here, we’re still running into this issue. Without the
>     > ability to map IDP identifiers to user attributes (and then inject
> that
>     > attribute into the access token), migrating from single-IDP auth to
>     > Keycloak-brokered auth becomes fairly difficult, as existing data
> stores
>     > still use the original IDP’s identifier.
>     >
>     > Any thoughts or pointers to relevant documentation are much
> appreciated.
>     >
>     >
>     > Garret Ruh
>     >
>     > On 10/17/17, 6:25 PM, "keycloak-user-bounces at lists.jboss.org on
> behalf of
>     > Ruh, Garret" <keycloak-user-bounces at lists.jboss.org on behalf of
>     > garret.ruh at optum.com> wrote:
>     >
>     >     Context: Using Keycloak as an OpenID Connect identity broker, and
>     > onboarding an IDP.
>     >
>     >     Is it possible to map a provider user ID (from an OpenID Connect
>     > identity provider – so the value in the sub claim) to a user
> attribute?
>     > Have attempted using an "Attribute Importer" mapper w/ claim "sub"
> to no
>     > avail. End goal is to include that attribute (if it exists) in
> generated
>     > access tokens so that applications can still reference the provider
> user ID
>     > during a transitional period.
>     >
>     >     Seems like it’d be a pretty common use case, so apologies if
> this has
>     > been asked and answered before. Could be missing the applicable
> search
>     > term(s).
>     >
>     >
>     >     Regards,
>     >     Garret Ruh
>     >
>     >     This e-mail, including attachments, may include confidential
> and/or
>     >     proprietary information, and may be used only by the person or
> entity
>     >     to which it is addressed. If the reader of this e-mail is not the
>     > intended
>     >     recipient or his or her authorized agent, the reader is hereby
> notified
>     >     that any dissemination, distribution or copying of this e-mail is
>     >     prohibited. If you have received this e-mail in error, please
> notify
>     > the
>     >     sender by replying to this message and delete this e-mail
> immediately.
>     >     _______________________________________________
>     >     keycloak-user mailing list
>     >     keycloak-user at lists.jboss.org
>     >     https://lists.jboss.org/mailman/listinfo/keycloak-user
>     >
>     >
>     > This e-mail, including attachments, may include confidential and/or
>     > proprietary information, and may be used only by the person or entity
>     > to which it is addressed. If the reader of this e-mail is not the
> intended
>     > recipient or his or her authorized agent, the reader is hereby
> notified
>     > that any dissemination, distribution or copying of this e-mail is
>     > prohibited. If you have received this e-mail in error, please notify
> the
>     > sender by replying to this message and delete this e-mail
> immediately.
>     >
>     > _______________________________________________
>     > keycloak-user mailing list
>     > keycloak-user at lists.jboss.org
>     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> This e-mail, including attachments, may include confidential and/or
> proprietary information, and may be used only by the person or entity
> to which it is addressed. If the reader of this e-mail is not the intended
> recipient or his or her authorized agent, the reader is hereby notified
> that any dissemination, distribution or copying of this e-mail is
> prohibited. If you have received this e-mail in error, please notify the
> sender by replying to this message and delete this e-mail immediately.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

More information about the keycloak-user mailing list