It’s that first step (mapping the provider user ID to an attribute) we’re having trouble
with. We’ve successfully got a mapper set up to put the attribute into the access token.
On 10/25/17, 10:05 AM, "keycloak-user-bounces(a)lists.jboss.org on behalf of Simon
Payne" <keycloak-user-bounces(a)lists.jboss.org on behalf of
simonpayne58(a)gmail.com> wrote:
Hi, I've been looking at similar recently. It is possible.
If you have got to the point where you can see the value from the
identity provider token as an attribute in the broker user, then the last
step is to add a mapper on the client to add this attribute as a claim.
Regards,
Simon.
On Wed, Oct 25, 2017 at 1:19 PM, Ruh, Garret <garret.ruh(a)optum.com> wrote:
Following up here, we’re still running into this issue. Without the
ability to map IDP identifiers to user attributes (and then inject that
attribute into the access token), migrating from single-IDP auth to
Keycloak-brokered auth becomes fairly difficult, as existing data stores
still use the original IDP’s identifier.
Any thoughts or pointers to relevant documentation are much appreciated.
Garret Ruh
On 10/17/17, 6:25 PM, "keycloak-user-bounces(a)lists.jboss.org on behalf of
Ruh, Garret" <keycloak-user-bounces(a)lists.jboss.org on behalf of
garret.ruh(a)optum.com> wrote:
Context: Using Keycloak as an OpenID Connect identity broker, and
onboarding an IDP.
Is it possible to map a provider user ID (from an OpenID Connect
identity provider – so the value in the sub claim) to a user attribute?
Have attempted using an "Attribute Importer" mapper w/ claim "sub" to no
avail. End goal is to include that attribute (if it exists) in generated
access tokens so that applications can still reference the provider user ID
during a transitional period.
Seems like it’d be a pretty common use case, so apologies if this has
been asked and answered before. Could be missing the applicable search
term(s).
Regards,
Garret Ruh
This e-mail, including attachments, may include confidential and/or
proprietary information, and may be used only by the person or entity
to which it is addressed. If the reader of this e-mail is not the intended
recipient or his or her authorized agent, the reader is hereby notified
that any dissemination, distribution or copying of this e-mail is
prohibited. If you have received this e-mail in error, please notify the
sender by replying to this message and delete this e-mail immediately.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
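The two-step setup the thread describes (an Attribute Importer on the identity provider copying the provider's `sub` claim into a user attribute, then a User Attribute protocol mapper on the client exposing that attribute as an access-token claim), written out as Keycloak admin REST API calls. This is an added example, not code from the thread or the Keycloak project; the realm, IDP alias, client UUID, attribute name and admin token are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example: the two mappers behind the thread's setup, via the Keycloak admin REST API.
# Assumed placeholders: realm, IDP alias, client UUID, attribute name, admin bearer token.
set -eu

KC_URL="${KC_URL:-http://localhost:8080/auth}"   # 2017-era Keycloak served under /auth; Keycloak 17+ drops it
REALM="${REALM:-example-realm}"
IDP_ALIAS="${IDP_ALIAS:-legacy-oidc}"
CLIENT_UUID="${CLIENT_UUID:-00000000-0000-0000-0000-000000000000}"  # internal client id, not the clientId
ATTR="${ATTR:-legacy_idp_sub}"

# Step 1: identity-provider mapper ("Attribute Importer") copying the provider's "sub"
# claim into the brokered user's attribute $1. Historically this only ran on the user's
# first login; syncMode=FORCE (Keycloak 9+) re-applies it on every login so users linked
# before the mapper existed also get the attribute. Older versions ignore the key.
idp_mapper_json() {
  local attr="$1" alias="$2"
  printf '{"name":"import-%s","identityProviderAlias":"%s","identityProviderMapper":"oidc-user-attribute-idp-mapper","config":{"claim":"sub","user.attribute":"%s","syncMode":"FORCE"}}' \
    "$attr" "$alias" "$attr"
}

# Step 2: client protocol mapper ("User Attribute") exposing that attribute as a claim.
# Restricted to the access token so only the resource servers that need the legacy
# identifier see it; it stays out of the ID token and userinfo response.
client_mapper_json() {
  local attr="$1"
  printf '{"name":"claim-%s","protocol":"openid-connect","protocolMapper":"oidc-usermodel-attribute-mapper","config":{"user.attribute":"%s","claim.name":"%s","jsonType.label":"String","access.token.claim":"true","id.token.claim":"false","userinfo.token.claim":"false"}}' \
    "$attr" "$attr" "$attr"
}

# Creates both mappers; $1 is an admin access token obtained separately (not shown).
apply_mappers() {
  local token="$1"
  curl -fsS -X POST "$KC_URL/admin/realms/$REALM/identity-provider/instances/$IDP_ALIAS/mappers" \
    -H "Authorization: Bearer $token" -H 'Content-Type: application/json' \
    -d "$(idp_mapper_json "$ATTR" "$IDP_ALIAS")"
  curl -fsS -X POST "$KC_URL/admin/realms/$REALM/clients/$CLIENT_UUID/protocol-mappers/models" \
    -H "Authorization: Bearer $token" -H 'Content-Type: application/json' \
    -d "$(client_mapper_json "$ATTR")"
}

# Usage: apply_mappers "$ADMIN_TOKEN"
```

After a fresh login through the broker, decode the access token and confirm the claim named after `ATTR` carries the provider's `sub` value.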