[keycloak-user] Mapping provider user ID to user attribute

Ruh, Garret garret.ruh at optum.com
Wed Oct 25 08:19:03 EDT 2017


Following up here, we’re still running into this issue. Without the ability to map IDP identifiers to user attributes (and then inject that attribute into the access token), migrating from single-IDP auth to Keycloak-brokered auth becomes fairly difficult, as existing data stores still use the original IDP’s identifier.

Any thoughts or pointers to relevant documentation are much appreciated.


Garret Ruh

On 10/17/17, 6:25 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Ruh, Garret" <keycloak-user-bounces at lists.jboss.org on behalf of garret.ruh at optum.com> wrote:

    Context: Using Keycloak as an OpenID Connect identity broker, and onboarding an IDP.
    
    Is it possible to map a provider user ID (from an OpenID Connect identity provider – so the value in the sub claim) to a user attribute? I have attempted using an "Attribute Importer" mapper with claim "sub" to no avail. End goal is to include that attribute (if it exists) in generated access tokens so that applications can still reference the provider user ID during a transitional period.
    
    Seems like it’d be a pretty common use case, so apologies if this has been asked and answered before. Could be missing the applicable search term(s).
    
    
    Regards,
    Garret Ruh
    
    This e-mail, including attachments, may include confidential and/or
    proprietary information, and may be used only by the person or entity
    to which it is addressed. If the reader of this e-mail is not the intended
    recipient or his or her authorized agent, the reader is hereby notified
    that any dissemination, distribution or copying of this e-mail is
    prohibited. If you have received this e-mail in error, please notify the
    sender by replying to this message and delete this e-mail immediately.
    _______________________________________________
    keycloak-user mailing list
    keycloak-user at lists.jboss.org
    https://lists.jboss.org/mailman/listinfo/keycloak-user


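The two pieces of configuration the question asks about, written out as Admin REST API payloads with a small stdlib-only Python client. This is an added example, not code from the thread or from the Keycloak project. It uses an identity-provider mapper of type `oidc-user-attribute-idp-mapper` (the "Attribute Importer" in the admin console) to copy the broker's `sub` claim into a user attribute, and a client protocol mapper of type `oidc-usermodel-attribute-mapper` ("User Attribute") to emit that attribute as a claim in the access token. The realm name, IdP alias, attribute and claim names, URL and sample token are constructed placeholders. The `syncMode` config key is an assumption about newer Keycloak releases than the one in the thread (it did not exist in 2017): without it, or with the default, importer mappers only populate the attribute when the brokered user is first created, so users linked before the mapper was added will not get the attribute until it is re-applied.

```python
"""Carry an OIDC identity provider's `sub` into a Keycloak user attribute and
then into access tokens, via the Admin REST API.

Added example; not from the original thread or the Keycloak project.
All names and URLs below are constructed placeholders.
"""
import base64
import json
import urllib.request
from typing import Optional

# Constructed placeholders (assumptions, not values from the thread).
BASE_URL = "https://keycloak.example.invalid/auth"  # older servers serve under /auth
REALM = "example-realm"
IDP_ALIAS = "legacy-idp"         # alias of the brokered OpenID Connect provider
ATTRIBUTE = "legacy_idp_sub"     # user attribute that receives the provider's sub
CLAIM_NAME = "legacy_idp_sub"    # claim name emitted in the access token


def idp_sub_to_attribute_mapper(alias: str, attribute: str,
                                sync_mode: Optional[str] = None) -> dict:
    """IdentityProviderMapperRepresentation for an 'Attribute Importer' mapper.

    oidc-user-attribute-idp-mapper copies the named claim from the provider's
    tokens into the given user attribute. `syncMode` (INHERIT/IMPORT/LEGACY/
    FORCE) is assumed to exist only on newer Keycloak versions; FORCE re-applies
    the mapper on every login instead of only at first broker login.
    """
    config = {"claim": "sub", "user.attribute": attribute}
    if sync_mode is not None:
        config["syncMode"] = sync_mode
    return {
        "name": f"{alias}-sub-to-{attribute}",
        "identityProviderAlias": alias,
        "identityProviderMapper": "oidc-user-attribute-idp-mapper",
        "config": config,
    }


def attribute_to_claim_protocol_mapper(attribute: str, claim_name: str) -> dict:
    """ProtocolMapperRepresentation for a 'User Attribute' protocol mapper.

    oidc-usermodel-attribute-mapper reads the user attribute and writes it as a
    claim. A user without the attribute simply gets no such claim, which gives
    the "if it exists" behaviour the question asks for.
    """
    return {
        "name": f"{attribute}-to-{claim_name}",
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-attribute-mapper",
        "config": {
            "user.attribute": attribute,
            "claim.name": claim_name,
            "jsonType.label": "String",
            "access.token.claim": "true",
            "id.token.claim": "false",
            "userinfo.token.claim": "false",
        },
    }


def admin_post(base_url: str, admin_token: str, path: str, payload: dict) -> int:
    """POST a representation to /admin/realms/<path>; returns the HTTP status (201)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{path}",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


def decode_payload(jwt: str) -> dict:
    """Return the claims of a compact JWT for a configuration check only.

    This does not verify the signature; resource servers must verify it before
    trusting any claim, including the migrated identifier.
    """
    seg = jwt.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token (not a real Keycloak token) showing the expected
# result after a test login: Keycloak's own id in `sub`, the provider's id
# in the mapped claim.
SAMPLE_ACCESS_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(json.dumps({"sub": "keycloak-user-uuid",
                        CLAIM_NAME: "idp-user-123"}).encode()),
    "signature-omitted",
])


def main(admin_token: str, client_uuid: str) -> None:
    """Create both mappers. client_uuid is the client's internal id, not its clientId."""
    admin_post(BASE_URL, admin_token,
               f"{REALM}/identity-provider/instances/{IDP_ALIAS}/mappers",
               idp_sub_to_attribute_mapper(IDP_ALIAS, ATTRIBUTE))
    admin_post(BASE_URL, admin_token,
               f"{REALM}/clients/{client_uuid}/protocol-mappers/models",
               attribute_to_claim_protocol_mapper(ATTRIBUTE, CLAIM_NAME))


if __name__ == "__main__":
    import sys
    main(admin_token=sys.argv[1], client_uuid=sys.argv[2])
```

Run it as `python3 keycloak_sub_mapper.py <admin-access-token> <client-uuid>`, then log in once through the broker and inspect the resulting access token with `decode_payload`. To confirm which value the importer will pick up, compare it with the provider's identifier Keycloak already records on the federated identity link, readable via `GET /admin/realms/{realm}/users/{id}/federated-identity` (the `userId` field).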