LDAP CN to G-WorkSpace NameID: Mismatch for One Group Of Users

My LDAP server has two user groups: students and staff. The student group uses LDAP ‘cn’: firstname.lastname#, and the staff: E12345. The student group uses LDAP ‘mail’: firstname.lastname#(at)domain1.com, and the staff: firstname.lastname#(at)domain2.

My SAML Google Workspace users are synced from LDAP using the LDAP ‘mail’ attribute, but the domain is replaced with a Google domain: firstname.lastname#(at)domain3.

My problem is that Keycloak (once authenticated using the LDAP cn as the username) works great for students, as the cn matches their Google NameIDs, but the staff group’s cn does not match the Google NameIDs, resulting in an “invalid email” error once logged in to Google.

The only solution I can think of is adding a custom attribute to Keycloak that takes the local part of LDAP ‘mail’ and uses that as the SAML NameID for Google accounts. I have imported a .js user.setAttribute("shortEmail", user.getEmail().split("@")[0]); that transforms ‘mail’ from firstname.lastname#(at)domain to firstname.lastname#, but this appears to be available only for OpenID Connect mappers, not SAML.

I do not own the LDAP servers, so I can’t modify them, and the Google NameID needs to have names, not employee numbers, as usernames.

Any help appreciated.
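As an added illustration (not code from the original post and not Keycloak's own code), the following stand-alone JavaScript shows the local-part derivation described above with the checks a practitioner would want before trusting it as a SAML NameID: a malformed or missing ‘mail’ value yields no NameID rather than a broken one, and because two LDAP mail domains (domain1 and domain2) are collapsed into one Google domain, two entries whose local parts coincide are refused instead of being silently mapped to the same Google account. The `mapperBody` function shows the same logic in the shape of a Keycloak script-mapper body; the `user` object it receives is assumed to behave like Keycloak's `UserModel` (`getEmail()` and `setSingleAttribute(name, value)`), and the sample directory entries are constructed, not real accounts. Whether your Keycloak version offers a SAML mapper that copies a user attribute into the NameID is something to verify against its documentation; the code below only produces the attribute value.

```javascript
// Constructed sample LDAP entries in the two shapes the question describes
// (not real accounts): students carry the name in cn, staff carry an
// employee number in cn, and only 'mail' holds the name for both groups.
const SAMPLE_USERS = [
  { cn: "jane.doe1", mail: "jane.doe1@domain1.com" },   // student
  { cn: "E12345",    mail: "john.smith2@domain2.com" }, // staff
  { cn: "E22222",    mail: "john.smith2@domain1.com" }, // collides with E12345
  { cn: "E33333",    mail: "bad-entry-without-at" },    // malformed value
  { cn: "E44444",    mail: null },                      // attribute absent
];

// Returns the local part of an address, or null when the value cannot be
// turned into a safe NameID: missing, more than one '@', empty local part
// or domain, or characters outside the firstname.lastname# pattern.
function localPart(mail) {
  if (typeof mail !== "string") return null;
  const value = mail.trim();
  const at = value.indexOf("@");
  if (at <= 0 || at !== value.lastIndexOf("@") || at === value.length - 1) {
    return null;
  }
  const local = value.slice(0, at);
  return /^[A-Za-z0-9][A-Za-z0-9._-]*$/.test(local) ? local : null;
}

// Maps every entry to a NameID candidate and refuses any local part that two
// entries share: with several LDAP mail domains feeding one Google domain, a
// shared local part would let two people land in the same Google account.
function deriveNameIds(users) {
  const owners = new Map();
  for (const u of users) {
    const id = localPart(u.mail);
    if (id !== null) owners.set(id, (owners.get(id) || []).concat(u.cn));
  }
  return users.map((u) => {
    const id = localPart(u.mail);
    if (id === null) {
      return { cn: u.cn, nameId: null, error: "unusable mail attribute" };
    }
    const others = owners.get(id).filter((cn) => cn !== u.cn);
    if (others.length > 0) {
      return { cn: u.cn, nameId: null, error: "local part shared with " + others.join(",") };
    }
    return { cn: u.cn, nameId: id, error: null };
  });
}

// The same logic in the shape of a Keycloak script-mapper body. `user` is
// assumed to behave like Keycloak's UserModel (getEmail(), setSingleAttribute());
// only a usable value is written, so a malformed 'mail' leaves no stale attribute.
function mapperBody(user) {
  const id = localPart(user.getEmail());
  if (id !== null) user.setSingleAttribute("shortEmail", id);
  return id;
}

// Minimal stand-in for the UserModel object, used to run mapperBody offline.
function mockUser(mail) {
  const attrs = {};
  return {
    getEmail: () => mail,
    setSingleAttribute: (name, value) => { attrs[name] = value; },
    attrs,
  };
}

console.log(JSON.stringify(deriveNameIds(SAMPLE_USERS), null, 2));
```

Running it prints one record per sample entry: the student and the staff member with a unique local part receive a NameID, the two colliding staff entries are rejected with the cn of the other owner named, and the malformed and missing ‘mail’ values produce no NameID at all, which is the outcome you want before the value is handed to Google.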