Map IdP name into token

I’m having some trouble mapping a user session attribute into the token, and I wanted to see if someone can see what I’m doing wrong.

I have a setup where there is one realm core, and several realms that are identity providers (e.g. tenant-a, tenant-b, etc.) to core. I would like to map the name of the IdP into the token issued by core, so I can know which IdP was used to log in.

Here is the setup:

  1. Make an OIDC IdP in core called tenant-a.
  2. In that IdP, add a Mapper called IdP name mapper.
    a. Mapper Type is Hardcoded User Session Attribute
    b. User Session Attribute is idp
    c. User Session Attribute Value is tenant-a
  3. Make a Client Scope called idp
  4. In that Client Scope, make a Mapper called IdP name mapper
    a. Mapper Type is User Session Note
    b. User Session Note is idp
    c. Token Claim Name is idp
    d. Claim JSON Type is String
  5. In the Client where I want the claim to be mapped, add idp as a Default Client Scope.

When I log in with that IdP for that client, the idp claim is not in the token.

Couple of questions:

  1. Is there a difference between User Session Attribute and User Session Note? I’m thinking that may be the problem.
  2. Is there another way to map the value I want into the token?

Thanks in advance for your help.
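
A static check of the chain set up in steps 1 to 5, run over a realm export of core. This is an added example, not part of the original post and not Keycloak's own code. Assumptions: the export field names and the two mapper provider IDs follow Keycloak's realm export format, the client ID `my-app` and the sample data are constructed, and the session note name read by the scope mapper is expected to equal the attribute name written by the IdP mapper.

```python
# Constructed sample shaped like a fragment of a realm export for "core".
# Field names and mapper provider IDs are assumptions, not taken from the post.
IDP_MAPPER = "hardcoded-user-session-attribute-idp-mapper"
NOTE_MAPPER = "oidc-usersessionmodel-note-mapper"
SAMPLE_EXPORT = {
    "identityProviderMappers": [{
        "name": "IdP name mapper", "identityProviderAlias": "tenant-a",
        "identityProviderMapper": IDP_MAPPER,
        "config": {"attribute": "idp", "attribute.value": "tenant-a"}}],
    "clientScopes": [{"name": "idp", "protocolMappers": [{
        "name": "IdP name mapper", "protocolMapper": NOTE_MAPPER,
        "config": {"user.session.note": "idp", "claim.name": "idp",
                   "jsonType.label": "String", "access.token.claim": "true"}}]}],
    "clients": [{"clientId": "my-app", "defaultClientScopes": ["profile", "idp"]}],
}

def audit_idp_claim(export, idp_alias, client_id, claim):
    """Return problems found in the IdP mapper -> session note -> claim chain."""
    problems = []
    # Session attribute names the IdP's hardcoded mappers write at login.
    written = sorted({m["config"]["attribute"] for m in export.get("identityProviderMappers", [])
                      if m.get("identityProviderAlias") == idp_alias
                      and m.get("identityProviderMapper") == IDP_MAPPER
                      and m.get("config", {}).get("attribute")})
    if not written:
        problems.append(f"IdP {idp_alias!r} has no hardcoded session attribute mapper")
    client = next((c for c in export.get("clients", []) if c.get("clientId") == client_id), None)
    if client is None:
        return problems + [f"client {client_id!r} not found"]
    defaults = set(client.get("defaultClientScopes", []))
    # Session note mappers in the client's default scopes that emit the claim.
    mappers = [pm.get("config", {}) for s in export.get("clientScopes", [])
               if s.get("name") in defaults
               for pm in s.get("protocolMappers", [])
               if pm.get("protocolMapper") == NOTE_MAPPER
               and pm.get("config", {}).get("claim.name") == claim]
    if not mappers:
        problems.append(f"no default scope of {client_id!r} maps a session note to {claim!r}")
    for cfg in mappers:
        note = cfg.get("user.session.note")
        if note not in written:
            problems.append(f"mapper reads note {note!r} but the IdP writes {written}")
        if cfg.get("access.token.claim") != "true":
            problems.append("claim is not enabled for the access token")
    return problems

if __name__ == "__main__":
    print(audit_idp_claim(SAMPLE_EXPORT, "tenant-a", "my-app", "idp") or "chain is consistent")
```

An empty result only means the names and toggles line up in the export; it does not confirm that the claim is present in an issued token.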