I’m having some trouble mapping a user session attribute into the token, and I wanted to see if someone can see what I’m doing wrong.
I have a setup where there is one realm `core`, and several realms that are identity providers (e.g. `tenant-a`, `tenant-b`, etc.) to `core`. I would like to map the name of the IdP into the token issued by `core`, so I can know which IdP was used to log in.
Here is the setup:
- Make an OIDC IdP in `core` called `tenant-a`.
- In that IdP, add a Mapper called `IdP name mapper`.
  a. Mapper Type is `Hardcoded User Session Attribute`
  b. User Session Attribute is `idp`
  c. User Session Attribute Value is `tenant-a`
- Make a Client Scope called `idp`.
- In that Client Scope, make a Mapper called `IdP name mapper`.
  a. Mapper Type is `User Session Note`
  b. User Session Note is `idp`
  c. Token Claim Name is `idp`
  d. Claim JSON Type is `String`
- In the Client where I want the claim to be mapped, add `idp` as a Default Client Scope.
When I log in with that IdP for that client, the `idp` claim is not in the token.
Couple of questions:
- Is there a difference between User Session Attribute and User Session Note? I’m thinking that may be the problem.
- Is there another way to map the value I want into the token?
Thanks in advance for your help.
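The same setup expressed as a Keycloak realm-import fragment, added here as an example and not part of the original post: it lets you diff what the admin console actually saved against what you intended, which is the quickest way to spot a mapper that landed on the wrong object or without the token flags set. The client id `my-app`, the IdP endpoint URLs and the secret are placeholders; the provider ids and config keys are the ones used by Keycloak's realm export format as I know it, so verify them against an export from your own version.

```json
{
  "identityProviders": [
    {
      "alias": "tenant-a",
      "providerId": "oidc",
      "enabled": true,
      "config": {
        "clientId": "PLACEHOLDER-client-id-registered-in-tenant-a",
        "clientSecret": "PLACEHOLDER-secret",
        "authorizationUrl": "https://PLACEHOLDER/realms/tenant-a/protocol/openid-connect/auth",
        "tokenUrl": "https://PLACEHOLDER/realms/tenant-a/protocol/openid-connect/token"
      }
    }
  ],
  "identityProviderMappers": [
    {
      "name": "IdP name mapper",
      "identityProviderAlias": "tenant-a",
      "identityProviderMapper": "hardcoded-user-session-attribute-idp-mapper",
      "config": {
        "syncMode": "INHERIT",
        "attribute": "idp",
        "attribute.value": "tenant-a"
      }
    }
  ],
  "clientScopes": [
    {
      "name": "idp",
      "protocol": "openid-connect",
      "protocolMappers": [
        {
          "name": "IdP name mapper",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-usersessionmodel-note-mapper",
          "config": {
            "user.session.note": "idp",
            "claim.name": "idp",
            "jsonType.label": "String",
            "id.token.claim": "true",
            "access.token.claim": "true"
          }
        }
      ]
    }
  ],
  "clients": [
    {
      "clientId": "my-app",
      "defaultClientScopes": ["idp"]
    }
  ]
}
```

When comparing against a real export, check in particular that the protocol mapper carries `access.token.claim` / `id.token.claim` set to `"true"` for the token you are inspecting, and that the scope appears under the client's `defaultClientScopes` rather than `optionalClientScopes`.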