Map IdP name into token

xgp · January 18, 2021, 6:03pm

I’m having some trouble mapping a user session attribute into the token, and I wanted to see if someone can see what I’m doing wrong.

I have a setup where there is one realm core, and several realms that are identity providers (e.g. tenant-a, tenant-b, etc.) to core. I would like to map the name of the IdP into the token issued by core, so I can know which IdP was used to log in.

Here is the setup:

Make an OIDC IdP in core called tenant-a.
In that IdP, add a Mapper called IdP name mapper.
a. Mapper Type is Hardcoded User Session Attribute
b. User Session Attribute is idp
c. User Session Attribute Value is tenant-a
Make a Client Scope called idp
In that Client Scope, make a Mapper called IdP name mapper
a. Mapper Type is User Session Note
b. User Session Note is idp
c. Token Claim Name is idp
d. Claim JSON Type is String
In the Client where I want the claim to be mapped, add idp as a Default Client Scope.

When I log in with that IdP for that client, the idp claim is not in the token.

Couple of questions:

Is there a different between User Session Attribute and User Session Note? I’m thinking that may be the problem.
Is there another way to map the value I want into the token?

Thanks in advance for your help.

Topic		Replies	Views
Attribute Importer Mapper Configuring the server oidc	1	1419	August 25, 2022
Identity Broker - Role mapping Getting advice identity-brokering , oidc	2	1614	March 15, 2024
Transfer claims from external IdP token to internal token Getting advice identity-brokering , oidc	4	895	May 6, 2022
Brokering identity without store personnal data Getting advice identity-brokering	7	767	June 30, 2021
How to use mapper type "key to role" in keycloak authentication , identity-brokering , oidc	0	360	January 21, 2021

Map IdP name into token

Related Topics