How to map user attributes to external IDP claims in a Keycloak instance
Im using the identity brokering feature to log user through Azure AD. Im stuck when Im trying to map user attributes via the Identity provider Attribute Importer. Im pretty sure that the claim exist in the access token of Azure AD. If I try the standard sub claim it works perfectly.. Does someone know some restrictions or limitations to which claims we can import from the external access token?
Example of the external access token:
"app_displayname": "*************",
"appid": "*************",
"appidacr": "1",
"family_name": "user",
"given_name": "user",
"idtyp": "user",
"ipaddr": "*************",
"name": "user-user",
"oid": "*************",
"sub": "*************",
"tenant_region_scope": "*************",
"tid": "*************",
"unique_name": "*************",
"upn": "*************",
"uti": "*************",
The reason is that the attributes you've reported are claims of the access token. The claims used by the Keycloak IDP mapper are retrieved from the ID Token.
I'm pretty sure that you had the claim "sub" in both (access token and ID token) but not the other ones, you were trying to use.
Adding the scope "openid profile email" into the advance configuration in the keycloak identity provider section, you can ask the identity provider to enrich the ID token with more attributes, for instance the oid.
Usually the identity providers specifies in their documentation which are the scopes required to obtain claims.
Regarding Microsoft Azure ID, for instance, you can find in this page that the required scope to have the claim oid in the ID Token is profile
https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
- How can I close over variables in kdb/Q?
- When is the EACH operator extension necessary in K besides mod/rotate?
- Handling single-character strings - in a function or in its caller? ssr()
- Kdb+ data fomat when writing to a file
- How to convert a symbol to a string in kdb+?
- Sum of each two elements using vector functions
- A dictionary with a single value and multiple keys
- Table transformation, table as list of dicts
- Accumulator gives different result then direct function applying
- Reshape [cols;table]
- FK field over IPC
- Protected execution, 2 cases
- Enums for tables
- Converge (fixed point) syntax difference in q and k
- .Q.trp and bt handling
- NULLs in q and in k.h
- Strange view declaration behaviour
- How to build a parse-tree of projections?
- Could not evaluate manually created equial ~ parse tree
- Select distinct for all columns from keyed table
- Parallel execution: blocking receive, deferred synchronous
- Multiple variable assignment in q
- Select a table from the inside of external select
- Select when one of filter-column may not exists
- What is the meaning of `s attribute on a table?
- On parallel execution - which side reports about an error?
- Validate if a keyed table have unique keys
- Applying dictionary to dictionary
- About xkey implementation
- Parse tree built on values from vars