We have a convoluted setup:
- One main Keycloak server that provides the authentication for our web app (call this KC1)
- A secondary Keycloak server that acts as a SAML IdP (call this KC2) and has Google configured as a login provider
KC1 has KC2 configured as a SAML provider.
Now here is what's happening:
- I open the app page, which goes to KC1's login page
- I click the SAML entry button for KC2
- Page goes to KC2's login page and I click on the "Google" button
- I get Google's account auth UI and log in
- I get redirected back to my application page
Now for various reasons we maintain username/email in our backend SQL DB, and we need to create a new entry when this SAML user logs in for the first time. With most SAML IdPs we have tried, the UserRepresentation for the current Keycloak session has a recognizable persistent ID and we can easily map other SAML attributes like email, group etc.
With KC2 and Google, however, all I get is a username like G-6baaadeb-7c72-4ee8-ae64-e293359ec1bc
I tried adding an attribute mapper for the Google IdP; the help says:
Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. contact.address[0].country .
I tried name, email, id - nothing works. I can't find any information as to what the Profile JSON is supposed to look like.
The KC2 server does end up creating the user entry with the right email address etc.
In my Keycloak user representation I get something like:
"federatedIdentities": [
    {
        "identityProvider": "my_litte_idp",
        "userId": "G-13b51145-5433-43df-9ae1-af2217e80101",
        "userName": "g-13b51145-5433-43df-9ae1-af2217e80101"
    }
]
How do I get KC2 to add either a userid or an email address to its SAML response to KC1?
Thanks in advance
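As an added diagnostic (not part of the original post or of Keycloak), the quickest way to settle what KC2 actually sends KC1 is to look at the assertion itself: this script parses a SAML 2.0 Response, pulls out the Subject NameID and every Attribute in the AttributeStatement, and reports whether any email-style attribute is present. The sample response, its attribute names and the NameID format are constructed for illustration, not captured from a real KC2 instance.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names commonly used to carry an email claim (the OID is LDAP "mail").
EMAIL_ATTRIBUTE_NAMES = {"email", "mail", "urn:oid:0.9.2342.19200300.100.1.3"}

# Constructed sample shaped like a SAML 2.0 Response whose Subject is only an
# opaque brokered id and which carries no email attribute. Not a real capture.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-13b51145-5433-43df-9ae1-af2217e80101</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Role">
        <saml:AttributeValue>user</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_response(xml_text):
    """Extract the NameID (format + value) and all AttributeStatement attributes.
    This inspects content only; it does not verify the XML signature."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", SAML)
    if assertion is None:
        raise ValueError("no saml:Assertion in response")
    name_id = assertion.find("saml:Subject/saml:NameID", SAML)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", SAML):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML)]
    return {
        "nameid_format": None if name_id is None else name_id.get("Format"),
        "nameid": None if name_id is None else (name_id.text or "").strip(),
        "attributes": attrs,
    }


def find_email(parsed):
    """Return the first email-looking attribute value, or None if the IdP sent none."""
    for name, values in parsed["attributes"].items():
        if name and name.lower() in EMAIL_ATTRIBUTE_NAMES and values:
            return values[0]
    return None


if __name__ == "__main__":
    info = parse_saml_response(SAMPLE_RESPONSE)
    print("NameID:", info["nameid"], "format:", info["nameid_format"])
    print("email attribute:", find_email(info) or "MISSING from assertion")
```

Feed it the base64-decoded SAMLResponse captured from the browser POST to KC1's broker endpoint; if the email is missing there, the fix belongs on the KC2 side (an attribute mapper on the SAML client), not in KC1's mappers.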