Menu
Im using the identity brokering feature to log user through Azure AD. Im stuck when Im trying to map user attributes via the Identity provider Attribute Importer. Im pretty sure that the claim exist in the access token of Azure AD. If I try the standard sub claim it works perfectly.. Does someone know some restrictions or limitations to which claims we can import from the external access token?
Example of the external access token:
"app_displayname": "*************",
"appid": "*************",
"appidacr": "1",
"family_name": "user",
"given_name": "user",
"idtyp": "user",
"ipaddr": "*************",
"name": "user-user",
"oid": "*************",
"sub": "*************",
"tenant_region_scope": "*************",
"tid": "*************",
"unique_name": "*************",
"upn": "*************",
"uti": "*************",
864
asked Oct 29 '25 01:10
The reason is that the attributes you've reported are claims of the access token. The claims used by the Keycloak IDP mapper are retrieved from the ID Token.
I'm pretty sure that you had the claim "sub" in both (access token and ID token) but not the other ones, you were trying to use.
Adding the scope "openid profile email" into the advance configuration in the keycloak identity provider section, you can ask the identity provider to enrich the ID token with more attributes, for instance the oid.
Usually the identity providers specifies in their documentation which are the scopes required to obtain claims.
Regarding Microsoft Azure ID, for instance, you can find in this page that the required scope to have the claim oid in the ID Token is profile
https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
101
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
