I’m testing some stuff locally and can’t seem to make sense of why some of my mappers work and others don’t. I have an Identity Provider set up with three mappers: firstName, lastName, and email.
However, after doing an SSO sign-in via the identity provider, the email will not update to the value shown in the SAML. Am I missing something here? Is there some limitation I am unaware of?
In “Realm settings” → Tab “Login” you can configure how KC handles the Email for Login. Have you tried “Email as username” and “Login with email” set to OFF? Maybe those settings have an influence on how the Email attribute is synced.
(In SAML standard, Email Attribute should normally be delivered as FriendlyName=“mail” and Name=“urn:oid:0.9.2342.19200300.100.1.3”)
I’m on Keycloak 19, I don’t see the “Email as Username” option, I assume that is added in a later version. Tried with “Login with email” option turned off, no luck.
Also tried with updating attributes on the client and identity provider mapper to match standards, but no change.
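
Added example, not part of the thread above and not Keycloak code: a small Python check that lists the `Name` and `FriendlyName` of every attribute in a SAML assertion and reports which mapper settings would find a value, which is the comparison to make when one mapper imports and another does not. The sample assertion, the `mappers` dictionary shape, the function names, and the exact, case-sensitive matching rule are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"  # Name quoted in the thread

# Constructed sample assertion (unsigned fragment, for illustration only).
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="firstName">
   <saml:AttributeValue>Ada</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="lastName">
   <saml:AttributeValue>Lovelace</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{MAIL_OID}" FriendlyName="mail">
   <saml:AttributeValue>ada@example.org</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def list_attributes(xml_text):
    """Return (Name, FriendlyName, [values]) for every SAML Attribute."""
    root = ET.fromstring(xml_text)
    return [(a.get("Name"), a.get("FriendlyName"),
             [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)])
            for a in root.iterfind(".//saml:Attribute", NS)]

def resolve(attrs, name=None, friendly=None):
    """Values of the first attribute whose Name or FriendlyName matches exactly.
    Exact, case-sensitive comparison is an assumption of this example."""
    for attr_name, attr_friendly, values in attrs:
        if (name and attr_name == name) or (friendly and attr_friendly == friendly):
            return values
    return None

def check_mappers(xml_text, mappers):
    """mappers: {user attribute: {'name': ...} or {'friendly': ...}} (hypothetical shape)."""
    attrs = list_attributes(xml_text)
    return {user_attr: resolve(attrs, **cfg) for user_attr, cfg in mappers.items()}

if __name__ == "__main__":
    mappers = {"firstName": {"name": "firstName"}, "lastName": {"name": "lastName"},
               "email": {"name": "email"}}  # mismatch: assertion uses the OID / "mail"
    for user_attr, values in check_mappers(SAMPLE, mappers).items():
        print(f"{user_attr:10} -> {values if values is not None else 'NO MATCH in assertion'}")
```

Run it against the assertion captured from your own login (for example from the browser's SAML trace) in place of `SAMPLE`; a mapper that reports no match is looking for a name the IdP never sends.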