Unable to import attributes like givenName (firstName) and surname (lastName) from SAML identity provider into Keycloak

I spent the whole day trying to achieve this and it went nowhere, so I'm requesting some guidance here.

I have an Identity Provider set up in Keycloak (not as a Client, but the other way around, really as an identity provider) and I can use it to log in and add users in Keycloak. But by default, only the email address is imported. I thought it would automatically grab more attributes, but it seems not.

I went into the idprov mappers and tried adding default ones with pretty much any possible combination:

givenName, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, sn, user.givenName, surname, etc.

I tried them all in every possible name format (Basic, URI, Unspecified).

I always mapped them to “firstName” and “lastName” in the Keycloak attributes.

I made sure the sync type was “forced” both in the mapper and the idprov options. I deleted the user and the browser cache before every try. None of them seems to import the name into Keycloak.

But if I manually use the Keycloak interface form to set the firstName, it does send them to my OIDC client, so the error is not in that portion, it’s really in the SAML connection.

At this point I can wonder “maybe the identity provider doesn’t provide them”. This provider is “watchguard”, but it was used to successfully connect to other SAML applications like Microsoft Entra and Atlassian, which can read these attributes without any configuration different from the connection done with Keycloak.

I used different tools like SAML Tracer or samltool.io and parsed the content of what I get in the browser dev tool network traces. The resulting document doesn’t seem to have anything except the email in the nameId field.

But then isn’t it part of the “Assertion Consumer Service” from Keycloak to “request” the required attributes? I see that adding a mapping does change the metadata descriptor XML to add them to the list. If the assertion isn’t requesting them correctly, the idprov won’t send them, right?

I tried to find a way to see the XML metadata file that would contain the “saml:AttributeStatement” format that lists the available attributes, but can’t seem to find that information anywhere.

I tried to follow the guide in the docs under “retrieving-external-idp-tokens” that would store the original idprov token on the user. I do see the created users get assigned the read-token permission, but accessing the /token endpoint always returns an “invalid token” error. I believe this would just output the same thing as I see in the browser network logs anyway?

Ok, the SAML-Trace view does show everything the IdP provides, and the Watchguard configuration does have a section to add attributes (the IT team had hidden it from me).

I find it kinda sad that it’s not set to standardized values and it needs to be mapped on both sides manually for something as simple as the name, but it seems like that’s it.
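The thread's diagnosis (the assertion carried only a NameID, so no mapper could ever populate firstName/lastName) can be checked offline from the SAMLResponse value captured in the browser's network trace. The script below is an added example, not code from the thread or from Keycloak: it decodes the HTTP-POST form value, lists every `saml:Attribute` in the `AttributeStatement` with its exact `Name` and `NameFormat`, and then applies a simplified model of an attribute-importer mapper (exact Name match, plus NameFormat match when one is configured). Both sample responses are constructed, and the mapper-matching model is an assumption, not Keycloak's actual implementation; it is there to show why a mapper that names the attribute differently from the IdP, or picks a different name format, silently imports nothing.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Standard SAML 2.0 attribute name formats (the three choices offered in a Keycloak mapper).
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

GIVENNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

# Constructed sample 1: the shape described in the question, an assertion whose
# only identity data is the NameID. No AttributeStatement at all.
RESPONSE_NAMEID_ONLY = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample 2: the same assertion after the IdP was configured to release
# given name and surname as URI-format attributes.
RESPONSE_WITH_ATTRIBUTES = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>Doe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser actually POSTs to Keycloak's assertion consumer endpoint is the
# base64 of the XML; constructed here so the decode path below is exercised.
SAMPLE_POST_VALUE = base64.b64encode(RESPONSE_WITH_ATTRIBUTES.encode("utf-8")).decode("ascii")


def decode_saml_response(form_value: str) -> str:
    """Decode the base64 SAMLResponse form field of the HTTP-POST binding into XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def name_id(xml_text: str) -> Optional[str]:
    """Return the subject NameID, the one value the question's assertion did carry."""
    el = ET.fromstring(xml_text).find(".//saml:Subject/saml:NameID", NS)
    return el.text if el is not None else None


def list_attributes(xml_text: str) -> Dict[Tuple[str, str], List[str]]:
    """Map (Name, NameFormat) -> values for every Attribute in any AttributeStatement.
    A missing NameFormat is treated as 'unspecified', as the SAML core spec defines."""
    root = ET.fromstring(xml_text)
    found: Dict[Tuple[str, str], List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        key = (attr.get("Name", ""), attr.get("NameFormat", UNSPECIFIED_FORMAT))
        found[key] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return found


def resolve_mapper(attrs: Dict[Tuple[str, str], List[str]],
                   attribute_name: str, name_format: Optional[str] = None) -> Optional[str]:
    """Simplified (assumed) attribute-importer behaviour: exact Name match, and an
    exact NameFormat match if the mapper pins one. Returns the first value or None."""
    for (name, fmt), values in attrs.items():
        if name == attribute_name and (name_format is None or fmt == name_format):
            return values[0] if values else None
    return None


def diagnose(xml_text: str, attribute_name: str, name_format: Optional[str] = None) -> str:
    """Explain why a mapper would or would not populate its user attribute."""
    attrs = list_attributes(xml_text)
    if not attrs:
        return "no-attribute-statement"   # IdP is not releasing attributes; fix it on the IdP side
    if resolve_mapper(attrs, attribute_name, name_format) is not None:
        return "mapped"
    if any(name == attribute_name for name, _ in attrs):
        return "format-mismatch"          # right Name, mapper pinned the wrong NameFormat
    return "name-mismatch"                # IdP uses a different attribute Name than the mapper


if __name__ == "__main__":
    xml = decode_saml_response(SAMPLE_POST_VALUE)
    print("NameID:", name_id(xml))
    for (name, fmt), values in list_attributes(xml).items():
        print(f"{name} [{fmt}] = {values}")
    print(diagnose(RESPONSE_NAMEID_ONLY, GIVENNAME_CLAIM, URI_FORMAT))
    print(diagnose(xml, "givenName", BASIC_FORMAT))
```

Run it against a real trace by replacing `SAMPLE_POST_VALUE` with the `SAMLResponse` form field copied from the browser's network tab; the `(Name, NameFormat)` pairs it prints are what the Keycloak mapper's Attribute Name and Name Format fields must match character for character, and an empty listing means the work is on the IdP side, as it turned out to be here.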
