...
N.B. As of the external_system_id user attribute is not currently set/migrated from user records in Folio to Keycloak. However, there are plans to add this soon. Keep in mind that you can always manually add/set arbitrary user attributes in Keycloak for testing purposes.
Tips/Tricks
This section provides some tips/tricks which may or may not be helpful to you, based on various factors.
I can't find my Subject NameID
This one may be specific to SSOCircle... In some cases I've seen that the SAML response doesn't include the expected information, including assertions and even the Subject's NameID, until you do something like the following:
- In step 6 of "Add an Identity Provider", you specify "Allow Create": "off" and specify the "Detect and Set Existing User" flow you created earlier in the process. The trick here is to basically undo those changes, setting "Allow Create": "on", and change the flow to "First broker login".
- Attempt to log in again.
- Keycloak will probably present you with a form for creating a new user since one couldn't be found. The form will be prepopulated with the Subject's NameID. Copy this for later use.
- Repeat step 6 of "Add an Identity Provider" to turn Allow Create off and specify your Detect and Set Existing User flow.
- Now when you log in, if you inspect the SAML response, you should see the assertions and the Subject's NameID.
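One way to do the inspection in the last step, as an added example that is not part of the original page or of Folio/Keycloak: a small Python script that decodes the base64 SAMLResponse form value and reports whether assertions and the Subject's NameID are present. It assumes the HTTP-POST binding (plain base64, no deflate) and an unencrypted assertion; the function names and both sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_saml_response(b64_response):
    """Summarize a base64 SAMLResponse value (HTTP-POST binding).
    Inspection only: signatures are not verified, and encrypted
    assertions are counted but not decrypted."""
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    attrs = {}
    for a in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [(v.text or "").strip()
                                for v in a.findall("saml:AttributeValue", NS)]
    return {
        "status": status.get("Value") if status is not None else None,
        "assertions": len(root.findall("saml:Assertion", NS)),
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }

# Constructed sample responses (not captured from SSOCircle or Keycloak).
HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>')
SAMPLE_FULL = HEAD + (
    '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>'
    '</saml:Subject><saml:AttributeStatement><saml:Attribute Name="email">'
    '<saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
SAMPLE_EMPTY = HEAD + '</samlp:Response>'  # the symptom: no assertion, no NameID

def encode(xml_text):
    """Base64-encode XML the way the POST binding carries it (for the samples)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for label, xml_text in (("full", SAMPLE_FULL), ("empty", SAMPLE_EMPTY)):
        info = inspect_saml_response(encode(xml_text))
        print(label, info)
        if info["name_id"] is None:
            print("  no Subject NameID in this response")
```

To use it on a real login, pass the SAMLResponse form value copied from the browser's network tools (already URL-decoded) to inspect_saml_response.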
Open Questions
- TBD