To synchronize email addresses, last names, and first names of users of an
identity provider other than AD FS with those of Common Services, you must configure the identity
provider to ensure that the ID token issued by the identity provider includes claims that
correspond to Keycloak user attributes. You do not need to configure Keycloak. You can choose
which attributes to map for users. For details on configuring claims for an identity provider,
see the documentation for the identity provider that you are using.
The following table below provides the correspondence between Keycloak user attributes and claims in the ID token of the identity provider.
| Keycloak user attribute | Claim in the ID token of the identity provider |
|---|---|
| lastName | family_name |
| firstName | given_name |