To synchronize email addresses, last names, and first names of users of an
identity provider other than AD FS with those of Common Services, you must specify mappings between
assertion attributes for the identity provider and Keycloak user attributes. You can choose
which attributes to map for users.
Configure the assertion attributes for the identity provider. The assertion sent from the identity provider must include attributes required for Keycloak user attributes. For details on assertion attribute settings for the identity provider, see the documentation for the identity provider that you are using.
The following table shows the correspondence between Keycloak user attributes and assertion attributes for an identity provider.
| Keycloak user attribute | Example of assertion attributes for an identity provider |
|---|---|
| email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
| lastName | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
| firstName | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
- Log in to the Hitachi Ops Center Portal as the sysadmin user or as a user who belongs to the opscenter-administrators group.
- From the navigation bar, click Manage users.
- In the Users window, from the Asset type, click Identity providers (Other).
- In the Identity providers (Other) window, click Embedded Keycloak.
- Log in to Keycloak as the idpadmin user.
- In the Identity providers window, click the registered identity provider.
- In the Provider details window, click the Mappers tab.
- For each attribute to be synchronized, specify the item required for mapping.
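
As an added example (not part of the original procedure or the product's own tooling), the following Python check takes a captured SAML assertion and reports which of the Keycloak user attributes from the table it can populate, so that a missing or empty attribute is caught before the mappers are configured. The sample assertion and the function names are constructed for illustration, and `email` is assumed to be the Keycloak attribute that pairs with the emailaddress claim.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Keycloak user attribute -> assertion attribute name, following the table.
# "email" is assumed here as the Keycloak attribute for the emailaddress claim.
REQUIRED = {
    "email": CLAIMS + "emailaddress",
    "lastName": CLAIMS + "surname",
    "firstName": CLAIMS + "givenname",
}

# Constructed sample assertion (unsigned, invented values); givenname is blank.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue> </saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def assertion_attributes(xml_text):
    """Return {attribute Name: [non-empty values]} from every AttributeStatement."""
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        found.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return found

def check_mappings(xml_text, required=REQUIRED):
    """Return (mapped, missing) keyed by Keycloak user attribute."""
    found = assertion_attributes(xml_text)
    mapped, missing = {}, []
    for kc_attr, claim in required.items():
        values = found.get(claim, [])
        if values:
            mapped[kc_attr] = values[0]   # first value is what a mapper would sync
        else:
            missing.append(kc_attr)       # attribute absent or sent with no value
    return mapped, missing

if __name__ == "__main__":
    mapped, missing = check_mappings(SAMPLE_ASSERTION)
    print("mapped:", mapped)
    print("missing or empty:", missing)
```

The check only inspects which attributes are present; it does not validate the assertion's signature, which remains Keycloak's responsibility.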