Available User Session Data

After a user logs in from the external IDP, there’s some additional user session note data that Keycloak stores that you can access. This data can be propagated to the client requesting a login via the token or SAML assertion being passed back to it by using an appropriate client mapper.

identity_provider

This is the IDP alias of the broker used to perform the login.

identity_provider_identity

This is the IDP username of the currently authenticated user. This is often same like the Keycloak username, but doesn’t necessarily needs to be. For example Keycloak user john can be linked to the Facebook user john123@gmail.com, so in that case value of user session note will be john123@gmail.com .

You can use a Protocol Mapper of type User Session Note to propagate this information to your clients.