如何通过keycloak向github企业中的每个用户添加主要电子邮件？

Question

I have github enterprise configured. I use keycloak for authentication.

Sign up/ login flow is like this,

Users click sign in with SAML from github enterprise.

Then they are redirected to keycloak login page.

Where they can choose github.com for signup.

After successful authentication from github.com users are redirected to github enterprise.

Now a new user has been created in keycloak with username as of github.com username and email as of github.com email.

But in github enterprise, user's username is created by parsing the first part before the @ of email id and user's email id is not getting updated in github enterprise user account even though github enterprise is receiving email id from keycloak.

Users get the following notification, saying them to add one email address.

If an user don't add their email, they don't get email for events like organization invitation, password reset.

This not what i want. I also not what the users to manually add email id to their account.

I want get github enterprise user's username and email to be the same as of keycloak.

How can i achieve this ?

Answer 1

We have extracted saml response from keycloak to ghe by inspecting the /consume request in browser network. When SAML response is decoded (using samltool.io), we identified that keycloak is not sending email attribute to ghe.

Github used the following attributes for updating profile information. So keycloak needs to send attribute in variable specified in this field.

We have found that there is some builtin "Mappers" available in client which can be used for sending some specified predetermined attributes to client applications.

Select your client -> Mappers -> Add builtin. Select the required mappers and click Add.

Open x500 Email and set "SAML Attribute Name" to the variable same as the variable name set on github. Provide some Property and Friendly Name.

Now you will get email address in user's account.