SAML assertion/attribute mappings when using Entra ID as IDP for Keycloak
Posted on Monday 17 November 2025 in iam
Last week we were working on using Entra ID (Azure Active Directory) as an Identity Provider (IdP) for a Keycloak instance. For reasons of our own we chose a SAML-based setup. While mapping common Entra ID attributes to Keycloak attributes, it took some effort to find the exact names/keys to use: most search engine hits assume you want OpenID Connect, which does not help here.
So, for my future self and for others who do not want to dig the assertion names out of the browser's network inspector, here are the mappings:
| Entra ID | Keycloak attribute |
|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | firstName |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | lastName |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | username |
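As an added example (not code from the original post, and not Keycloak's or Microsoft's own code), the script below does two things with the table above: it parses the `AttributeStatement` of a SAML response so you can see exactly which claim URIs Entra ID sent without the network inspector, and it builds the Keycloak identity-provider mapper representations that would import those claims into the listed user attributes. The sample response, the issuer tenant GUID and the IdP alias `entra-id` are constructed placeholders. The mapper type `saml-user-attribute-idp-mapper` and the config keys `attribute.name`, `user.attribute` and `syncMode` are what I know Keycloak's "Attribute Importer" SAML mapper uses; check them against your Keycloak version. The `emailaddress` claim is deliberately left without a target, as in the table.

```python
"""Inspect an Entra ID SAML assertion and build Keycloak attribute-importer mappers.

Added example: parses a constructed SAML response, lists the claim URIs it
carries, maps the ones from the post's table onto Keycloak user attributes,
and emits the mapper objects you would POST to the Keycloak admin API.
It does NOT validate the XML signature; use it only to inspect what an IdP
sends, never as a substitute for Keycloak's own assertion validation.
"""
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the Response/Assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim URI -> Keycloak user attribute, straight from the post's table.
CLAIM_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
CLAIM_TO_KEYCLOAK = {
    CLAIM_PREFIX + "givenname": "firstName",
    CLAIM_PREFIX + "surname": "lastName",
    CLAIM_PREFIX + "name": "username",
}

# Constructed sample response, shaped like what Entra ID posts to the ACS URL.
# The issuer tenant GUID is a placeholder, not a real tenant.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Ada</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Lovelace</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>ada@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>ada@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_saml_response(b64_form_value: str) -> str:
    """Decode the base64 SAMLResponse form field as copied from the browser."""
    return base64.b64decode(b64_form_value).decode("utf-8")


def extract_attributes(saml_response_xml: str) -> dict:
    """Return {claim_uri: [values, ...]} for every Attribute in the response."""
    root = ET.fromstring(saml_response_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        found[attr.get("Name")] = values
    return found


def map_to_keycloak(attributes: dict) -> tuple:
    """Split claims into (mapped Keycloak attributes, unmapped claim URIs)."""
    mapped, unmapped = {}, []
    for claim, values in attributes.items():
        target = CLAIM_TO_KEYCLOAK.get(claim)
        if target is None:
            unmapped.append(claim)  # e.g. emailaddress, which the table leaves open
        elif values:
            mapped[target] = values[0]  # these attributes are single-valued
    return mapped, unmapped


def keycloak_mappers(idp_alias: str) -> list:
    """Build one attribute-importer mapper per table row (assumed mapper id/keys)."""
    return [
        {
            "name": f"entra-{user_attribute}",
            "identityProviderAlias": idp_alias,
            "identityProviderMapper": "saml-user-attribute-idp-mapper",
            "config": {
                "attribute.name": claim,
                "user.attribute": user_attribute,
                "syncMode": "INHERIT",
            },
        }
        for claim, user_attribute in CLAIM_TO_KEYCLOAK.items()
    ]


if __name__ == "__main__":
    encoded = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
    claims = extract_attributes(decode_saml_response(encoded))
    mapped, unmapped = map_to_keycloak(claims)
    print("mapped:", mapped)
    print("unmapped claims:", unmapped)
    for m in keycloak_mappers("entra-id"):
        print(m["name"], "<-", m["config"]["attribute.name"])
```

Feed `decode_saml_response` the `SAMLResponse` value captured from the POST to your Keycloak broker endpoint and the `unmapped` list tells you which claims Entra ID sends that you have not yet wired up; the mapper dicts can be posted to `identity-provider/instances/<alias>/mappers` in the admin API once you have confirmed the keys against your Keycloak release.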
Thank you and bye