Map External Identity Data into Keycloak or Keymate—Your Way

Import user titles, company names, departments, or organizational attributes from external systems—into either native Keycloak attributes or Keymate's typed schema. Use them in tokens, policies, and UI with confidence.

Sync User & Organization Metadata Across Identity Layers

Why It Matters

Identity data doesn't live in one place—and your IAM system shouldn't assume it does.

  • HRMS and registries hold official metadata like title, department, or company
  • Legacy LDAPs expose role or position information
  • Keycloak only supports flat, untyped attributes

The Custom Attribute Mapper SPI bridges this gap: it pulls external metadata and lets you choose where to store it (in native Keycloak attributes or in typed, governed Keymate schemas) for full control, visibility, and policy use.

Flexible Mapping from External Sources to IAM-Aware Attributes

This flexibility ensures minimal friction while supporting typed governance when needed.

Attribute Mapping Flow

Connect to HRMS, registries, CRM, or partner APIs and normalize fields into either native Keycloak user attributes or Keymate's user or organization attribute schemas. Expose attributes to token mappers, the policy engine (DSL), the Admin Console, and simulation & auditing tools.

Example: Map external data to Keycloak or Keymate attributes for use in tokens and policies.

Key Components:

  • Connect to external sources (HRMS, LDAP)
  • Map to native Keycloak or Keymate schemas
  • Use in tokens, policies, and UI
  • Ensure full visibility and governance

Compatibility & Target Options

This SPI supports multiple storage and enforcement paths:

  • ✅ Native Keycloak user attributes (flat structure, simple use cases)
  • ✅ Keymate's advanced User Attributes Engine (typed, scoped, DSL-aware)
  • ✅ Keymate's Organization Attribute Engine (for org-bound attribute enforcement)

This allows phased rollout or hybrid usage—you don't have to migrate everything to use advanced authorization.

Extension Highlights — What Makes It Unique

  • External Metadata Integration: Pull data from HRMS, workforce, or registry APIs
  • Flexible Targets: Map to native Keycloak attributes, Keymate user attributes, or organization-level attributes
  • Optional Typing & Validation: Use Keymate's attribute dictionary to define type, validation, and source metadata
  • Policy-Aware Exposure: Attributes available in Keymate DSL (with autocomplete, syntax hints)
  • Token Enrichment: Mapped attributes can be used in session notes and access tokens
  • Tenant-Aware Mapping: Configure per-tenant rules for multi-tenant environments

Frequently Asked Questions

Absolutely. You can write directly to Keycloak's native attributes. For advanced features like typing and policy scoping, optional integration with Keymate is available.
Yes. Attributes can also be assigned at the organization level and governed via Keymate's Org Attribute Engine.
Yes—mapped attributes (from either storage method) are available in policy definitions using Keymate's DSL engine.
Any system exposing API or event-based data—like HRMS, LDAP, registries, or partner systems—can be used.

How to Use This Extension

Implementation Steps

1. Deploy the SPI to your Keycloak cluster
2. Configure external attribute sources and mapping rules
3. Choose the target: Keycloak attribute, Keymate User Attribute, or Organization Attribute
4. Sync at login, via event-driven updates, or on demand
5. Use attributes across token enrichment, policy definition, admin visibility, and audit and observability
