CILogon username mapping without `eppn`

At my site we’re considering switching from InCommon Shibboleth to CILogon authentication. Normally a user’s username comes from their `eppn` attribute. But Google, Microsoft, GitHub, and possibly others don’t have an `eppn` attribute. We could use the `email` attribute, but email seems to be problematic since users might be able to change their email. What do you do at OSC?

We use `preferred_username` at OSC.

Though I suspect that’s because Keycloak is our actual IdP and it has access to LDAP, which can generate the correct `preferred_username`.

And I guess I should also say that we use CILogon, but again, it’s backed by Keycloak, which has mapped the CILogon user to a local user in our LDAP.

Doesn’t Keycloak also have to pick an attribute with which to map CILogon attributes to an LDAP user?

Keycloak maps the user on their side. So the login flow is:

  • log in with CILogon
  • Keycloak then prompts you to log in with your OSC credentials
  • Keycloak maps the CILogon user to the local OSC user, using the CILogon user as the federated user.

I can see in Keycloak my federated ID, which I can unlink from my actual OSC account.

I checked the configs and we request these scopes from Keycloak: `openid profile org.cilogon.userinfo`, though I don’t know if that’s relevant or not.
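To make the mapping discussion above concrete, here is an added example (not OSC's or Keycloak's code) that models the flow described in the thread: resolve a local username from `eppn` or `preferred_username` when present, otherwise require a one-time link of the federated identity to a local account and reuse that link on later logins. It assumes standard OIDC claim names (`iss`, `sub`, `email`, `preferred_username`) plus the `eppn` claim CILogon passes through for InCommon IdPs; the claim sets below are constructed samples.

```python
# Added example: claim-to-local-username mapping for a CILogon-backed login.
# Not OSC's or Keycloak's code; it models the federated-identity link
# step from the thread. Claim names assume standard OIDC userinfo plus eppn.

# Constructed sample claims, not real accounts.
INCOMMON_CLAIMS = {
    "iss": "https://cilogon.org",
    "sub": "http://cilogon.org/serverA/users/1001",
    "eppn": "jdoe@example.edu",
    "email": "jane.doe@example.edu",
}
GOOGLE_CLAIMS = {
    "iss": "https://cilogon.org",
    "sub": "http://cilogon.org/serverB/users/2002",
    "email": "jane.doe@gmail.com",
    # no eppn and no preferred_username: typical for a social IdP
}


def federated_key(claims):
    """Stable key for a federated identity: issuer plus subject.
    email is never part of the key because the user may be able to
    change it at the upstream IdP."""
    return (claims["iss"], claims["sub"])


def link_identity(links, claims, local_username):
    """Record the link Keycloak creates once the user has proved
    ownership of the local account with site credentials."""
    links[federated_key(claims)] = local_username


def map_username(claims, links):
    """Resolve claims to a local username, or None when account linking
    is still required. Order: existing federated link, then eppn, then
    preferred_username. The scoped eppn is kept whole so users from
    different institutions cannot collide on the local part."""
    key = federated_key(claims)
    if key in links:
        return links[key]
    for claim in ("eppn", "preferred_username"):
        value = claims.get(claim)
        if value:
            return value
    return None
```

A changed `email` at the upstream IdP does not affect the result once the link exists, which is the property the thread is after.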