Configuring attribute mapping on OKTA

Last Updated: Jun 10, 2026

About this task

When a user authenticates, OKTA sends a SAML authentication response to Keycloak that contains user attributes such as the first name, last name, phone number, or email address. Keycloak then maps these attributes into the access token that it generates and returns to clients. Use this procedure to configure on OKTA the attribute names that Keycloak expects.

Procedure

  1. Log in to the OKTA administration portal as an administrator.
  2. Navigate to Directory > Profile Editor.
  3. Click Profile for your SAML v2.0 application.
  4. On the Attributes page, click Add Attribute and add three new attributes with the following parameters:

    Display Name   Variable Name   Data Type   Attribute Type
    ------------   -------------   ---------   --------------
    email          email           string      Custom
    firstName      firstName       string      Custom
    lastName       lastName        string      Custom

    For other settings, leave the default values.

    The following image displays the configured email attribute:

  5. Click Save.
  6. On the Attributes page, click Mappings.
  7. Navigate to the <Your application name> to OKTA User tab and then configure the mapping as follows:

    Table 1:

    <Your Application Name> User Profile   OKTA User Profile
    ------------------------------------   -----------------
    appuser.firstName                      firstName
    appuser.lastName                       lastName
    appuser.email                          email

    The following image displays the configured attributes:

  8. Navigate to the OKTA User to <Your application name> tab and then configure the mapping as follows:

    Table 2:

    OKTA User Profile   <Your application name> User Profile
    -----------------   ------------------------------------
    user.email          email
    user.firstName      firstName
    user.lastName       lastName

    The following image displays the configured attributes:

  9. Save mappings.
  10. Navigate to Application.
  11. Select your SAML application.
  12. On the General tab, in the SAML Settings area, click Edit.
  13. On the General Settings page, click Next.
  14. On the Configure SAML page, select Show Advanced Settings.
  15. In the Attribute Statements area, add attribute statements as follows:

    Name        Name format    Value
    ---------   -----------    --------------
    email       Unspecified    user.email
    firstName   Unspecified    user.firstName
    lastName    Unspecified    user.lastName

    The following image displays the configured attributes:

  16. In the Group Attribute Statements area, add group attribute statements as follows:

    Name    Name format    Filter   Value
    -----   -----------    ------   --------------------------------------------------
    Admin   Unspecified    Equals   The name of the administrator group configured on OKTA.
    User    Unspecified    Equals   The name of the user group configured on OKTA.

    The following image displays the configured attributes:

  17. Click Next.
  18. Click Save.
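As an added example that is not part of this documentation, the following Python script checks a SAML assertion against the attribute statements of steps 15 and 16: every user attribute must be present with a value and the Unspecified name format, and the group statements report which groups the user holds. The assertion is constructed inline; the user values and the group names Administrators and Users are placeholders, and the check assumes the assertion has already been signature-verified by the service provider.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
USER_ATTRS = ("email", "firstName", "lastName")   # attribute statements, step 15
GROUP_ATTRS = ("Admin", "User")                   # group attribute statements, step 16

def _attr(name, value):
    """Build one Attribute element for the constructed sample below."""
    return (f'<saml2:Attribute Name="{name}" NameFormat="{UNSPECIFIED}">'
            f'<saml2:AttributeValue>{value}</saml2:AttributeValue></saml2:Attribute>')

# Constructed sample assertion (not a captured OKTA response); the user values and
# the group names "Administrators" / "Users" are placeholders.
SAMPLE_ASSERTION = (
    f'<saml2:Assertion xmlns:saml2="{SAML_NS}"><saml2:AttributeStatement>'
    + _attr("email", "jane.doe@example.com") + _attr("firstName", "Jane")
    + _attr("lastName", "Doe") + _attr("Admin", "Administrators") + _attr("User", "Users")
    + "</saml2:AttributeStatement></saml2:Assertion>"
)

def extract_attributes(assertion_xml):
    """Map each Attribute Name to its NameFormat and its list of non-empty values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = {"format": attr.get("NameFormat"), "values": [v for v in values if v]}
    return attrs

def check_mapping(assertion_xml):
    """Return the problems found against the step 15/16 configuration; [] means it matches."""
    attrs = extract_attributes(assertion_xml)
    problems = []
    for name in USER_ATTRS:            # user attributes must be present and populated
        entry = attrs.get(name)
        if entry is None:
            problems.append(f"missing attribute statement: {name}")
        elif not entry["values"]:
            problems.append(f"{name}: no value (check the profile mappings in steps 7 and 8)")
    for name, entry in attrs.items():  # every statement must use the Unspecified format
        if entry["format"] != UNSPECIFIED:
            problems.append(f"{name}: NameFormat {entry['format']!r} is not Unspecified")
    return problems

def groups_asserted(assertion_xml):
    """Names of the group attribute statements (Admin/User) that carry a group value."""
    attrs = extract_attributes(assertion_xml)
    return {name for name in GROUP_ATTRS if attrs.get(name, {}).get("values")}
```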