This protocol mapper modifies the ID token claims to work with Entra ID EAM in accordance with this document.
It sets the sub claim to the value that was received with the initial request.
The amr claim is set to otp by default if that is available.
If the privacyIDEA Keycloak Plugin is used, the amr claim can also be set to fido if that is available and Passkey/WebAuthn has been used for authentication.
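As an added illustration, not the plugin's own code, the sketch below shows how such an ID-token mapper is structured on the Keycloak protocol mapper API. The package name, provider id and the two client-session notes it reads the requested subject and the authentication method from are assumptions, and the class must additionally be listed in META-INF/services/org.keycloak.protocol.ProtocolMapper to show up in the admin console.

```java
package example.eam; // hypothetical package name

import java.util.ArrayList;
import java.util.List;
import org.jboss.logging.Logger;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

/** Example ID-token mapper that rewrites sub and amr the way Entra ID EAM expects. */
public class EamSubjectOverrideMapper extends AbstractOIDCProtocolMapper implements OIDCIDTokenMapper {
    private static final Logger LOG = Logger.getLogger(EamSubjectOverrideMapper.class);
    public static final String PROVIDER_ID = "example-eam-subject-override"; // hypothetical id
    // Hypothetical client-session notes: the subject Entra ID sent with the request, and the
    // method the second-factor authenticator recorded ("otp" or "fido").
    private static final String REQUEST_SUBJECT_NOTE = "eam.request.subject";
    private static final String AUTH_METHOD_NOTE = "eam.amr";
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        // Contributes the "Add to ID token" switch (and its siblings) shown in the admin console.
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, EamSubjectOverrideMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Entra ID EAM Subject Override (example)"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Sets sub and amr as required by Entra ID EAM."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    // AbstractOIDCProtocolMapper.transformIDToken() calls this only if "Add to ID token" is enabled.
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession,
                            KeycloakSession keycloakSession, ClientSessionContext clientSessionCtx) {
        String subject = clientSessionCtx.getClientSession().getNote(REQUEST_SUBJECT_NOTE);
        if (subject == null || subject.isEmpty()) {
            // Leave the token untouched rather than guess; Entra ID will reject a mismatched sub.
            LOG.error("EAM subject missing from client session, sub not overridden");
            return;
        }
        token.setSubject(subject);
        String method = clientSessionCtx.getClientSession().getNote(AUTH_METHOD_NOTE);
        token.getOtherClaims().put("amr", List.of("fido".equals(method) ? "fido" : "otp"));
    }
}
```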
Take the jar from the releases and drop it in the /providers directory of your Keycloak installation. Keycloak needs to be restarted afterward.
If the deployment was successful, you can go to Clients -> <clientName> -> Client Scopes -> <clientName>-dedicated -> Configure a new mapper and there select Entra ID EAM Subject Override. You will then see the configuration page of the mapper, where the only relevant setting is to enable "Add to ID token".
The mapper logs errors to the Keycloak log. Additionally, if debug logging is enabled for Keycloak itself, it prints all available information when it is executed, including the deserialized ID token before and after modification, the openid request parameter, the userSession and the HTTP request parameters. Because this output includes token contents, keep debug logging off outside of troubleshooting.