Integrating the Austrian eID into Keycloak enables organisations to use the advantages of the European eID system. I already wrote some general things about the system in my blog entry about the Estonian program. The Austrian government allows the system to be implemented for both the public and the private sector. To use it, one must be registered via the USP and register as a service provider (SP). Once the government has approved the registration, one can start implementing it.
When logged into Keycloak, create a new Identity Provider connection in your selected realm. This blog post is about an OIDC connection, so make sure to select OIDC (OpenID Connect v1.0) when creating the provider connection. Submit a unique alias; this alias will also be submitted with the government application registration. Insert a display name and order of your choice; these are purely cosmetic and have no functional meaning. All further URLs for ID Austria should be taken from its documentation. When creating a new connection, Keycloak can also fill in these values from a discovery endpoint: use this link. Enter your client ID and the client password (retrievable via the government portal), and insert openid and profile, space separated, in the Scopes field.
Congratulations: you have connected your Keycloak as a service provider to the Austrian eID. The login will not work yet (proceed to the next section), but you should be able to select eID as the authentication method and make a few clicks at the linked governmental portal.
Please only configure this when the previous section already works and has been tested!
To make use of the eID, you need to map the attributes you receive from the eID onto the attributes you have configured in your Keycloak. When applying as a service provider for the eID, you need to select which attributes you want to receive. This is a list of the available attributes and their names. For every attribute you want to import, you need to create a local Keycloak user profile attribute and a mapper in the provider connection.
Create your user profile attributes in the User Profile section of the realm settings. Be sure to grant the correct read and write permissions for users and admins and select a corresponding scope. Also check whether the expected value of the attribute is multivalued and enable the corresponding switch.
When all user attributes are created, you can start mapping the eID attributes onto them. Create mappers in the Mappers section of your newly created identity provider. For simple attribute mapping choose the type Attribute Importer and the sync mode Inherit. Claim is the name of the attribute as sent by the eID. Be sure to escape the dots, otherwise Keycloak reads the dot as a path separator into a nested claim! E.g. urn:pvpgvat:oidc.eid_issuing_nation should be submitted as urn:pvpgvat:oidc\.eid_issuing_nation.

Specific attention must also be paid to importing the correct ID of users into your Keycloak, so that each eID user is linked to the right local account. The Austrian eID uses the attribute urn:pvpgvat:oidc.bpk as ID. Choose the type Username Template Importer and the sync mode Inherit. Then use ${ALIAS}.${CLAIM.urn:pvpgvat:oidc.bpk} as template and BROKER_ID as your target.
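To make the two mappers above reproducible (for a realm import or the admin REST API) and to show why the dots must be escaped, here is an added Python example; it is not code from the original post or from Keycloak. The mapper type ids, the config keys and the dot-splitting rule are my assumptions about Keycloak's mapper representation, and the ID token payload is constructed.

```python
from __future__ import annotations
import json
import re
from typing import Any, Optional

# Claim names as sent by ID Austria (taken from the post).
BPK_CLAIM = "urn:pvpgvat:oidc.bpk"
ISSUING_NATION_CLAIM = "urn:pvpgvat:oidc.eid_issuing_nation"

def escape_claim(claim: str) -> str:
    """Escape dots in a flat claim name so they are not read as a nested path."""
    return claim.replace(".", "\\.")

def split_claim_path(claim: str) -> list[str]:
    """Split on unescaped dots only; '\\.' stays a literal dot (assumed Keycloak rule)."""
    parts = re.split(r"(?<!\\)\.", claim)
    return [p.replace("\\.", ".") for p in parts]

def resolve_claim(token: dict[str, Any], claim: str) -> Optional[Any]:
    """Walk the token along the claim path; None when any segment is missing."""
    node: Any = token
    for key in split_claim_path(claim):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def attribute_importer(alias: str, claim: str, user_attribute: str) -> dict[str, Any]:
    """Mapper representation for an 'Attribute Importer' with sync mode Inherit (assumed ids)."""
    return {
        "name": f"import-{user_attribute}",
        "identityProviderAlias": alias,
        "identityProviderMapper": "oidc-user-attribute-idp-mapper",
        "config": {"syncMode": "INHERIT", "claim": escape_claim(claim), "user.attribute": user_attribute},
    }

def bpk_username_importer(alias: str) -> dict[str, Any]:
    """'Username Template Importer' writing the bPK into BROKER_ID, with the post's template."""
    return {
        "name": "bpk-broker-id",
        "identityProviderAlias": alias,
        "identityProviderMapper": "oidc-username-idp-mapper",
        "config": {"syncMode": "INHERIT", "template": "${ALIAS}.${CLAIM." + BPK_CLAIM + "}", "target": "BROKER_ID"},
    }

# Constructed sample ID token payload: ID Austria claim names are flat keys containing dots.
SAMPLE_TOKEN = {"sub": "abc", BPK_CLAIM: "BF:example-bpk", ISSUING_NATION_CLAIM: "AT"}

if __name__ == "__main__":
    print(resolve_claim(SAMPLE_TOKEN, ISSUING_NATION_CLAIM))                 # None: read as nested path
    print(resolve_claim(SAMPLE_TOKEN, escape_claim(ISSUING_NATION_CLAIM)))   # AT
    print(json.dumps([attribute_importer("idaustria", ISSUING_NATION_CLAIM, "eid_issuing_nation"),
                      bpk_username_importer("idaustria")], indent=2))
```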
Last update: 2026-02-14