TLJH - SSO via Keycloak with IPA as the IdP

I’ve got JupyterHub stood up on a new Ubuntu VM and integrated the generic oauthenticator with Keycloak (happy to share configs if it helps someone). Keycloak is using IPA as the ID store. SSO into JupyterHub/Notebooks seems to work well except…

The users created on the JupyterHub VM are named Jupyter-XXX, and the user IDs are not coming from IPA; they seem to be local UIDs (1001 seems to be the starting number).

Is there a way to configure JupyterHub to pull this information from the claim coming from Keycloak? I’ve looked in the documentation, but don’t see anything relating to this.

I thought maybe I would go the PAMAuthenticator route, and I can log in as a user and get the correct ID this way, but the only Kerberos authenticator I see hasn’t been touched in over two years and I wasn’t able to get it to work for SSO.

Any pointers would be awesome.

Is Keycloak definitely passing a username to JupyterHub?

I believe so. The username configured on Jupyter by JupyterHub matches the correct user with the addition of Jupyter- in front of it.
When I run id(jupyter-) I see one ID, and when I run id() they are different UIDs.
I’ll try a capture today to see exactly what’s in the header coming from Keycloak.

Strangely I see the right information in the claim. I tested a theory and SSH’d into the Jupyter box with the user and then Jupyter seems to work correctly. Maybe I’m missing something in the configuration on how new users are created automatically?
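The UID comparison described above (`id jupyter-<user>` versus `id <user>`), as an added diagnostic script that is not part of this thread or of TLJH; it assumes TLJH simply prefixes the Hub username with `jupyter-` and resolves both names through the OS account database (local files or SSSD/IPA), with a constructed lookup table standing in for `pwd.getpwnam` so it can be run anywhere.

```python
import pwd
from typing import Callable, Optional

# Prefix TLJH puts in front of the Hub username when it creates a local
# system account (assumption: plain prefix, no length-based hashing).
TLJH_PREFIX = "jupyter-"


def system_username(hub_username: str) -> str:
    """Local account name TLJH would use for a Hub username."""
    return TLJH_PREFIX + hub_username


def lookup_uid(name: str, getpw: Callable = pwd.getpwnam) -> Optional[int]:
    """UID for `name` as the OS resolves it (local passwd or SSSD/IPA), or None if unknown."""
    try:
        return getpw(name).pw_uid
    except KeyError:
        return None


def check_uid_mapping(hub_username: str, getpw: Callable = pwd.getpwnam) -> dict:
    """Compare the TLJH-created account with the directory account of the same person.

    `consistent` is True only when both names resolve and share one UID, i.e.
    files written by the notebook server are owned by the IPA identity.
    """
    local_name = system_username(hub_username)
    local_uid = lookup_uid(local_name, getpw)
    directory_uid = lookup_uid(hub_username, getpw)
    return {
        "system_user": local_name,
        "local_uid": local_uid,
        "directory_uid": directory_uid,
        "consistent": local_uid is not None and local_uid == directory_uid,
    }


# Constructed sample account database mimicking the thread: TLJH handed
# "alice" a local UID starting at 1001 while IPA (via SSSD) serves a different one.
_SAMPLE_DB = {"jupyter-alice": 1001, "alice": 583600001}


def sample_getpw(name: str) -> pwd.struct_passwd:
    """Stand-in for pwd.getpwnam over the constructed table above."""
    if name not in _SAMPLE_DB:
        raise KeyError(name)
    return pwd.struct_passwd((name, "x", _SAMPLE_DB[name], _SAMPLE_DB[name], "", "/home/" + name, "/bin/bash"))


if __name__ == "__main__":
    print(check_uid_mapping("alice", sample_getpw))
```

Run it without the `sample_getpw` argument on the TLJH host to see the real mapping for a given Hub username.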

I can’t think what the problem is; maybe it’s specific to TLJH and the SystemdSpawner? I’ve got Keycloak working on Z2JH if you want to compare your configuration: