AAD/KeyCloak UPN vs email

[NickCorcoran]

Describe the issue Currently, the Gold KeyCloak service uses email as username, for users pulled from AAD. This should be modified to use UPN as it more accurately identifies the user account. Main issue is currently in the platform-services realm, but could extend past that.

Additional context OpenShift users with a UPN that differs from there email (limited number) have a username that does not accurately reflect the account they logged in with.

How does this benefit the users of our platform? Accurate account logging information.

Definition of done

• [x] Identify affected accounts (in platform-services realm)
• [x] Brainstorm ideas to resolve
• [x] create new attribute / pull UPN from AAD
• [x] Test out user account in Dev/Test
• [x] Identify impacts on connected applications (OCP, argocd, artifactory, rocketchat, platform registry, mautic, sysdig, vault)

[NickCorcoran]

Same KC ID used for accounts. May have to delete current accounts in target systems for upn to display as username. This may require re-mapping current authorizations to new account (using upn). Note written to affected users of change of attribute mapping.

[NickCorcoran]

Note sent to users. Another ticket to be created to track attribute change and username auth migrations.