Username Sub-Claim Mapping
Use this page to map authenticated identity claims to the runtime username used for Secure Remote Access target sessions.
This setting directly affects whether users can actually log in to target hosts after they authenticate to Akeyless.
Correct mapping helps you:
- Prevent avoidable session failures caused by username resolution mismatch.
- Keep access behavior consistent across SSH and RDP workflows.
- Maintain cleaner audit trails by aligning identity claims with expected target usernames.
Why Mapping Matters
When SRA opens SSH or RDP sessions that rely on an externally provided username, Gateway configuration determines which identity claim is used to resolve that username.
Incorrect claim mapping can cause valid users to authenticate successfully but fail target login authorization.
Mapping Controls
The primary controls are:
- --rdp-target-configuration
- --ssh-target-configuration
These flags specify the claim name (for example, email) that should be used as the username source for the corresponding session type.
CLI Examples
Configure both SSH and RDP mapping:
akeyless gateway update remote-access \
--rdp-target-configuration email \
--ssh-target-configuration email \
--gateway-url https://<YOUR_AKEYLESS_GW_URL>:8000
Configure only SSH mapping:
akeyless gateway update remote-access \
--ssh-target-configuration email \
--gateway-url https://<YOUR_AKEYLESS_GW_URL>:8000
For complete flag behavior, see CLI Reference - Gateway Secure Remote Access.
Authentication Source Considerations
For SAML and OIDC flows, use a claim that is consistently present in your IdP token assertions.
When the selected claim is missing for a user, the target username cannot be derived from that claim, and connection establishment can fail.
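One way to check claim coverage before changing the mapping, shown as an added example that is not Akeyless code: it decodes a batch of OIDC ID tokens offline and reports which subjects lack a usable value for the chosen claim. The function names and sample tokens are constructed for illustration, and it assumes only a non-empty string value can serve as a username; how the Gateway treats other value types is not stated on this page.

```python
import base64
import json

def decode_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying the signature.
    For offline inspection of claim contents only, never for authentication."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_claim(tokens: list[str], claim: str) -> dict:
    """Classify each token by whether `claim` can serve as a username source."""
    report = {"usable": {}, "missing": [], "unusable": []}
    for token in tokens:
        claims = decode_claims(token)
        subject = claims.get("sub", "<no sub>")
        if claim not in claims:
            report["missing"].append(subject)
            continue
        value = claims[claim]
        # Assumption: a list, number, or blank string cannot resolve to one username.
        if not isinstance(value, str) or not value.strip():
            report["unusable"].append(subject)
        else:
            report["usable"][subject] = value
    return report

def _make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed sample data, not real IdP output.
SAMPLE_TOKENS = [
    _make_token({"sub": "u-1001", "email": "alice@example.com"}),
    _make_token({"sub": "u-1002", "name": "Bob"}),               # claim absent
    _make_token({"sub": "u-1003", "email": ""}),                 # claim empty
    _make_token({"sub": "u-1004", "email": ["c@example.com"]}),  # multi-valued
]

if __name__ == "__main__":
    print(json.dumps(audit_claim(SAMPLE_TOKENS, "email"), indent=2))
```

Subjects listed under missing or unusable are the users who would authenticate but have no username derivable from that claim. SAML assertions are XML and need a different decoder.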
Operational Guidance
- Choose a stable claim that is consistently issued by the IdP.
- Validate mapping against both SSH and RDP test sessions.
- Avoid claim names that vary across identity providers or environments.
- Revalidate mapping after IdP schema or claim policy changes.
