diff --git a/providers/keycloak.go b/providers/keycloak.go
index f6c74880..66eda948 100644
--- a/providers/keycloak.go
+++ b/providers/keycloak.go
@@ -47,6 +47,7 @@ var (
 }
 )
 
+// NewKeycloakProvider creates a KeyCloakProvider using the passed ProviderData
 func NewKeycloakProvider(p *ProviderData) *KeycloakProvider {
 p.setProviderDefaults(providerDefaults{
 name: keycloakProviderName,
@@ -59,8 +60,16 @@ func NewKeycloakProvider(p *ProviderData) *KeycloakProvider {
 return &KeycloakProvider{ProviderData: p}
 }
 
+// EnrichSession uses the Keycloak userinfo endpoint to populate the session's
+// email and groups.
 func (p *KeycloakProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error {
- json, err := requests.New(p.ValidateURL.String()).
+ // Fallback to ValidateURL if ProfileURL not set for legacy compatibility
+ userinfoURL := p.ValidateURL.String()
+ if p.ProfileURL != nil {
+ userinfoURL = p.ProfileURL.String()
+ }
+
+ json, err := requests.New(userinfoURL).
 WithContext(ctx).
 SetHeader("Authorization", "Bearer "+s.AccessToken).
 Do().
diff --git a/providers/keycloak_test.go b/providers/keycloak_test.go
index b3920810..7c0b457b 100644
--- a/providers/keycloak_test.go
+++ b/providers/keycloak_test.go
@@ -131,6 +131,10 @@ var _ = Describe("Keycloak Provider Tests", func() {
 Scheme: "https",
 Host: "example.com",
 Path: "/oauth/token"},
+ ProfileURL: &url.URL{
+ Scheme: "https",
+ Host: "example.com",
+ Path: "/api/v3/user"},
 ValidateURL: &url.URL{
 Scheme: "https",
 Host: "example.com",
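Review bot: In EnrichSession (providers/keycloak.go), the `p.ProfileURL != nil` test probably does not detect an unset ProfileURL, so the legacy fallback to ValidateURL may never be taken. The assertion this commit removes from keycloak_test.go called `providerData.ProfileURL.String()` and expected `""`, which suggests the defaults leave a non-nil, empty URL in place; in that case the bearer request is built against an empty URL and session enrichment fails for deployments that only configure ValidateURL. Comparing the rendered value is safer: `if p.ProfileURL != nil && p.ProfileURL.String() != "" {`. Separately, `p.ValidateURL.String()` is now evaluated even when ProfileURL is set, so a nil ValidateURL would panic unless setProviderDefaults guarantees it is non-nil; that call is only partly visible here. The function body continues past the end of the hunk.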
@@ -141,7 +145,7 @@ var _ = Describe("Keycloak Provider Tests", func() {
 Expect(providerData.ProviderName).To(Equal("Keycloak"))
 Expect(providerData.LoginURL.String()).To(Equal("https://example.com/oauth/auth"))
 Expect(providerData.RedeemURL.String()).To(Equal("https://example.com/oauth/token"))
- Expect(providerData.ProfileURL.String()).To(Equal(""))
+ Expect(providerData.ProfileURL.String()).To(Equal("https://example.com/api/v3/user"))
 Expect(providerData.ValidateURL.String()).To(Equal("https://example.com/api/v3/user"))
 Expect(providerData.Scope).To(Equal("profile"))
 })
@@ -174,7 +178,7 @@ var _ = Describe("Keycloak Provider Tests", func() {
 DescribeTable("should return expected results",
 func(in enrichSessionTableInput) {
 var err error
- p.ValidateURL, err = url.Parse(
+ p.ProfileURL, err = url.Parse(
 fmt.Sprintf("%s%s?testcase=%s", b.URL, keycloakUserinfoPath, in.testcase),
 )
 Expect(err).To(BeNil())
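Review bot: Switching the EnrichSession table setup from `p.ValidateURL` to `p.ProfileURL` leaves the legacy fallback branch untested: no case visible here runs with ProfileURL unset and only ValidateURL pointing at the test server. That branch decides which endpoint receives the user's access token, so it deserves its own entry, for example one that leaves ProfileURL as the provider defaults would and sets `p.ValidateURL` to the `b.URL` userinfo path, asserting the same email and groups. The DescribeTable body continues outside the hunk, so a case further down may already cover this.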