diff --git a/connector/openshift/openshift.go b/connector/openshift/openshift.go
index 4519a85b6df..0107ad91267 100644
--- a/connector/openshift/openshift.go
+++ b/connector/openshift/openshift.go
@@ -31,6 +31,9 @@ type Config struct {
 Groups []string `json:"groups"`
 InsecureCA bool `json:"insecureCA"`
 RootCA string `json:"rootCA"`
+ // If this is set, the email claim will have this domain appended.
+ // This should not include the @ character.
+ EmailSuffix string `json:"emailSuffix"`
 }
 var (
@@ -50,6 +53,7 @@ type openshiftConnector struct {
 insecureCA bool
 rootCA string
 groups []string
+ emailSuffix string
 }
 type user struct {
@@ -101,6 +105,7 @@ func (c *Config) OpenWithHTTPClient(id string, logger *slog.Logger,
 rootCA: c.RootCA,
 groups: c.Groups,
 httpClient: httpClient,
+ emailSuffix: c.EmailSuffix,
 }
 var metadata struct {
@@ -211,11 +216,16 @@ func (c *openshiftConnector) identity(ctx context.Context, s connector.Scopes,
 }
 }
+ email := user.Name
+ if c.emailSuffix != "" {
+ email = email + "@" + c.emailSuffix
+ }
+
 identity = connector.Identity{
 UserID: user.UID,
 Username: user.Name,
 PreferredUsername: user.Name,
- Email: user.Name,
+ Email: email,
 Groups: user.Groups,
 }
diff --git a/connector/openshift/openshift_test.go b/connector/openshift/openshift_test.go
index 89ec0e25a9f..9ec4b425e7b 100644
--- a/connector/openshift/openshift_test.go
+++ b/connector/openshift/openshift_test.go
@@ -170,7 +170,7 @@ func TestCallbackIdentity(t *testing.T) {
 expectNil(t, err)
- oc := openshiftConnector{apiURL: s.URL, httpClient: h, oauth2Config: &oauth2.Config{
+ oc := openshiftConnector{apiURL: s.URL, httpClient: h, emailSuffix: "test.example.com", oauth2Config: &oauth2.Config{
 Endpoint: oauth2.Endpoint{
 AuthURL: fmt.Sprintf("%s/oauth/authorize", s.URL),
 TokenURL: fmt.Sprintf("%s/oauth/token", s.URL),
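Review bot: The comment on `EmailSuffix` in the Config hunk does not say that the resulting address is constructed by the connector rather than obtained from OpenShift, which matters to anyone who links accounts by email downstream. The identity literal in the hunk at line 216 does not set `EmailVerified`, so that field keeps its zero value; the field comment should state this, for example `// EmailSuffix, when set, is appended to the user name as "@<suffix>" to form the email claim.` followed by `// The address is synthesized and not verified; leave empty to keep the user name as the email.` Starting the comment with the field name also matches Go doc-comment convention.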
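Review bot: `emailSuffix: c.EmailSuffix` copies the configured value unchecked, so the rule stated in the Config comment (no `@` character) is documentation only. A suffix such as `@example.com`, or one carrying stray whitespace, would yield a malformed email claim for every user of the connector, and a client that parses such an address may attribute it to a different domain than the operator intended. Rejecting the value when the connector is opened is cheap: before building the connector, return a configuration error if `strings.ContainsAny(c.EmailSuffix, "@ \t")` (this needs the `strings` package if the file does not already import it). The body of OpenWithHTTPClient starts and ends outside this hunk, so an existing validation step may simply not be visible here.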
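Review bot: The suffix is appended to `user.Name` in the `if c.emailSuffix != ""` block without checking what the name already contains. If an OpenShift user name can itself contain `@` (names provisioned from an external identity provider are sometimes email addresses; not visible from this hunk), the claim becomes `name@domain@suffix`, and consumers differ on which `@` they treat as the separator, which is risky wherever authorization is keyed on the email domain. Consider guarding the append with `if c.emailSuffix != "" && !strings.Contains(user.Name, "@") {`, or failing the login for such names, and document whichever behaviour is chosen. The identity method starts and ends outside the hunk.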
@@ -182,7 +182,7 @@ func TestCallbackIdentity(t *testing.T) {
 expectEquals(t, identity.UserID, "12345")
 expectEquals(t, identity.Username, "jdoe")
 expectEquals(t, identity.PreferredUsername, "jdoe")
- expectEquals(t, identity.Email, "jdoe")
+ expectEquals(t, identity.Email, "jdoe@test.example.com")
 expectEquals(t, len(identity.Groups), 1)
 expectEquals(t, identity.Groups[0], "users")
 }
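Review bot: Setting `emailSuffix` on the connector built in TestCallbackIdentity (hunk at line 170) and replacing the assertion here removes the visible coverage of the default path, where no suffix is configured and `Email` must stay equal to the user name. Existing deployments rely on that default, so a regression there would silently change the email claim for every user. Keep the original assertion `expectEquals(t, identity.Email, "jdoe")` in a second case that leaves `emailSuffix` empty, alongside the new one. The test function starts and ends outside both test hunks, so other cases in the file may already cover this.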