diff --git a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenGroupSyncProcessor.java b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenGroupSyncProcessor.java
index 4a2dcf1..673a1dc 100644
--- a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenGroupSyncProcessor.java
+++ b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenGroupSyncProcessor.java
@@ -171,11 +171,11 @@ public class KeycloakTokenGroupSyncProcessor implements TokenProcessor, Initiali
         if (this.syncGroupMembershipOnLogin)
         {
             AuthenticationUtil.runAsSystem(() -> this.transactionService.getRetryingTransactionHelper().doInTransaction(() -> {
-                boolean changed = this.syncGroupMemberships(groups);
+                boolean changed = this.syncGroupMemberships(accessToken.getPreferredUsername(), groups);
                 if (changed) {
                     String ticket = this.authenticationService.getCurrentTicket();
                     if (ticket != null) {
-                        LOGGER.debug("Invalidating Alflresco ticket as group membership changed: {}", ticket);
+                        LOGGER.debug("Invalidating Alfresco ticket as group membership changed: {}", ticket);
                         this.authenticationService.invalidateTicket(ticket);
                     }
                 }
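Review bot: `accessToken.getPreferredUsername()` is handed to `syncGroupMemberships` without a null check, and the same claim is read again, also unchecked, in the two KeycloakTokenPersonProcessor hunks (`setFullyAuthenticatedUser` and the new `username` local in `updatePerson`). If the `preferred_username` claim is not present in the token, the value that previously came from `getFullyAuthenticatedUser()` is presumably replaced by a null that then reaches `maskUsername`, `getContainingAuthorities` and `getPerson`. Resolving the claim once and failing fast keeps the three call sites consistent: `final String username = Objects.requireNonNull(accessToken.getPreferredUsername(), "preferred_username claim missing from access token");`. The enclosing method of this hunk starts before it, so whether the claim is already validated upstream cannot be seen here.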
@@ -243,15 +243,14 @@ public class KeycloakTokenGroupSyncProcessor implements TokenProcessor, Initiali
      *            the Alfresco group authorities as determined from the Keycloak access token for the current user
      * @return true if group membership changed
      */
-    protected boolean syncGroupMemberships(final Collection groups)
+    protected boolean syncGroupMemberships(String username, final Collection groups)
     {
-        final String userName = AuthenticationUtil.getFullyAuthenticatedUser();
-        final String maskedUsername = AlfrescoCompatibilityUtil.maskUsername(userName);
+        final String maskedUsername = AlfrescoCompatibilityUtil.maskUsername(username);
         boolean changed = false;
         LOGGER.debug("Synchronising group membership for user {} and token extracted groups {}", maskedUsername, groups);
-        final Set existingUnprocessedGroups = this.authorityService.getContainingAuthorities(AuthorityType.GROUP, userName, true);
+        final Set existingUnprocessedGroups = this.authorityService.getContainingAuthorities(AuthorityType.GROUP, username, true);
         LOGGER.debug("User {} is currently in the groups {}", maskedUsername, existingUnprocessedGroups);
@@ -261,7 +260,7 @@ public class KeycloakTokenGroupSyncProcessor implements TokenProcessor, Initiali
             if (!existingUnprocessedGroups.remove(group) && this.authorityService.authorityExists(group))
             {
                 LOGGER.debug("Adding user {} to group {}", maskedUsername, group);
-                this.authorityService.addAuthority(group, userName);
+                this.authorityService.addAuthority(group, username);
                 changed = true;
             }
         }
@@ -269,7 +268,7 @@ public class KeycloakTokenGroupSyncProcessor implements TokenProcessor, Initiali
         for (final String group : existingUnprocessedGroups)
         {
             LOGGER.debug("Removing user {} from group {}", maskedUsername, group);
-            this.authorityService.removeAuthority(group, userName);
+            this.authorityService.removeAuthority(group, username);
             changed = true;
         }
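Review bot: The new `username` parameter of `syncGroupMemberships` has no `@param` entry in the Javadoc directly above the signature, while `groups` keeps its description, and it is the only parameter in the signature not declared `final`. Suggest adding `@param username the Alfresco user name whose group memberships are synchronised` to the Javadoc and changing the signature to `protected boolean syncGroupMemberships(final String username, final Collection groups)`. The Javadoc block begins before the hunk, so the existing `@param groups` line itself is not visible here.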
diff --git a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenPersonProcessor.java b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenPersonProcessor.java
index 5c11b6b..fb64e2c 100644
--- a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenPersonProcessor.java
+++ b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenPersonProcessor.java
@@ -151,6 +151,8 @@ public class KeycloakTokenPersonProcessor implements TokenProcessor, Initializin
                 this.updatePerson(accessToken, idToken);
                 return null;
             }, false, requiresNew);
+
+            AuthenticationUtil.setFullyAuthenticatedUser(accessToken.getPreferredUsername());
         }
     }
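Review bot: `AuthenticationUtil.setFullyAuthenticatedUser(accessToken.getPreferredUsername())` changes the Alfresco security context as a side effect of a person-update processor, but nothing at the call site says why it belongs here; the motivation is only visible from the companion hunk in `updatePerson`, which stops reading the user from that context and takes it from the token instead. A short comment at the call, e.g. `// the security context is now written here from the token claim rather than read by updatePerson`, would make that ordering dependency explicit for whoever touches either processor next. The enclosing method starts before the hunk, so it is not visible whether the surrounding condition already guarantees a non-null `preferred_username` claim before the context is set.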
@@ -164,16 +166,16 @@ public class KeycloakTokenPersonProcessor implements TokenProcessor, Initializin
      */
     protected void updatePerson(final AccessToken accessToken, final IDToken idToken)
     {
-        final String userName = AuthenticationUtil.getFullyAuthenticatedUser();
+        final String username = accessToken.getPreferredUsername();
-        LOGGER.debug("Mapping person property updates for user {}", AlfrescoCompatibilityUtil.maskUsername(userName));
+        LOGGER.debug("Mapping person property updates for user {}", AlfrescoCompatibilityUtil.maskUsername(username));
-        final NodeRef person = this.personService.getPerson(userName);
+        final NodeRef person = this.personService.getPerson(username);
         final Map updates = new HashMap<>();
         this.userProcessors.forEach(processor -> processor.mapUser(accessToken, idToken != null ? idToken : accessToken, updates));
-        LOGGER.debug("Determined property updates for person node of user {}", AlfrescoCompatibilityUtil.maskUsername(userName));
+        LOGGER.debug("Determined property updates for person node of user {}", AlfrescoCompatibilityUtil.maskUsername(username));
         final Set propertiesToRemove = updates.keySet().stream().filter(k -> updates.get(k) == null).collect(Collectors.toSet());
         updates.keySet().removeAll(propertiesToRemove);