Hello,


I have a Java application that talks OpenID Connect with Keycloak, and then Keycloak uses the SAML 2.0 Identity Provider to redirect to a 3rd party SAML IdP, acting as an identity broker.


So far so good, I can log in to my application with a user existing in the 3rd party IdP. Great! But where I am a bit stuck is when I try to map attributes in the SAML response from the IdP.


Basically, I would like Keycloak to populate the roles in the access token that my application gets in the web request with the information coming in the SAML attribute. In other words, I want the 3rd party SAML IdP to decide what role/s should be assigned to the user.


Is my assumption correct that all I need is the attribute importer mapper in the SAML provider to do this? So far I could not get it to work :( What is the appropriate way to do this?


Thank you!


Manuel Palacio
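The following is an added illustration of the brokering flow the post describes; it is not code from Keycloak or from the poster. It shows the shape of the rule a Keycloak "SAML Attribute to Role" identity-provider mapper (type id `saml-role-idp-mapper`, config keys `attribute.name`, `attribute.value`, `role`) applies: one fixed realm role is granted when a named SAML attribute carries an exact expected value, so a role string chosen freely by the external IdP is never granted as-is. The SAML response, the IdP alias `corp-saml` and the group and role names are constructed for the example; the admin REST path and the `syncMode` value are assumed to match a current Keycloak release.

```python
"""Attribute-to-role brokering, Keycloak style: each rule grants one fixed
role when a named SAML attribute carries an exact expected value. Anything
the external IdP sends that matches no rule grants nothing.

Added example, not Keycloak or poster code. The SAML response below is
constructed; group/role names and the IdP alias are hypothetical; the
mapper id and config keys are those of Keycloak's saml-role-idp-mapper.
"""
import xml.etree.ElementTree as ET  # use defusedxml in production; plain ET is not hardened against entity-expansion attacks

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response with a multi-valued "groups" attribute.
# Signature handling is left out: Keycloak validates the assertion
# signature before any identity-provider mapper runs.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>finance-readers</saml:AttributeValue>
        <saml:AttributeValue>realm-admin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="department">
        <saml:AttributeValue>finance</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# One rule per Keycloak mapper instance (hypothetical group and role names).
ROLE_RULES = [
    {"attribute.name": "groups", "attribute.value": "finance-readers", "role": "report-viewer"},
    {"attribute.name": "groups", "attribute.value": "finance-approvers", "role": "report-approver"},
]


def mapper_representation(idp_alias, name, rule):
    """JSON body for POST /admin/realms/{realm}/identity-provider/instances/{alias}/mappers.

    syncMode FORCE (newer Keycloak releases) re-evaluates the rule at every
    login, so a user removed from the group on the IdP side loses the role.
    """
    return {
        "name": name,
        "identityProviderAlias": idp_alias,
        "identityProviderMapper": "saml-role-idp-mapper",
        "config": {
            "syncMode": "FORCE",
            "attribute.name": rule["attribute.name"],
            "attribute.value": rule["attribute.value"],
            "role": rule["role"],
        },
    }


def saml_attributes(response_xml):
    """Collect AttributeStatement values as {attribute name: [values]}."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def roles_for(attrs, rules):
    """Apply the allow-list rules; attribute values with no rule grant nothing."""
    return {r["role"] for r in rules if r["attribute.value"] in attrs.get(r["attribute.name"], [])}


if __name__ == "__main__":
    attrs = saml_attributes(SAMPLE_RESPONSE)
    print(attrs)
    # {'report-viewer'}: the IdP-supplied "realm-admin" value matches no rule and is ignored
    print(roles_for(attrs, ROLE_RULES))
    for i, rule in enumerate(ROLE_RULES):
        print(mapper_representation("corp-saml", f"groups-to-role-{i}", rule))
```

The point to keep in mind when choosing between mapper types: an attribute importer copies the IdP's attribute value onto the user, whereas an attribute-to-role rule like the one above grants a role the realm already defines, so role assignment stays under the broker's control even when the upstream IdP is compromised or misconfigured.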