On Keycloak 3.4.3 I'm trying to use a "SAML Attribute to Role" role mapper to extract roles from a "roles" attribute sent by an external SAML IdP. I know that the attribute has values as when I try to map it to a user attribute I get an exception that the user attribute cannot be saved, because the value exceeds the maximum length of 256. What I don't know is whether the roles are sent in 1 - one attribute with multiple values, 2 - multiple attributes with one value or 3 - one attribute with one concatenated value. I guess looking at the code that only 2 would work, 3 would be unusual, but 1 should work as well. Can anyone share his experience with this? At the moment none of my roles get applied. Thanks, Michael This message may contain confidential information. If you are not the intended recipient, do not disseminate, distribute, or copy this e-mail or its attachments. Please notify the sender of the error immediately by e-mail or at the telephone number listed below, and delete this e-mail and any attachments from your system. Receipt by anyone other than the intended recipient(s) is not a waiver of any trade secrets, proprietary interests, or other applicable rights. E-mail transmission is not necessarily secure or error-free, as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or may contain viruses. The sender disclaims all liability for any errors or omissions arising as a result of the e-mail transmission. OEConnection LLC, (888) 776-5792, www.oeconnection.com