If you look at the "Mappers" tab when you are in the identity provider in
the admin console, you can see we have some built-in implementations of
IdentityProviderMapper, which allow you to map the stuff from the IDP into
Keycloak. If none of the built-in ones is sufficient for you, you can try to
create a JIRA or implement your own mapper.
Marek
On 27/09/16 12:16, Manuel Palacio wrote:
Hello,
I have a Java application that talks openid-connect with Keycloak and
then Keycloak uses the SAML 2.0 Identity provider to redirect to a
3rd party SAML idp, acting as an identity broker.
So far so good, I can log in to my application with a user existing
in the 3rd party idp. Great! But where I am a bit stuck is when I try
to map attributes in the SAML response from the idp.
Basically, I would like Keycloak to populate the roles in the access
token that my application gets in the web request with the information
coming in the SAML attribute. In other words, I want the 3rd party
SAML idp to decide what role/s should be assigned to the user.
Is my assumption correct that all I need is the attribute importer
mapper in the SAML provider to do this? So far I could not get it to
work :( What is the appropriate way to do this?
Thank you!
Manuel Palacio