I’m configuring Keycloak with AWS IAM federation. It failed because the https://aws.amazon.com/SAML/Attributes/Role assertion includes not only my IAM role but also keycloak default realm roles as well (default-roles-master, offline_access etc.)
How do I make it so that the assertion only include my CLIENT roles and NOT REALM roles?
I’m running Keycloak 19 and there is no “Full scope allowed” toggle for me to do this.