Don't include REALM roles in SAML

I’m configuring Keycloak with AWS IAM federation. It failed because the assertion includes not only my IAM role but also Keycloak default realm roles as well (default-roles-master, offline_access, etc.).

How do I make it so that the assertion only includes my CLIENT roles and NOT REALM roles?

I’m running Keycloak 19 and there is no “Full scope allowed” toggle for me to do this.

Solved it. The problem is that the USER role mappings are being sent in the SAML assertion.
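
To see which role values an assertion actually carries, the following added example (not part of the original thread) splits the values of the AWS Role attribute into ARN pairs and everything else, such as `default-roles-master` or `offline_access`. The function name `audit_role_values` is hypothetical, and the sample assertion, account ID, role name and provider name are constructed.

```python
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
ARN = r"arn:aws[\w-]*:iam::\d{12}:"
ROLE, PROVIDER = ARN + r"role/[\w+=,.@/-]+", ARN + r"saml-provider/[\w.-]+"
# Each value must be a "role ARN,provider ARN" pair; this check tolerates either order.
AWS_ROLE_VALUE = re.compile(rf"^(?:{ROLE},{PROVIDER}|{PROVIDER},{ROLE})$")


def audit_role_values(assertion_xml):
    """Split the AWS Role attribute values into (accepted, unexpected).

    Diagnostic only: no signature validation, so run it on an assertion
    captured from your own test login, not on untrusted input.
    """
    accepted, unexpected = [], []
    # An IdP may emit one Attribute with many values or one Attribute per role.
    for attr in ET.fromstring(assertion_xml).iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for value in attr.iter(f"{{{SAML}}}AttributeValue"):
            text = (value.text or "").strip()
            (accepted if AWS_ROLE_VALUE.match(text) else unexpected).append(text)
    return accepted, unexpected


# Constructed sample (account ID, role and provider names are placeholders).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}">
 <saml:AttributeStatement>
  <saml:Attribute Name="{AWS_ROLE_ATTR}">
   <saml:AttributeValue>arn:aws:iam::123456789012:role/ExampleRole,arn:aws:iam::123456789012:saml-provider/example-idp</saml:AttributeValue>
   <saml:AttributeValue>default-roles-master</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{AWS_ROLE_ATTR}">
   <saml:AttributeValue>offline_access</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    ok, extra = audit_role_values(SAMPLE_ASSERTION)
    print("accepted:", ok)
    print("unexpected (realm/default roles leaking in):", extra)
```

An empty `unexpected` list after changing the role mappings confirms that only IAM role pairs remain in the assertion.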