Identity Broker - Role mapping

Hi everyone,

First post here so please feel free to redirect as necessary.

Use case:

I operate Keycloak as an OIDC IAM with realm roles for our microservices and application roles for our front-end. This is all working; I can see and use the “realm_access” and “resource-access” within the JWT, no problems.

I am now trying to allow a third-party access to (some) of our services using Identity Broker(ing). I have setup a (test) Okta realm as an OIDC Identity Provider and can successfully get authenticated; the (foreign domain) user is setup in Keycloak with the relevant “Identity Provider Link”. Again, so far so good.


I’m unclear what is best / correct approach to map (local) realm roles when using a foreign IdP (Okta). I can see that I can configure various mappers under “Identity Providers \ \ Mappers”, including a “Claim to Role” mapper which seems like the best fit.

I’m struggling to get this to this to work with Okta; am trying to use a “groups” scope; somewhat unsuccessfully. Note: this is not a reflection on Okta, I’m just not sure I have the correct approach.


  1. Is the “Claim to Role” mapper the best / correct approach to mapping third-party IdP ID tokens to local Realm roles
  2. Is there some better / alternative method that I should be using instead (perhaps using scopes from the IdP or similar)?

Thanks in advance



Did you manage to solve this?
I am in a similar situation.
Trying to get Github organization Roles to map them to keycloak roles.
Not sure how I can get the roles in keycloak 17.0.0 though.