Hi all,
I’m using Keycloak 9.0.2 and trying to set up SSO for AWS using the SAML client protocol.
I’ve configured a SAML aws client, a role for this client and a few mappers.
But if I configure a mapper of type Role List
as in the picture below:
I am seeing all realm roles in the SAML response being mapped, e.g. SAML response:
<saml:Attribute FriendlyName="Session Role" Name="https://aws.amazon.com/SAML/Attributes/Role"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
    manage-events
  </saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
    manage-realm
  </saml:AttributeValue>
  ...
</saml:Attribute>
I was expecting that only roles for this client would be mapped. Am I doing something wrong, or is this expected?
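Not part of the original post: an added Python check that parses an assertion shaped like the one above and reports every Role attribute value that is not an AWS role/provider ARN pair, which is how leaked realm roles such as `manage-events` show up. It assumes AWS's documented `role-ARN,saml-provider-ARN` value format; the account id, role name and provider name are constructed samples.

```python
"""Lint the AWS Role attribute of a SAML assertion for values AWS cannot use."""
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
# AWS expects "<role ARN>,<saml-provider ARN>" per value (assumed documented
# format). Role names may carry IAM path segments; provider names are plainer.
ARN_PAIR = re.compile(
    r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+,"
    r"arn:aws:iam::\d{12}:saml-provider/[\w.-]+$"
)

# Constructed assertion fragment modelled on the one in the post; the
# account id 123456789012 and the names below are samples, not real values.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="Session Role" Name="{AWS_ROLE_ATTR}"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>manage-events</saml:AttributeValue>
      <saml:AttributeValue>manage-realm</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/keycloak</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def role_attribute_values(assertion_xml: str) -> list:
    """Stripped text of every AttributeValue under the AWS Role attribute."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            values.append((val.text or "").strip())
    return values


def unexpected_role_values(assertion_xml: str) -> list:
    """Values that are not an AWS role/provider pair: Keycloak roles leaking through."""
    return [v for v in role_attribute_values(assertion_xml) if not ARN_PAIR.match(v)]


if __name__ == "__main__":
    for v in unexpected_role_values(SAMPLE_ASSERTION):
        print("not an AWS role/provider pair:", v)
```

Run it against a decoded SAMLResponse captured from your own test login to see exactly which realm roles the Role List mapper is emitting.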