SAML response Role Attribute containing (unexpected?) AttributeValue roles

That’s interesting. Where did you store your roles in that specific AWS format? LDAP, Keycloak?

I’ve stored it in the Role Name Mapper, so in Keycloak. I had one custom role which I’ve connected to this mapper. I know it’s hackish, but I just wanted to make it work somehow. But anyhow, as I do need to create roles based on LDAP groups, your suggestion for a scripted mapper was what I needed.

A scripted mapper doesn’t help you with unwanted roles. You need to have realm roles disabled (Full Scope Allowed: Off); maybe they are defined/assigned as client roles.
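For reference, here is an added example (not code from either poster) of the mapping logic a Keycloak SAML script mapper could run to build AWS-format Role attribute values from a user's LDAP/Keycloak groups, as suggested in the previous two posts. The account id, SAML provider name and group names are constructed placeholders; the Keycloak wiring in the commented block (a `user` binding exposing `getGroupsStream()`, and the mapper reading its result from `exports`) is an assumption about the script mapper API, not something stated in the thread. The allow-list keeps stray groups out of the attribute, but it does not address roles injected by the realm role scope, which is the separate Full Scope Allowed setting.

```javascript
// Added example (not from the thread): group-to-AWS-role mapping of the kind a
// Keycloak SAML "Script Mapper" would run. All ids and names are placeholders.

// Constructed allow-list: only these group names map to AWS roles. Anything not
// listed is dropped, so unexpected groups never turn into AttributeValues.
const GROUP_TO_AWS_ROLE = {
  "aws-admins": "AdminRole",
  "aws-readonly": "ReadOnlyRole",
};

// AWS expects each AttributeValue of https://aws.amazon.com/SAML/Attributes/Role
// as "arn:aws:iam::<account>:role/<Role>,arn:aws:iam::<account>:saml-provider/<Provider>".
function awsRoleValue(accountId, roleName, providerName) {
  return "arn:aws:iam::" + accountId + ":role/" + roleName +
    ",arn:aws:iam::" + accountId + ":saml-provider/" + providerName;
}

// groupNames: the user's group names (e.g. as imported from LDAP).
// Returns a sorted, de-duplicated list of AttributeValue strings; groups that
// are not in the allow-list are ignored.
function awsRolesForGroups(groupNames, accountId, providerName) {
  const values = new Set();
  for (const g of groupNames) {
    const role = GROUP_TO_AWS_ROLE[g];
    if (role) values.add(awsRoleValue(accountId, role, providerName));
  }
  return Array.from(values).sort();
}

// Assumed wiring inside Keycloak's SAML script mapper: the mapper exposes a
// `user` binding and takes the script result from `exports`; an array becomes
// one <AttributeValue> per element. Kept commented out so the file runs in node.
/*
var names = [];
user.getGroupsStream().forEach(function (g) { names.push(g.getName()); });
exports = awsRolesForGroups(names, "123456789012", "Keycloak");
*/
```

Usage: call `awsRolesForGroups(["aws-readonly", "hr-staff"], "123456789012", "Keycloak")` and you get a single ReadOnlyRole ARN pair; the unlisted "hr-staff" group is silently dropped rather than surfacing as an unexpected role value.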

That was indeed the issue for the unwanted roles.

Thank you for help!