Token Exchange for Identity Provider SAML

Dear Team,
We are trying to setup Keycloak to authenticate user with Organisations IDP [ ex [

One Identity

In order to access our API’s we have done RBAC based.
Can you guide, do we have to create users in our realms too , if so is it possible to take attributes from SAML response to this
Post authentication with IDP, will we able to get roles configured in our realms automatically in access token?

Kindly suggest how to do Authorization Token when Authentication happens at external IDP via keycloak

Take a look at the documentation for claim mappers. Depending on how your SAML IdP is set up to return claims, you should be able to map those claims to roles:
https://www.keycloak.org/docs/latest/server_admin/#_mappers
If I’m not understanding what you’re asking for, please clarify your question.


Ref_Microservice_Security_Prabhath_Siriwerdena

Please find scenarios ,where we have different users,
User belong to tenant who has IDP, we have to authenticate via it’s IDP
who doesnt have idp, we have to maintain in our side the authentication.
Users might have multiple authentication factor configured too.

How do we do all these combinations, should we have to different realm for different users and tenant combination.