Unable to get SAML Attribute to Role Mapper working

Hi All,

I am using Keycloak 8.0.1 and I have used the SAML2.0 Identity Provider integration to integration with PingOne. Authentication is working just fine but I am having some trouble getting the SAML Attribute to Role Mapper working.

From the AuthResponse I can see that the Attribute is sent correctly to keycloak.

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role"><saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">netadmin</saml:AttributeValue>

My attribute mapper has been configured as follows

But after login when I check the users role mappings the role is not granted to that user. Note that I do have attribute mapping for other attributes like firstName, lastName and email working just fine.

Any ideas on what I may be doing wrong are greatly appreciated.


If I’m correct, Attribute Name must be filled with “role”. (not friendly name)

1 Like

Thanks @maartenvds you are absolutely right.