I am using Keycloak 8.0.1 and I have used the SAML2.0 Identity Provider integration to integrate with PingOne. Authentication is working just fine but I am having some trouble getting the SAML Attribute to Role Mapper working.
From the AuthResponse I can see that the Attribute is sent correctly to Keycloak.
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role"><saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">netadmin</saml:AttributeValue>
My attribute mapper has been configured as follows
But after login, when I check the user's role mappings, the role is not granted to that user. Note that I do have attribute mapping for other attributes like firstName, lastName and email working just fine.
Any ideas on what I may be doing wrong are greatly appreciated.
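
Added example, not part of the original post and not Keycloak's own code: a Python check that reads the attributes out of a decoded SAML response and compares them with a mapper's attribute name, friendly name and value, flagging case or whitespace near-misses. The function names, the exact case-sensitive comparison, and the `AttributeStatement` wrapper around the posted attribute are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attribute from the post, wrapped in an AttributeStatement.
# For responses from an untrusted source, parse with a hardened parser such as defusedxml.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role">
    <saml:AttributeValue xsi:type="xs:string"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">netadmin</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def read_attributes(xml_text):
    """Return [(Name, FriendlyName, [values])] for every saml:Attribute found."""
    root = ET.fromstring(xml_text)
    found = []
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        found.append((attr.get("Name"), attr.get("FriendlyName"), values))
    return found


def check_mapper(attributes, name=None, friendly_name=None, value=""):
    """Return (matched, findings) for one mapper configuration.

    Assumption: the mapper matches on Name or FriendlyName and then needs an
    exact, case-sensitive value match. Findings list near-misses only.
    """
    findings = []
    for a_name, a_friendly, values in attributes:
        name_hit = (name and name == a_name) or (friendly_name and friendly_name == a_friendly)
        if not name_hit:
            for want, got in ((name, a_name), (friendly_name, a_friendly)):
                if want and got and want.strip().lower() == got.strip().lower():
                    findings.append(f"name near-miss: mapper {want!r} vs assertion {got!r}")
            continue
        if value in values:
            return True, findings
        for got in values:
            if got.strip().lower() == value.strip().lower():
                findings.append(f"value near-miss: mapper {value!r} vs assertion {got!r}")
    return False, findings


if __name__ == "__main__":
    attrs = read_attributes(SAMPLE)
    print(attrs)
    print(check_mapper(attrs, name="role", value="netadmin"))
```
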