Attribute mapping between Keycloak and a third-party identity provider

Last Updated: Jun 10, 2026

A third-party identity provider sends an authentication response to Keycloak. This response contains user attributes, such as first name, last name, phone number, or email address. To pass this authentication data to Avaya Workplace Client in an access token, Keycloak maps the received user attributes to the attributes of the access token. You can use the Identity Provider Mapper in Keycloak to map identity provider attributes to Keycloak attributes.

The following is an Identity Provider Mapper screen for a SAML v2.0 identity provider:

The Attribute Name or Friendly Name is the name of the attribute that Keycloak receives from the third-party provider. Keycloak uses an attribute defined in User Attribute Name to pass the value received from the identity provider to Avaya Workplace Client in access tokens.

For some attributes, direct mapping is not enough. Instead, you must map the attribute value received from the third-party provider and then transform it into a different value. The most common example is transforming a group value into a role.

In the following example, the identity provider releases the memberOf attribute with the userGroup value.

First, Keycloak uses the Attribute Importer mapper to map this attribute to an attribute with the same name, memberOf.

Then Keycloak transforms this attribute into a role using the Role Mapper. The value of the memberOf attribute is mapped to the role, and Keycloak sends this role to Avaya Workplace Client. The following image shows the Identity Mapper configuration for this transformation:
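The two-step memberOf to role flow described above, as an added example that is not part of this page or of Keycloak: the mapper definitions are written in the shape Keycloak's admin REST API accepts, and a small simulation parses a constructed SAML AttributeStatement and applies them, showing that the role is granted only on an exact match of the attribute value. The mapper type ids and config keys are assumed from Keycloak's built-in SAML mappers, and the alias, role name and sample assertion are constructed.

```python
import xml.etree.ElementTree as ET

# Mapper representations in the shape Keycloak's admin REST API accepts at
# POST /admin/realms/{realm}/identity-provider/instances/{alias}/mappers.
# Type ids and config keys assumed from Keycloak's SAML mappers; alias constructed.
IDP_ALIAS = "corp-saml"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def attribute_importer(idp_attr, user_attr):
    """Attribute Importer: copy an IdP attribute into a Keycloak user attribute."""
    return {"name": f"import-{user_attr}", "identityProviderAlias": IDP_ALIAS,
            "identityProviderMapper": "saml-user-attribute-idp-mapper",
            "config": {"attribute.name": idp_attr, "user.attribute": user_attr,
                       "syncMode": "INHERIT"}}

def role_mapper(idp_attr, value, role):
    """SAML Attribute to Role: grant a realm role on an exact value match."""
    return {"name": f"role-{role}", "identityProviderAlias": IDP_ALIAS,
            "identityProviderMapper": "saml-role-idp-mapper",
            "config": {"attribute.name": idp_attr, "attribute.value": value,
                       "role": role, "syncMode": "INHERIT"}}

MAPPERS = [attribute_importer("memberOf", "memberOf"),
           role_mapper("memberOf", "userGroup", "workplace-user")]  # role name constructed

def parse_attributes(statement_xml):
    """Collect AttributeValue texts keyed by both Name and FriendlyName."""
    attrs = {}
    for a in ET.fromstring(statement_xml).iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
        for key in (a.get("Name"), a.get("FriendlyName")):
            if key:
                attrs.setdefault(key, []).extend(values)
    return attrs

def apply_mappers(attrs, mappers):
    """Simulate Keycloak's two steps: import attributes, then derive roles."""
    user_attrs, roles = {}, set()
    for m in mappers:
        cfg, values = m["config"], attrs.get(m["config"]["attribute.name"], [])
        if m["identityProviderMapper"] == "saml-user-attribute-idp-mapper" and values:
            user_attrs[cfg["user.attribute"]] = values
        elif m["identityProviderMapper"] == "saml-role-idp-mapper":
            if cfg["attribute.value"] in values:  # no exact match, no role
                roles.add(cfg["role"])
    return user_attrs, sorted(roles)

# Constructed AttributeStatement: memberOf is multi-valued, mail uses a FriendlyName.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Attribute Name="memberOf"><saml:AttributeValue>userGroup</saml:AttributeValue><saml:AttributeValue>auditors</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""
```

A user whose memberOf carries only other groups gets the attribute imported but no role, which is the behaviour to verify in a test login before trusting the role in Avaya Workplace Client.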