Modifying the attribute mapping between the third-party identity provider and Keycloak

Last Updated : Jun 05, 2026 |

About this task

To authenticate a user, a third-party identity provider sends to Keycloak an authentication response that contains various user attributes, such as first name, last name, phone number, and email address. Keycloak then maps this user information to the attributes of the access token that is generated and sent back to clients.

The Avaya Aura® Device Services configuration utility provides a default attribute mapping. The identity provider you are using, however, might use attribute names that differ from the attribute names provided in the default mapping. In this case, you must update the default mapping. Use this procedure to modify the default attribute mapping.

Important:

You can only configure a single mapper of the Role Mapper category for an identity provider. Keycloak does not support multiple Role Mappers.

Depending on the identity provider that you are using, you must configure the mappers as follows:

For the Microsoft Azure Active Directory SAML v2.0 identity provider, configure the mappers listed in Attribute mapping parameters for Microsoft Azure SAML v2.0 identity provider.
For the Microsoft Office 365 OAuth2 identity provider, configure the mappers listed in Attribute mapping parameters for Office 365 OAuth2 identity provider.
For the Ping Identity SAML v2.0 identity provider, configure the mappers listed in Attribute mapping parameters for Ping Identity SAML v2.0 identity provider.
For the OKTA SAML v2.0 identity provider, you must configure the mappers listed in Attribute mapping parameters for OKTA SAML v2.0 identity provider.
For the AD FS SAML v2.0 identity provider, you must configure the mappers listed in Attribute mapping parameters for ADFS SAML v2.0 identity provider.
For the OneLogin SAML v2.0 identity provider, you must configure the mappers listed in Attribute mapping parameters for OneLogin SAML v2.0 identity provider.
For the IBM SAML v2.0 identity provider, you must configure the mappers listed in Attribute mapping parameters for the IBM SVA SAML v2.0 identity provider.
For the Duo SAML v2.0 identity provider, you must configure the mappers listed in Attribute mapping parameters for the Duo SAML v2.0 identity provider.
For the Imprivata SAML v2.0 identity provider, you must configure the mappers listed in Attribute mapping parameters for Imprivata SAML v2.0 identity provider.

Before you begin

Configure a third-party identity provider on Keycloak.

Procedure

On the Keycloak web administration portal, navigate to your realm and then click Identity Providers.
Select the identity provider.
Click Mappers.
From the table, select an appropriate attribute.
Avaya Aura® Device Services displays the attribute mapping for the selected attribute.
- The Friendly Name field contains the attribute name that the identity provider passes to Keycloak.
  
  If the identity provider does not provide a value for the Friendly Name field, use the Attribute Name field instead.
- The User Attribute Name field contains the attribute name that Keycloak passes to clients in access tokens.
  
  For a person’s given name, last name, and email address, use the following User Attribute Name values:
  - Given name: givenName.
  - Last name: lastName.
  - Email address: email
  These values are case sensitive.
The following image shows the givenName attribute.
Modify the Friendly Name value according to the attribute name that is used by the identity provider you are using.
If Mapper type is set to SAML Attribute to Role, do the following to map a role:
1. Click Select Role.
2. In the Role Selector window, in the Client Roles drop-down list, select aads.
3. Select the required role and then click Select client role.
Click Save.
Repeat the above steps for any other attributes you need to map.

Send Feedback

AVAYA DOCUMENTATION CENTER

No results found