Adding a hard-coded user role in Keycloak

Last Updated : Jun 10, 2026

About this task

Authentication tokens generated by Keycloak must contain role information to enable Avaya Workplace Client to use SSO capabilities. In Avaya Aura® Device Services deployments that do not use the Enterprise SSO capability, the user role is assigned to users of the LDAP group configured as the user role. Avaya Aura® Device Services does not restrict access to users outside the user group. Therefore, you can add a hard-coded user role to the Keycloak configuration for OAuth2 identity providers that cannot provide group membership information. In this case, Keycloak assigns this hard-coded user role to all users that successfully authenticate with the OAuth2 identity provider.

If you configured integration with Office 365 using OAuth2, you cannot use the Keycloak web administration portal to create attribute mappings from the OAuth2 token to a role. You can only use the Hardcoded Role mapper type.

Note:

Hardcoded Role also works for other Identity Providers (IDP) and is tested for Active Directory Federation Service (ADFS).

Procedure

  1. Log in to the Keycloak web administration interface.
  2. On the Keycloak web administration interface, navigate to your Office 365 OAuth2 identity provider.
  3. Click the Mappers tab.
  4. Click Create.

    Keycloak displays the Add Identity Provider Mapper page.

  5. In Name, provide a name for the mapper.

    For example: user.groups

  6. From Mapper Type, select Hardcoded Role.
  7. Click Select Role.

    Keycloak displays the Role Selector page.

  8. From the Client Roles drop-down list, select aads.
  9. In the area below the Client Roles drop-down list, select user.
  10. Click Select client role.
  11. On the Add Identity Provider Mapper page, click Save.
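The same mapper expressed as an Admin REST API call, followed by a check that a user's access token actually carries the hard-coded role, as an added example (not part of this page, nor Avaya or Keycloak project code). The realm name, the identity provider alias `office365`, the base URL and the admin token are assumptions; the client `aads`, the role `user` and the mapper name `user.groups` come from the procedure above.

```python
import base64
import json
import urllib.request

# Keycloak's provider id for the "Hardcoded Role" mapper type selected in step 6.
HARDCODED_ROLE_MAPPER = "oidc-hardcoded-role-idp-mapper"


def build_mapper(name: str, idp_alias: str, client_id: str, role: str) -> dict:
    """Return the mapper representation Keycloak expects for a Hardcoded Role mapper.

    A client role is referenced as "<clientId>.<roleName>" in the "role" config key,
    so the role chosen in steps 8-9 becomes "aads.user".
    """
    return {
        "name": name,
        "identityProviderAlias": idp_alias,  # assumed alias, e.g. "office365"
        "identityProviderMapper": HARDCODED_ROLE_MAPPER,
        "config": {"syncMode": "INHERIT", "role": f"{client_id}.{role}"},
    }


def create_mapper(base_url: str, realm: str, admin_token: str, mapper: dict) -> int:
    """POST the mapper via the Admin REST API; returns the HTTP status (201 on success).

    base_url is assumed to be the server root (add "/auth" for pre-Quarkus Keycloak).
    """
    alias = mapper["identityProviderAlias"]
    url = f"{base_url}/admin/realms/{realm}/identity-provider/instances/{alias}/mappers"
    req = urllib.request.Request(
        url, data=json.dumps(mapper).encode(), method="POST",
        headers={"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_client_roles(access_token: str, client_id: str) -> list:
    """Return the client roles in a Keycloak access token's resource_access claim.

    Only the payload is decoded, to confirm the mapper applied the role; signature
    verification is done separately by the relying party before trusting any claim.
    """
    seg = access_token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    return payload.get("resource_access", {}).get(client_id, {}).get("roles", [])


def sample_token() -> str:
    """Constructed, unsigned token shaped like Keycloak output, for offline testing only."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {"preferred_username": "alice", "resource_access": {"aads": {"roles": ["user"]}}}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}."
```

Every user who authenticates through the `office365` provider receives `aads.user`, which is the behaviour the task description calls out; reading `resource_access.aads.roles` from a real token after login is the quickest way to confirm the mapper took effect.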