Modifying the attribute mapping between the third-party identity provider and Keycloak

Last Updated : Jun 10, 2026

About this task

To authenticate a user, a third-party identity provider sends Keycloak an authentication response that contains various user attributes, such as first name, last name, phone number, and email address. Keycloak then maps this user information to the attributes of the access token that is generated and sent back to clients.

The Avaya Aura® Device Services configuration utility provides a default attribute mapping. The identity provider you are using, however, might use attribute names that differ from the attribute names provided in the default mapping. In this case, you must update the default mapping. Use this procedure to modify the default attribute mapping.

Each identity provider uses its own attribute mapping. For information about the mappers for your identity provider, see the Attribute mapping parameters section for your identity provider in Administering Avaya Aura® Device Services.

Before you begin

Configure a third-party identity provider on Keycloak.

Procedure

  1. On the Keycloak web administration portal, navigate to your realm and then click Identity Providers.
  2. Select the identity provider.
  3. Click Mappers.
  4. From the table, select an appropriate attribute.

    Avaya Aura® Device Services displays the attribute mapping for the selected attribute.

    • The Friendly Name field contains the attribute name that the identity provider passes to Keycloak.

      If the identity provider does not provide a value for the Friendly Name field, use the Attribute Name field instead.

    • The User Attribute Name field contains the attribute name that Keycloak passes to clients in access tokens.

      For a person’s given name, last name, and email address, use the following User Attribute Name values:

      • Given name: givenName

      • Last name: lastName

      • Email address: email

      These values are case sensitive.

    The following image shows the givenName attribute.

    The image of the attribute mapping screen.
  5. Change the Friendly Name value to the attribute name that your identity provider uses.
  6. If Mapper type is set to SAML Attribute to Role, do the following to map a role:
    1. Click Select Role.
    2. In the Role Selector window, in the Client Roles drop-down list, select aads.
    3. Select the required role and then click Select client role.
    The image of the attribute mapping screen. The Mapper Type is SAML attribute to Role Mapper, and there is an option to select a role.
  7. Click Save.
  8. Repeat the above steps for any other attributes you need to map.
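
After saving, the resulting mappers can be checked offline. The following is an added example, not part of the Avaya or Keycloak documentation: it audits a JSON export of the identity provider's mappers for the case-sensitive User Attribute Name values, for mappers with neither a Friendly Name nor an Attribute Name, and lists role mappers for review. It assumes Keycloak's SAML mapper config keys (`attribute.friendly.name`, `attribute.name`, `user.attribute`, `attribute.value`, `role`) and mapper type identifiers; the sample data, the `audit_mappers` helper, and the role name `aads.EXAMPLE_ROLE` are constructed for illustration.

```python
import json

# User Attribute Name values the procedure requires (case sensitive).
REQUIRED = {"givenName", "lastName", "email"}

# Constructed sample: one correct mapper, one wrong case, one without a source, one role mapper.
SAMPLE = json.loads("""[
 {"name": "given", "identityProviderMapper": "saml-user-attribute-idp-mapper",
  "config": {"attribute.friendly.name": "givenName", "user.attribute": "givenName"}},
 {"name": "surname", "identityProviderMapper": "saml-user-attribute-idp-mapper",
  "config": {"attribute.name": "urn:oid:2.5.4.4", "user.attribute": "LastName"}},
 {"name": "mail", "identityProviderMapper": "saml-user-attribute-idp-mapper",
  "config": {"user.attribute": "email"}},
 {"name": "admins", "identityProviderMapper": "saml-role-idp-mapper",
  "config": {"attribute.friendly.name": "groups", "attribute.value": "aads-admins",
             "role": "aads.EXAMPLE_ROLE"}}
]""")


def audit_mappers(mappers):
    """Return (findings, role_grants) for a list of mapper dicts."""
    findings, role_grants, seen = [], [], set()
    by_lower = {r.lower(): r for r in REQUIRED}
    for m in mappers:
        cfg = m.get("config", {})
        # Friendly Name is preferred; Attribute Name is the fallback.
        source = cfg.get("attribute.friendly.name") or cfg.get("attribute.name")
        if not source:
            findings.append(f"{m['name']}: no Friendly Name or Attribute Name set")
        if m.get("identityProviderMapper") == "saml-role-idp-mapper":
            # Role mappers grant privileges from IdP assertions: list for review.
            role_grants.append((source, cfg.get("attribute.value"), cfg.get("role")))
            continue
        target = cfg.get("user.attribute", "")
        if target in REQUIRED:
            seen.add(target)
        elif target.lower() in by_lower:
            findings.append(f"{m['name']}: '{target}' should be "
                            f"'{by_lower[target.lower()]}' (case sensitive)")
    for missing in sorted(REQUIRED - seen):
        findings.append(f"no mapper produces '{missing}'")
    return findings, role_grants


if __name__ == "__main__":
    findings, grants = audit_mappers(SAMPLE)
    print("\n".join(findings))
    print(grants)
```

Each entry in the role list is a (source attribute, matched value, granted role) tuple, so every path from an identity provider assertion to an aads client role can be reviewed in one place.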