Support for Keycloak SAML Attribute to Role mapper with multiple values to map to a single role

Solution Verified - Updated -

Issue

  • On a user's first login attempt, everything works fine, but when the user logs in a second time, RH-SSO deletes the user's role mappings in the Keycloak DB and does not perform the mapping again. The user does not get access to the application because of the missing roles.

Environment

  • Red Hat Single Sign-On (RH-SSO)
    • 7.x
  • Using RH-SSO Identity Brokering with a configured SAML Identity Provider (IdP), and trying to map attributes (multiple roles) from this external IdP to a single role in Keycloak (using the SAML Attribute to Role mapper)
