We are passing a multi value SAML attribute from our Okta IdP and defined a few role mappers from some specific attribute values to the admin role.
For one specific attribute value (information-security-engineering) we have the issue below.
Note: the user is part of another IdP group called information-security and this value is sent via the SAML assertion as well.
The first time login flow works fine, however when the user does login a second time the SSO deletes the user's roles mapping in Keycloak DB and it does not perform the mapping again. The user does not get access to the application because of the missing roles.
When we removed the user from the information-security group, the issue disappeared. I think it has to do with how the role mapper parses the SAML assertion looking for the values specified... if it uses something like "info*" then the search yields 2 results...
After some more testing it appears that the issue is related to having multiple attribute value mappings to the same role - is this not supported?
We want several Okta groups (like engineering, security) to be mapped to the Keycloak admin role.