Mon, 01 Jan 0001 00:00:00 +0000

Keycloak 12.x#

Create a new Role at Keycloak, e.g. demo-pam-authentication. (Assuming the server is at https://keycloak.example.com)
Create a new Client Scope, e.g. pam_roles:
- Protocol: openid-connect
- Display On Consent Screen: OFF
- Include in Token Scope: ON
- Mapper:
  - Name: e.g. pam roles
  - Mapper Type: User Realm Role
  - Multivalued: ON
  - Token Claim Name: pam_roles (the name of the Client Scope)
  - Claim JSON Type: String
  - Add to ID token: OFF
  - Add to access token: ON
  - Add to userinfo: OFF
- Scope:
  - Effective Roles: demo-pam-authentication (the name of the Role)
Create a new Keycloak Client:

Identity providers on pam-keycloak-oidc