Role Mapping
Define the mapping from client identity provider roles/groups to AMT roles. This is configured in the cc-config.yaml and amt-config.yaml configuration files for the AMT Control Center and applications.
claimUserRoles
Sets the origin of the user roles. By default AMT manages the user roles itself. When the value is set to OAUTH, the user roles are taken from the OpenID provider token; in that case the claimRolesKey and roleMapping settings must also be set.
claimRolesKey
The key to the roles in the OpenID provider token. Must be set when claimUserRoles is set to OAUTH. A key that sits below other claims is written as a path whose layers are separated by semicolons.
- For Azure Entra ID the key is "groups":
  claimRolesKey: groups
- For Keycloak the key is "resource_access;<clientID>;roles". This key is three layers deep, separated by semicolons, for example:
  claimRolesKey: resource_access;-demo;roles
roleMapping
Maps the user roles from the OpenID provider token to AMT user roles. Must be set when claimUserRoles is set to OAUTH.
Configuration Examples of Role Mapping
Azure-specific example:
authentication:
  type: OIDC
  clients:
    rest:
      settings:
        issuerURL: <URL OIDC provider>
        clientID: <Client ID>
        claimUserName: preferred_username
        claimUserRoles: OAUTH
        claimRolesKey: groups
        roleMapping:
          <Azure Role Map ID>: 2
Keycloak-specific example:
authentication:
  type: OIDC
  clients:
    rest:
      settings:
        issuerURL: <URL OIDC provider>
        clientID: <Client ID>
        claimUserName: preferred_username
        claimUserRoles: OAUTH
        claimRolesKey: resource_access;my-amt;roles
        roleMapping:
          admin: amt_admin
          role0: amt_default
          user: amt_user1
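The following is an added example, not code from the AMT product or its documentation, that shows how the two settings above work together: it walks a decoded token along the semicolon-separated claimRolesKey path (the "groups" key for Entra ID, the three-layer "resource_access;<clientID>;roles" key for Keycloak) and then translates the roles it finds through roleMapping. The function names (get_claim, map_roles), the settings dictionaries and the sample token claims are constructed for this example and are not taken from AMT. The example also covers the cases a practitioner should check: a claim that is missing from the token, and a provider role that has no entry in roleMapping, both of which yield no AMT role rather than an error or a default.

```python
# Added example (not part of the AMT documentation): resolve claimRolesKey
# in a decoded OIDC token and apply roleMapping as described above.
# All names, settings and sample tokens below are constructed for illustration.

def get_claim(claims, claim_roles_key):
    """Walk the token claims along a ';'-separated key path.

    'groups'                         -> claims['groups']
    'resource_access;my-amt;roles'   -> claims['resource_access']['my-amt']['roles']

    Returns [] if any layer of the path is absent, so a token without the
    configured claim produces no roles instead of raising or falling back.
    """
    node = claims
    for part in claim_roles_key.split(";"):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    if isinstance(node, str):          # a single role serialized as a string
        return [node]
    return list(node) if isinstance(node, (list, tuple)) else []


def map_roles(claims, settings):
    """Return the AMT roles for a token under the given client settings.

    Returns None when claimUserRoles is not OAUTH (AMT manages roles itself,
    so nothing is taken from the token). Otherwise only provider roles with
    an explicit roleMapping entry are kept; unmapped roles grant nothing.
    """
    if settings.get("claimUserRoles") != "OAUTH":
        return None
    mapping = settings["roleMapping"]
    amt_roles = []
    for provider_role in get_claim(claims, settings["claimRolesKey"]):
        mapped = mapping.get(provider_role)
        if mapped is not None and mapped not in amt_roles:
            amt_roles.append(mapped)
    return amt_roles


# Constructed settings mirroring the two configuration examples above.
AZURE_SETTINGS = {
    "claimUserRoles": "OAUTH",
    "claimRolesKey": "groups",
    # placeholder group object id standing in for <Azure Role Map ID>
    "roleMapping": {"11111111-2222-3333-4444-555555555555": 2},
}
KEYCLOAK_SETTINGS = {
    "claimUserRoles": "OAUTH",
    "claimRolesKey": "resource_access;my-amt;roles",
    "roleMapping": {"admin": "amt_admin", "role0": "amt_default", "user": "amt_user1"},
}

# Constructed decoded token payloads (the relevant claims only).
AZURE_TOKEN = {
    "preferred_username": "bob@example.com",
    "groups": [
        "11111111-2222-3333-4444-555555555555",   # mapped -> 2
        "99999999-8888-7777-6666-555555555555",   # no mapping -> ignored
    ],
}
KEYCLOAK_TOKEN = {
    "preferred_username": "alice",
    "resource_access": {
        "my-amt": {"roles": ["user", "offline_access"]},   # only this client counts
        "account": {"roles": ["manage-account"]},          # other client, not read
    },
}

if __name__ == "__main__":
    print("azure    ->", map_roles(AZURE_TOKEN, AZURE_SETTINGS))        # [2]
    print("keycloak ->", map_roles(KEYCLOAK_TOKEN, KEYCLOAK_SETTINGS))  # ['amt_user1']
    print("no claim ->", map_roles({"preferred_username": "x"}, AZURE_SETTINGS))  # []
```

Running the block shows the Entra ID token resolving to the numeric AMT role 2, the Keycloak token resolving to amt_user1 (offline_access and the roles under the "account" client are ignored), and a token without the configured claim resolving to no roles at all. Checking that last case in your own deployment is worthwhile, since it is the difference between a misconfigured claimRolesKey silently granting nothing and silently granting a default.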
