Protocol Mappers

Discover all built-in protocol mappers and how to use these to define token claims and assertion attributes.

Protocol mappers provide a flexible way to define claims used in OAuth 2.0 tokens and endpoints, and attributes in SAML 2.0 assertions, for example by adding user attributes or role mappings.

This page includes a list of all built-in protocol mappers, but Keycloak also supports defining custom protocol mappers through the ProtocolMapper SPI.

Protocol mappers can be created and managed via the Keycloak REST API using the create protocol mapper endpoint. When creating a ProtocolMapperRepresentation, the config field is a key-value map whose available entries depend on the specific mapper type. This page serves as a reference for the expected configuration options available in ProtocolMapperRepresentation.config for each ProtocolMapper implementation.

For example, to create a protocol mapper that maps a user attribute into an OIDC token claim, you would send a ProtocolMapperRepresentation using the following JSON:

{
  "name": "my-user-attribute-mapper",
  "protocol": "openid-connect",
  "protocolMapper": "oidc-usermodel-attribute-mapper",
  "config": {
    "user.attribute": "phone_number",
    "claim.name": "phone",
    "jsonType.label": "String"
  }
}

The protocolMapper field corresponds to the "ID" listed in the tables below, and the config entries are described in each mapper’s configuration table.

The same mapper can be created programmatically using the Keycloak Java admin client:

import java.util.Map;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;

// Build the same representation as the JSON above: the mapper type plus its config map.
// Every config value is a String; booleans are written as "true" / "false".
ProtocolMapperRepresentation mapper = new ProtocolMapperRepresentation();
mapper.setName("my-user-attribute-mapper");
mapper.setProtocol("openid-connect");
mapper.setProtocolMapper("oidc-usermodel-attribute-mapper");
mapper.setConfig(Map.of(
        "user.attribute", "phone_number",
        "claim.name", "phone",
        "jsonType.label", "String"
));

// Attach the mapper to a client scope of the target realm through the admin client.
Keycloak.getInstance(...)
        .realm("my-realm")
        .clientScopes()
        .get("my-client-scope-id")
        .getProtocolMappers()
        .createMapper(mapper);
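Because ProtocolMapperRepresentation.config is a free-form string map, a typo in a key or a non-string value is accepted by the API and silently produces a mapper that does nothing. The following added example (not Keycloak's own code) checks a representation against a small subset of this page's reference tables before it is sent; the MAPPER_CONFIG and REQUIRED_KEYS tables are transcribed from this page for three mapper IDs and are an assumption you would extend for the mappers you use.

```python
import json
from typing import Dict, List

# Claim placement switches shared by most openid-connect mappers (from the tables on this page).
TOKEN_PLACEMENT: Dict[str, str] = {
    "id.token.claim": "boolean",
    "access.token.claim": "boolean",
    "lightweight.claim": "boolean",
    "userinfo.token.claim": "boolean",
    "introspection.token.claim": "boolean",
}

# Constructed subset of this page's reference: mapper ID -> {config key: documented type}.
MAPPER_CONFIG: Dict[str, Dict[str, str]] = {
    "oidc-usermodel-attribute-mapper": {
        "user.attribute": "UserProfileAttributeList",
        "claim.name": "String",
        "jsonType.label": "List",
        "multivalued": "boolean",
        "aggregate.attrs": "boolean",
        **TOKEN_PLACEMENT,
    },
    "oidc-hardcoded-claim-mapper": {
        "claim.name": "String",
        "claim.value": "String",
        "jsonType.label": "List",
        "access.tokenResponse.claim": "boolean",
        **TOKEN_PLACEMENT,
    },
    "oidc-audience-mapper": {
        "included.client.audience": "ClientList",
        "included.custom.audience": "String",
        "id.token.claim": "boolean",
        "access.token.claim": "boolean",
        "lightweight.claim": "boolean",
        "introspection.token.claim": "boolean",
    },
}

# Keys without which the mapper emits nothing useful (this example's choice, not a server rule).
REQUIRED_KEYS = {
    "oidc-usermodel-attribute-mapper": ("user.attribute", "claim.name"),
    "oidc-hardcoded-claim-mapper": ("claim.name", "claim.value"),
}
JSON_TYPES = {"long", "int", "boolean", "String", "JSON"}


def validate_mapper(rep: dict) -> List[str]:
    """Return the problems found in a ProtocolMapperRepresentation; an empty list means it looks sound."""
    problems: List[str] = []
    mapper_id = rep.get("protocolMapper")
    if mapper_id not in MAPPER_CONFIG:
        return [f"protocolMapper {mapper_id!r} is not in the local reference table"]
    if rep.get("protocol") != "openid-connect":
        problems.append("protocol must be 'openid-connect' for oidc-* mappers")
    schema = MAPPER_CONFIG[mapper_id]
    config = rep.get("config") or {}
    for key in REQUIRED_KEYS.get(mapper_id, ()):
        if not config.get(key):
            problems.append(f"missing config key {key!r}")
    for key, value in config.items():
        if key not in schema:
            problems.append(f"config key {key!r} is not documented for {mapper_id}")
            continue
        # Keycloak keeps every config value as a string; booleans are the strings "true"/"false".
        if not isinstance(value, str):
            problems.append(f"config value for {key!r} must be a string, got {type(value).__name__}")
            continue
        if schema[key] == "boolean" and value not in ("true", "false"):
            problems.append(f"config key {key!r} must be 'true' or 'false', got {value!r}")
        if key == "jsonType.label" and value not in JSON_TYPES:
            problems.append(f"jsonType.label {value!r} is not one of {sorted(JSON_TYPES)}")
    # The custom audience is only used while the client audience is empty (see the Audience table).
    if config.get("included.client.audience") and config.get("included.custom.audience"):
        problems.append("included.custom.audience is ignored while included.client.audience is set")
    # The page restricts the token-response placement to informative, non-sensitive data.
    if config.get("access.tokenResponse.claim") == "true":
        problems.append("access.tokenResponse.claim=true exposes the claim in the token response body; "
                        "confirm the value is non-sensitive")
    return problems


# The page's own example, as the representation that would be POSTed to the admin REST API.
EXAMPLE_MAPPER = {
    "name": "my-user-attribute-mapper",
    "protocol": "openid-connect",
    "protocolMapper": "oidc-usermodel-attribute-mapper",
    "config": {
        "user.attribute": "phone_number",
        "claim.name": "phone",
        "jsonType.label": "String",
    },
}

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_MAPPER, indent=2))
    print("problems:", validate_mapper(EXAMPLE_MAPPER))
```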

Overview

The table below is an index of all available ProtocolMapper implementations provided by Keycloak, grouped by the associated protocol.

openid-connect

ID | Description
--- | ---
oidc-allowed-origins-mapper | Adds all allowed web origins to the 'allowed-origins' claim in the token
oidc-audience-mapper | Add specified audience to the audience (aud) field of token
oidc-audience-resolve-mapper | Adds all client_ids of "allowed" clients to the audience field of the token. An allowed client is one for which the user has at least one client role
oidc-acr-mapper | Maps the achieved LoA (Level of Authentication) to the 'acr' claim of the token
oidc-amr-mapper | Add authentication method reference (AMR) to the token.
oidc-claims-param-token-mapper | Claims specified by the claims parameter are put into tokens.
oidc-claims-param-value-idtoken-mapper | Claims specified by the claims parameter with a value are put into an ID token.
oidc-group-membership-mapper | Map user group membership
oidc-hardcoded-role-mapper | Hardcode a role into the access token.
oidc-hardcoded-claim-mapper | Hardcode a claim into the token.
oidc-nonce-backwards-compatible-mapper | Adds the nonce claim to Access, Refresh and ID token
oidc-organization-group-membership-mapper | Map user Organization group membership
oidc-organization-membership-mapper | Map user Organization membership
oidc-sha256-pairwise-sub-mapper | Calculates a pairwise subject identifier using a salted sha-256 hash and adds it to the 'sub' claim. See OpenID Connect specification for more info about pairwise subject identifiers.
oidc-role-name-mapper | Map an assigned role to a new name or position in the token.
oidc-session-state-mapper | Add Session State (session_state) claim
oidc-sub-mapper | Add Subject (sub) claim
oidc-address-mapper | Maps user address attributes (street, locality, region, postal_code, and country) to the OpenID Connect 'address' claim.
oidc-usermodel-attribute-mapper | Map a custom user attribute to a token claim.
oidc-usermodel-client-role-mapper | Map a user client role to a token claim.
oidc-usermodel-property-mapper | Map a built-in user property (email, firstName, lastName) to a token claim.
oidc-usermodel-realm-role-mapper | Map a user realm role to a token claim.
oidc-usersessionmodel-note-mapper | Map a custom user session note to a token claim.
oidc-full-name-mapper | Maps the user’s first and last name to the OpenID Connect 'name' claim. Format is <first> + ' ' + <last>

oid4vc

ID | Description
--- | ---
oid4vc-context-mapper | Assigns a context to the credential.
oid4vc-vc-type-mapper | Assigns a type to the credential.
oid4vc-subject-id-mapper | Sets an ID for the credential subject, either from User ID or by attribute mapping.
oid4vc-generated-id-mapper | Assigns a generated ID to the credential’s subject. The target property can be configured, but id is used by default.
oid4vc-issued-at-time-claim-mapper | Allows setting the issuance date on the credential subject.
oid4vc-static-claim-mapper | Allows setting static values for the credential subject.
oid4vc-target-role-mapper | Map the assigned role to the credential subject, providing the client id as the target.
oid4vc-user-attribute-mapper | Maps user attributes or properties to credential claims.

saml

ID | Description
--- | ---
saml-audience-mapper | Add specified audience to the audience conditions in the assertion.
saml-audience-resolve-mapper | Adds all client_ids of "allowed" clients to the audience conditions in the assertion. An allowed client is any SAML client for which the user has at least one client role
saml-authn-context-class-ref-mapper | Add the AuthnContextClassRef to the AuthContext with the Level of Assurance if present.
saml-group-membership-mapper | Group names are stored in an attribute value. There is either one attribute with multiple attribute values, or an attribute per group name, depending on how you configure it. You can also specify the attribute name, e.g. 'member' or 'memberOf'.
saml-hardcode-attribute-mapper | Hardcode an attribute into the SAML Assertion.
saml-hardcode-role-mapper | Hardcode role into SAML Assertion.
saml-organization-group-membership-mapper | Add attributes to the assertion with information about the organization group membership.
saml-organization-membership-mapper | Add an attribute to the assertion with information about the organization membership.
saml-user-attribute-mapper | Map a custom user attribute to a SAML attribute.
saml-user-property-mapper | Map a built-in user property (email, firstName, lastName) to a SAML attribute type.
saml-user-session-note-mapper | Map a user session note to a SAML attribute.
saml-role-name-mapper | Map an assigned role to a new name
saml-role-list-mapper | Role names are stored in an attribute value. There is either one attribute with multiple attribute values, or an attribute per role name, depending on how you configure it. You can also specify the attribute name, e.g. 'Role' or 'memberOf'.
saml-user-attribute-nameid-mapper | Map user attribute to SAML NameID value.

docker-v2

ID | Description
--- | ---
docker-v2-allow-all-mapper | Allows all grants, returning the full set of requested access attributes as permitted attributes.

openid-connect

The following section contains all ProtocolMapper implementations associated with the openid-connect protocol. For each implementation we provide the "ID" of the ProtocolMapper and a table describing the supported configuration properties.

Allowed Web Origins

Adds all allowed web origins to the 'allowed-origins' claim in the token

ID: oidc-allowed-origins-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?

Audience

Add specified audience to the audience (aud) field of token

ID: oidc-audience-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Included Client Audience | included.client.audience | ClientList | None | The Client ID of the specified audience client will be included in the audience (aud) field of the token. If the token includes audiences, the specified value is added to them. It will not override existing audiences.
Included Custom Audience | included.custom.audience | String | None | This is used only if 'Included Client Audience' is empty. The specified value is included in the audience (aud) field of the token. If the token already contains audiences, the specified value is added to those audiences, without overriding them.
Add to ID token | id.token.claim | boolean | false | Should the claim be added to the ID token?
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?

Audience Resolve

Adds all client_ids of "allowed" clients to the audience field of the token. An allowed client is one for which the user has at least one client role

ID: oidc-audience-resolve-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?

Authentication Context Class Reference (ACR)

Maps the achieved LoA (Level of Authentication) to the 'acr' claim of the token

ID: oidc-acr-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?

Authentication Method Reference (AMR)

Add authentication method reference (AMR) to the token.

ID: oidc-amr-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?

Claims parameter Token

Claims specified by the claims parameter are put into tokens.

ID: oidc-claims-param-token-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?
Add to userinfo | userinfo.token.claim | boolean | true | Should the claim be added to the userinfo?

Claims parameter with value ID Token

Claims specified by the claims parameter with a value are put into an ID token.

ID: oidc-claims-param-value-idtoken-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Claim name | claim.name | String | None | Name of the claim whose value you want to set. 'true' and 'false' can be used for boolean values.
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?

Group Membership

Map user group membership

ID: oidc-group-membership-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Token Claim Name | claim.name | String | None | Name of the claim to insert into the token. This can be a fully qualified name such as 'address.street'. In this case, a nested JSON object is created. To prevent nesting and use the dot literally, escape the dot with a backslash (\.).
Full group path | full.path | boolean | true | Include the full path to the group, e.g. /top/level1/level2; if false, only the group name is used
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to userinfo | userinfo.token.claim | boolean | true | Should the claim be added to the userinfo?
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?

Hardcoded Role

Hardcode a role into the access token.

ID: oidc-hardcoded-role-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Role | role | Role | None | Role you want added to the token. Click the 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, e.g. myclient.myrole

Hardcoded claim

Hardcode a claim into the token.

ID: oidc-hardcoded-claim-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Token Claim Name | claim.name | String | None | Name of the claim to insert into the token. This can be a fully qualified name such as 'address.street'. In this case, a nested JSON object is created. To prevent nesting and use the dot literally, escape the dot with a backslash (\.).
Claim value | claim.value | String | None | Value of the claim you want to hard code. 'true' and 'false' can be used for boolean values.
Claim JSON Type | jsonType.label | List | None | JSON type that should be used to populate the JSON claim in the token. long, int, boolean, String and JSON are valid values.
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to userinfo | userinfo.token.claim | boolean | true | Should the claim be added to the userinfo?
Add to access token response | access.tokenResponse.claim | boolean | false | Should the claim be added to the access token response? Should only be used for informative and non-sensitive data
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?

Nonce backwards compatible

Adds the nonce claim to Access, Refresh and ID token

ID: oidc-nonce-backwards-compatible-mapper

Organization Group Membership

Map user Organization group membership

ID: oidc-organization-group-membership-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to userinfo | userinfo.token.claim | boolean | true | Should the claim be added to the userinfo?
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?
Add group role mappings | addGroupRoleMappings | boolean | false | addGroupRoleMappings.help

Organization Membership

Map user Organization membership

ID: oidc-organization-membership-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Token Claim Name | claim.name | String | None | Name of the claim to insert into the token. This can be a fully qualified name such as 'address.street'. In this case, a nested JSON object is created. To prevent nesting and use the dot literally, escape the dot with a backslash (\.).
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to userinfo | userinfo.token.claim | boolean | true | Should the claim be added to the userinfo?
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?
Claim JSON Type | jsonType.label | List | String | JSON type that should be used to populate the JSON claim in the token. long, int, boolean, String and JSON are valid values.
Multivalued | multivalued | boolean | true | Indicates if the attribute supports multiple values. If true, the list of all values of this attribute will be set as the claim. If false, just the first value will be set as the claim
Add organization attributes | addOrganizationAttributes | boolean | false | addOrganizationAttributes.help
Add organization id | addOrganizationId | boolean | false | addOrganizationId.help
Add organization domain | addOrganizationDomain | boolean | false | addOrganizationDomain.help

Pairwise subject identifier

Calculates a pairwise subject identifier using a salted sha-256 hash and adds it to the 'sub' claim. See OpenID Connect specification for more info about pairwise subject identifiers.

ID: oidc-sha256-pairwise-sub-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Sector Identifier URI | sectorIdentifierUri | String | None | Providers that use pairwise sub values and support Dynamic Client Registration SHOULD use the sector_identifier_uri parameter. It provides a way for a group of websites under common administrative control to have consistent pairwise sub values independent of the individual domain names. It also provides a way for Clients to change redirect_uri domains without having to reregister all their users.
Salt | pairwiseSubAlgorithmSalt | String | None | Salt used when calculating the pairwise subject identifier. If left blank, a salt will be generated.
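The following added example (not Keycloak's implementation) models the two configuration properties above: how the sector identifier is chosen from sector_identifier_uri or the redirect URI host, and how a salted SHA-256 over sector, local subject and salt yields a 'sub' that is stable per sector but unlinkable across sectors. The concatenation order and hex output follow the illustrative algorithm in OpenID Connect Core section 8.1 and are an assumption; Keycloak's exact input encoding and output format are not stated on this page.

```python
import hashlib
import secrets
from typing import Iterable, Optional
from urllib.parse import urlparse


def sector_identifier(redirect_uris: Iterable[str], sector_identifier_uri: Optional[str] = None) -> str:
    """Return the sector identifier: the host of sector_identifier_uri when configured, otherwise the
    single host shared by all redirect URIs (clients spanning several hosts need a sector_identifier_uri)."""
    if sector_identifier_uri:
        host = urlparse(sector_identifier_uri).hostname
        if not host:
            raise ValueError("sector_identifier_uri has no host component")
        return host
    hosts = {urlparse(uri).hostname for uri in redirect_uris}
    if len(hosts) != 1 or None in hosts:
        raise ValueError("redirect URIs do not share one host; configure a sector_identifier_uri")
    return hosts.pop()


class PairwiseSubMapper:
    """Model of a pairwise 'sub' mapper: sub = SHA-256(sector || local_sub || salt), hex-encoded.

    As described on this page, a blank salt is replaced by a generated one. The mapper keeps that
    salt, because the same user must receive the same pairwise sub on every login; losing the salt
    would re-identify every user of the client.
    """

    def __init__(self, salt: str = "", sector_identifier_uri: Optional[str] = None):
        self.salt = salt or secrets.token_hex(16)  # generated when left blank, then persisted
        self.sector_identifier_uri = sector_identifier_uri

    def generate_sub(self, local_sub: str, redirect_uris: Iterable[str]) -> str:
        sector = sector_identifier(redirect_uris, self.sector_identifier_uri)
        digest = hashlib.sha256()
        for part in (sector, local_sub, self.salt):
            digest.update(part.encode("utf-8"))
        return digest.hexdigest()
```

Two clients that register the same sector_identifier_uri therefore receive the same pairwise sub for a user even when their redirect URIs live on different hosts, which is the property the description above refers to.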

Role Name Mapper

Map an assigned role to a new name or position in the token.

ID: oidc-role-name-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Role | role | Role | None | Role name you want changed. Click the 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, e.g. myclient.myrole
New Role Name | new.role.name | String | None | The new role name. The new name format corresponds to where in the access token the role will be mapped to. So, a new name of 'myapp.newname' will map the role to that position in the access token. A new name of 'newname' will map the role to the realm roles in the token.

Session State (session_state)

Add Session State (session_state) claim

ID: oidc-session-state-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to userinfo | userinfo.token.claim | boolean | true | Should the claim be added to the userinfo?
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?

Subject (sub)

Add Subject (sub) claim

ID: oidc-sub-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?

User Address

Maps user address attributes (street, locality, region, postal_code, and country) to the OpenID Connect 'address' claim.

ID: oidc-address-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to userinfo | userinfo.token.claim | boolean | true | Should the claim be added to the userinfo?
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?
User Attribute Name for Street | user.attribute.street | String | street | Name of the user attribute that is mapped to the 'street_address' subclaim inside the 'address' token claim. Defaults to 'street'.
User Attribute Name for Locality | user.attribute.locality | String | locality | Name of the user attribute that is mapped to the 'locality' subclaim inside the 'address' token claim. Defaults to 'locality'.
User Attribute Name for Region | user.attribute.region | String | region | Name of the user attribute that is mapped to the 'region' subclaim inside the 'address' token claim. Defaults to 'region'.
User Attribute Name for Postal Code | user.attribute.postal_code | String | postal_code | Name of the user attribute that is mapped to the 'postal_code' subclaim inside the 'address' token claim. Defaults to 'postal_code'.
User Attribute Name for Country | user.attribute.country | String | country | Name of the user attribute that is mapped to the 'country' subclaim inside the 'address' token claim. Defaults to 'country'.
User Attribute Name for Formatted Address | user.attribute.formatted | String | formatted | Name of the user attribute that is mapped to the 'formatted' subclaim inside the 'address' token claim. Defaults to 'formatted'.

User Attribute

Map a custom user attribute to a token claim.

ID: oidc-usermodel-attribute-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
User Attribute | user.attribute | UserProfileAttributeList | None | Name of the stored user attribute, i.e. the name of an attribute within the UserModel.attribute map.
Token Claim Name | claim.name | String | None | Name of the claim to insert into the token. This can be a fully qualified name such as 'address.street'. In this case, a nested JSON object is created. To prevent nesting and use the dot literally, escape the dot with a backslash (\.).
Claim JSON Type | jsonType.label | List | None | JSON type that should be used to populate the JSON claim in the token. long, int, boolean, String and JSON are valid values.
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to userinfo | userinfo.token.claim | boolean | true | Should the claim be added to the userinfo?
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?
Multivalued | multivalued | boolean | None | Indicates if the attribute supports multiple values. If true, the list of all values of this attribute will be set as the claim. If false, just the first value will be set as the claim
Aggregate attribute values | aggregate.attrs | boolean | None | Indicates if attribute values should be aggregated with the group attributes. If using an OpenID Connect mapper, the multivalued option needs to be enabled too in order to get all the values. Duplicated values are discarded and the order of values is not guaranteed with this option.

User Client Role

Map a user client role to a token claim.

ID: oidc-usermodel-client-role-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Client ID | usermodel.clientRoleMapping.clientId | ClientList | None | Client ID for role mappings. Only client roles of this client will be added to the token. If this is unset, client roles of all clients will be added to the token.
Client Role prefix | usermodel.clientRoleMapping.rolePrefix | String | None | A prefix for each client role (optional). The special token ${client_id} can be used and will be replaced by the actual client ID. This is useful especially when you are adding roles from all the clients (hence the 'Client ID' option is unset) and need to present the client roles as a list, prefixed with the originating client’s client ID.
Multivalued | multivalued | boolean | true | Indicates if the attribute supports multiple values. If true, the list of all values of this attribute will be set as the claim. If false, just the first value will be set as the claim
Token Claim Name | claim.name | String | None | Name of the claim to insert into the token. This can be a fully qualified name such as 'address.street'. In this case, a nested JSON object is created. To prevent nesting and to use the dot literally, escape the dot with a backslash (\.). You can use the special token ${client_id}; it will be replaced by the actual client ID. An example usage is 'resource_access.${client_id}.roles'. This option is especially useful when you add roles from all the clients, meaning 'Client ID' is disabled, and you want client roles of each client stored separately.
Claim JSON Type | jsonType.label | List | None | JSON type that should be used to populate the JSON claim in the token. long, int, boolean, String and JSON are valid values.
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to userinfo | userinfo.token.claim | boolean | true | Should the claim be added to the userinfo?
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?
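The 'Token Claim Name' and 'Claim JSON Type' rules that recur in these tables (dotted names nest, '\.' keeps a dot literal, jsonType.label converts the stored string) and the ${client_id} substitution of the User Client Role table above are easiest to understand by modelling them on a token payload. The following added example is not Keycloak's code; escaping dots inside a client ID before substitution so that the ID stays one key is this example's own choice, and the page does not state how the server treats that case.

```python
import json
from typing import Any, Dict, List

CLIENT_ID_TOKEN = "${client_id}"


def split_claim_name(name: str) -> List[str]:
    """Split a Token Claim Name on unescaped dots; a backslash-escaped dot (\\.) stays literal."""
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(name):
        if name[i] == "\\" and i + 1 < len(name) and name[i + 1] == ".":
            current.append(".")
            i += 2
            continue
        if name[i] == ".":
            parts.append("".join(current))
            current = []
        else:
            current.append(name[i])
        i += 1
    parts.append("".join(current))
    return parts


def convert_value(value: str, json_type: str = "String") -> Any:
    """Apply the documented Claim JSON Type: long, int, boolean, String or JSON."""
    if json_type in ("long", "int"):
        return int(value)
    if json_type == "boolean":
        return value.strip().lower() == "true"
    if json_type == "JSON":
        return json.loads(value)
    return value  # String (or unset) keeps the stored text


def set_claim(token: Dict[str, Any], claim_name: str, value: Any) -> Dict[str, Any]:
    """Insert value at the path named by claim_name, creating a nested object per segment."""
    *path, leaf = split_claim_name(claim_name)
    node = token
    for segment in path:
        child = node.get(segment)
        if not isinstance(child, dict):
            child = {}
            node[segment] = child  # an existing scalar at this position is replaced by an object
        node = child
    node[leaf] = value
    return token


def hardcoded_claim(token: Dict[str, Any], claim_name: str, claim_value: str,
                    json_type: str = "String") -> Dict[str, Any]:
    """Model oidc-hardcoded-claim-mapper: claim.name + claim.value + jsonType.label."""
    return set_claim(token, claim_name, convert_value(claim_value, json_type))


def map_client_roles(token: Dict[str, Any], claim_name: str,
                     roles_by_client: Dict[str, List[str]], role_prefix: str = "") -> Dict[str, Any]:
    """Model oidc-usermodel-client-role-mapper with 'Client ID' unset and multivalued=true.

    ${client_id} in the claim name and in the role prefix is replaced by each originating
    client's ID, so 'resource_access.${client_id}.roles' stores every client's roles apart.
    Dots inside a client ID are escaped first so the ID stays one key (this example's choice).
    """
    for client_id, roles in roles_by_client.items():
        escaped = client_id.replace(".", "\\.")
        prefix = role_prefix.replace(CLIENT_ID_TOKEN, client_id)
        set_claim(token, claim_name.replace(CLIENT_ID_TOKEN, escaped), [prefix + r for r in roles])
    return token
```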

User Property

Map a built in user property (email, firstName, lastName) to a token claim.

ID: oidc-usermodel-property-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Property | user.attribute | String | None | Name of the property method in the UserModel interface. For example, a value of 'email' would reference the UserModel.getEmail() method.
Token Claim Name | claim.name | String | None | Name of the claim to insert into the token. This can be a fully qualified name such as 'address.street'. In this case, a nested JSON object is created. To prevent nesting and use the dot literally, escape the dot with a backslash (\.).
Claim JSON Type | jsonType.label | List | None | JSON type that should be used to populate the JSON claim in the token. long, int, boolean, String and JSON are valid values.
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to userinfo | userinfo.token.claim | boolean | true | Should the claim be added to the userinfo?
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?

User Realm Role

Map a user realm role to a token claim.

ID: oidc-usermodel-realm-role-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Realm Role prefix | usermodel.realmRoleMapping.rolePrefix | String | None | A prefix which will be prepended to each Realm Role name (optional).
Multivalued | multivalued | boolean | true | Indicates if the attribute supports multiple values. If true, the list of all values of this attribute will be set as the claim. If false, just the first value will be set as the claim
Token Claim Name | claim.name | String | None | Name of the claim to insert into the token. This can be a fully qualified name such as 'address.street'. In this case, a nested JSON object is created. To prevent nesting and use the dot literally, escape the dot with a backslash (\.).
Claim JSON Type | jsonType.label | List | None | JSON type that should be used to populate the JSON claim in the token. long, int, boolean, String and JSON are valid values.
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to userinfo | userinfo.token.claim | boolean | true | Should the claim be added to the userinfo?
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?

User Session Note

Map a custom user session note to a token claim.

ID: oidc-usersessionmodel-note-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
User Session Note | user.session.note | String | None | Name of the stored user session note within the UserSessionModel.note map.
Token Claim Name | claim.name | String | None | Name of the claim to insert into the token. This can be a fully qualified name such as 'address.street'. In this case, a nested JSON object is created. To prevent nesting and use the dot literally, escape the dot with a backslash (\.).
Claim JSON Type | jsonType.label | List | None | JSON type that should be used to populate the JSON claim in the token. long, int, boolean, String and JSON are valid values.
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to userinfo | userinfo.token.claim | boolean | true | Should the claim be added to the userinfo?
Add to access token response | access.tokenResponse.claim | boolean | false | Should the claim be added to the access token response? Should only be used for informative and non-sensitive data
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?

User’s full name

Maps the user’s first and last name to the OpenID Connect 'name' claim. Format is <first> + ' ' + <last>

ID: oidc-full-name-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Add to ID token | id.token.claim | boolean | true | Should the claim be added to the ID token?
Add to access token | access.token.claim | boolean | true | Should the claim be added to the access token?
Add to lightweight access token | lightweight.claim | boolean | false | Should the claim be added to the lightweight access token?
Add to userinfo | userinfo.token.claim | boolean | true | Should the claim be added to the userinfo?
Add to token introspection | introspection.token.claim | boolean | true | Should the claim be added to the token introspection?

oid4vc

The following section contains all ProtocolMapper implementations associated with the oid4vc protocol. For each implementation we provide the "ID" of the ProtocolMapper and a table describing the supported configuration properties.

Credential Context Mapper

Assigns a context to the credential.

ID: oid4vc-context-mapper

Name | Property | Type | Default | Description
--- | --- | --- | --- | ---
Mandatory Claim | vc.mandatory | boolean | false | Indicates whether this claim must be present in the issued credential. This information is included in the credential metadata for wallet applications.
Claim Display Information | vc.display | ClaimDisplay | None | Display metadata for wallet applications to show user-friendly claim names. Provide display entries with name and locale for internationalization support.
Verifiable Credentials Context | context | String | https://www.w3.org/2018/credentials/v1 | Context of the credential.

Credential Type Mapper

Assigns a type to the credential.

ID: oid4vc-vc-type-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| Mandatory Claim | vc.mandatory | boolean | false | Indicates whether this claim must be present in the issued credential. This information is included in the credential metadata for wallet applications. |
| Claim Display Information | vc.display | ClaimDisplay | None | Display metadata for wallet applications to show user-friendly claim names. Provide display entries with name and locale for internationalization support. |
| Verifiable Credential Type | vcTypeProperty | String | None | Type of the credential. |

CredentialSubject ID Mapper

Sets an ID for the credential subject, either from the user ID or by attribute mapping.

ID: oid4vc-subject-id-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| Mandatory Claim | vc.mandatory | boolean | false | Indicates whether this claim must be present in the issued credential. This information is included in the credential metadata for wallet applications. |
| Claim Display Information | vc.display | ClaimDisplay | None | Display metadata for wallet applications to show user-friendly claim names. Provide display entries with name and locale for internationalization support. |
| Token Claim Name | claim.name | String | id | Name of the claim to insert into the token. This can be a fully qualified name such as 'address.street'. If 'id' is used as the value of this property, it is mapped into the SD-JWT credential as the 'sub' claim. |
| User attribute | userAttribute | List | did | The name of the user attribute that maps to the subject ID. |

Generated ID Mapper

Assigns a generated ID to the credential’s subject. The target property can be configured, but id is used by default.

ID: oid4vc-generated-id-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| Mandatory Claim | vc.mandatory | boolean | false | Indicates whether this claim must be present in the issued credential. This information is included in the credential metadata for wallet applications. |
| Claim Display Information | vc.display | ClaimDisplay | None | Display metadata for wallet applications to show user-friendly claim names. Provide display entries with name and locale for internationalization support. |
| ID Property Name | claim.name | String | id | Name of the property to contain the generated ID. |

Issuance Date Claim Mapper

Sets the issuance date on the credential subject.

ID: oid4vc-issued-at-time-claim-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| Mandatory Claim | vc.mandatory | boolean | false | Indicates whether this claim must be present in the issued credential. This information is included in the credential metadata for wallet applications. |
| Claim Display Information | vc.display | ClaimDisplay | None | Display metadata for wallet applications to show user-friendly claim names. Provide display entries with name and locale for internationalization support. |
| Time Claim Name | claim.name | String | iat | Name of this time claim. Default is iat. |
| Truncate To Time Unit | truncateToTimeUnit | List | None | Truncate the time to the start of the selected unit. Supported: SECONDS, MINUTES, HOURS, HALF_DAYS, DAYS, WEEKS, MONTHS, YEARS. This can be used to prevent correlation of credentials based on this time value. |
| Source of Value | valueSource | List | COMPUTE | Tells the protocol mapper where to get the value from. Currently COMPUTE or VC. Default is COMPUTE, in which case this mapper computes the current time in seconds. With VC, the time is read from the verifiable credential's issuance date field. |
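The truncateToTimeUnit setting exists because a precise issuance timestamp is a correlation handle: two credentials carrying the same second-exact 'iat' were almost certainly issued to the same holder in one session. As an added example (not Keycloak's own code), the Python below truncates an epoch-second timestamp to each of the documented units, in UTC, and counts how many distinct 'iat' values a batch of issuances would leave a verifier to correlate on. Treating weeks as starting on Monday is this example's assumption; the page does not say.

```python
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# The units the table lists for truncateToTimeUnit.
TIME_UNITS = ("SECONDS", "MINUTES", "HOURS", "HALF_DAYS", "DAYS", "WEEKS", "MONTHS", "YEARS")


def truncate_issuance_time(ts: int, unit: Optional[str]) -> int:
    """Return the epoch-second timestamp truncated to the start of `unit`.

    None (the documented default) leaves the value untouched. All arithmetic
    is done in UTC so that truncation does not depend on the server's zone.
    """
    if unit is None:
        return ts
    if unit not in TIME_UNITS:
        raise ValueError(f"unsupported unit {unit!r}; expected one of {TIME_UNITS}")
    dt = datetime.fromtimestamp(ts, tz=timezone.utc).replace(microsecond=0)
    if unit == "MINUTES":
        dt = dt.replace(second=0)
    elif unit == "HOURS":
        dt = dt.replace(minute=0, second=0)
    elif unit == "HALF_DAYS":
        dt = dt.replace(hour=0 if dt.hour < 12 else 12, minute=0, second=0)
    elif unit == "DAYS":
        dt = dt.replace(hour=0, minute=0, second=0)
    elif unit == "WEEKS":
        # Assumption: weeks start on Monday (ISO weeks); the page does not say.
        dt = (dt - timedelta(days=dt.weekday())).replace(hour=0, minute=0, second=0)
    elif unit == "MONTHS":
        dt = dt.replace(day=1, hour=0, minute=0, second=0)
    elif unit == "YEARS":
        dt = dt.replace(month=1, day=1, hour=0, minute=0, second=0)
    # SECONDS: already whole seconds, nothing to drop.
    return int(dt.timestamp())


def distinct_iat_values(issuance_times: Iterable[int], unit: Optional[str]) -> int:
    """How many distinct 'iat' values a batch of credentials would carry.

    Fewer distinct values means a verifier seeing two credentials cannot tell
    from 'iat' alone whether they were issued together.
    """
    return len({truncate_issuance_time(t, unit) for t in issuance_times})


if __name__ == "__main__":
    # Constructed sample: three credentials issued within five minutes of each other.
    batch = [1_700_000_000, 1_700_000_007, 1_700_000_300]
    for unit in (None, "MINUTES", "HOURS", "DAYS"):
        print(unit, "->", distinct_iat_values(batch, unit), "distinct iat value(s)")
```

Coarser units trade the precision of 'iat' for unlinkability; choose the unit against the credential's validity window, since a DAYS truncation on a credential that is only valid for an hour makes 'iat' useless for the verifier without buying much privacy.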

Static Claim Mapper

Sets static values on the credential subject.

ID: oid4vc-static-claim-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| Mandatory Claim | vc.mandatory | boolean | false | Indicates whether this claim must be present in the issued credential. This information is included in the credential metadata for wallet applications. |
| Claim Display Information | vc.display | ClaimDisplay | None | Display metadata for wallet applications to show user-friendly claim names. Provide display entries with name and locale for internationalization support. |
| Static Claim Property Name | claim.name | String | None | Name of the property to contain the static value. |
| Static Claim Value | staticValue | String | None | Value to be set for the property. |

Target-Role Mapper

Maps the assigned roles to the credential subject, using the configured client ID as the target.

ID: oid4vc-target-role-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| Mandatory Claim | vc.mandatory | boolean | false | Indicates whether this claim must be present in the issued credential. This information is included in the credential metadata for wallet applications. |
| Claim Display Information | vc.display | ClaimDisplay | None | Display metadata for wallet applications to show user-friendly claim names. Provide display entries with name and locale for internationalization support. |
| Client ID | clientId | String | roles | The client whose roles are mapped. |

User Attribute Mapper

Maps user attributes or properties to credential claims.

ID: oid4vc-user-attribute-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| Mandatory Claim | vc.mandatory | boolean | false | Indicates whether this claim must be present in the issued credential. This information is included in the credential metadata for wallet applications. |
| Claim Display Information | vc.display | ClaimDisplay | None | Display metadata for wallet applications to show user-friendly claim names. Provide display entries with name and locale for internationalization support. |
| Token Claim Name | claim.name | String | None | Name of the claim to insert into the token. This can be a fully qualified name such as 'address.street'. In this case, a nested JSON object is created. To prevent nesting and use the dot literally, escape the dot with a backslash (\.). |
| User Attribute | userAttribute | UserProfileAttributeList | None | Name of the stored user attribute, which is the name of an attribute within the UserModel.attribute map. |
| Aggregate attributes | aggregateAttributes | boolean | None | Should the mapper aggregate user attributes? |
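The claim.name description above carries a parsing rule that is easy to get wrong: a dot nests, a backslash-escaped dot is literal. As an added example (not Keycloak's own code), the Python below implements that rule as a small claim-name parser and uses it to place mapped user attributes into a nested claims object, refusing the case where one mapper wants a claim to be an object and another wants it to be a scalar. The helper names and the constructed user attributes are this example's own; it treats each user attribute as single-valued, which is an assumption.

```python
from typing import Any, Dict, List


def split_claim_name(claim_name: str) -> List[str]:
    """Split a claim name on unescaped dots; a backslash-escaped dot is literal."""
    segments: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(claim_name):
        ch = claim_name[i]
        if ch == "\\" and i + 1 < len(claim_name) and claim_name[i + 1] == ".":
            current.append(".")  # '\.' keeps the dot inside the segment
            i += 2
        elif ch == ".":
            segments.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    segments.append("".join(current))
    if any(seg == "" for seg in segments):
        raise ValueError(f"empty segment in claim name {claim_name!r}")
    return segments


def set_claim(claims: Dict[str, Any], claim_name: str, value: Any) -> Dict[str, Any]:
    """Insert `value` at the (possibly nested) position `claim_name` denotes."""
    path = split_claim_name(claim_name)
    node = claims
    for seg in path[:-1]:
        child = node.get(seg)
        if child is None:
            child = node[seg] = {}
        elif not isinstance(child, dict):
            # Two mappers disagree on whether `seg` is an object or a scalar.
            raise ValueError(f"claim {seg!r} already holds a non-object value")
        node = child
    node[path[-1]] = value
    return claims


def apply_user_attribute_mappers(user_attributes: Dict[str, str],
                                 mapper_configs: List[Dict[str, str]]) -> Dict[str, Any]:
    """Run several mapper configs (documented keys claim.name and userAttribute)
    over one user's attributes; attributes the user lacks are skipped."""
    claims: Dict[str, Any] = {}
    for cfg in mapper_configs:
        value = user_attributes.get(cfg["userAttribute"])
        if value is None:
            continue
        set_claim(claims, cfg["claim.name"], value)
    return claims


if __name__ == "__main__":
    # Constructed sample user and mapper configs, not taken from any realm.
    user = {"street": "1 Main St", "city": "Springfield", "email_verified": "true"}
    configs = [
        {"claim.name": "address.street", "userAttribute": "street"},
        {"claim.name": "address.city", "userAttribute": "city"},
        {"claim.name": r"email\.verified", "userAttribute": "email_verified"},
        {"claim.name": "phone", "userAttribute": "phone"},  # user has no phone
    ]
    print(apply_user_attribute_mappers(user, configs))
```

The collision check matters in practice: a client-scope mapper writing `address` as a string and another writing `address.street` cannot both be honoured, and surfacing that at configuration time beats discovering it in a malformed credential.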

saml

The following section contains all ProtocolMapper implementations associated with the saml protocol. For each implementation we provide the "ID" of the ProtocolMapper and a table describing the supported configuration properties.

Audience

Add specified audience to the audience conditions in the assertion.

ID: saml-audience-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| Included Client Audience | included.client.audience | ClientList | None | The Client ID of the specified audience client will be included in the audience (aud) field of the token. If the token includes audiences, the specified value is added to them. It will not override existing audiences. |
| Included Custom Audience | included.custom.audience | String | None | This is used only if 'Included Client Audience' is empty. The specified value is included in the audience (aud) field of the token. If the token already contains audiences, the specified value is added to those audiences, without overriding them. |
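The two settings above have a precedence rule and a non-override guarantee that are worth seeing in code. As an added example (not Keycloak's own code), the Python below applies one or more Audience mapper configs to an existing audience list: a client audience wins, the custom audience is used only when the client audience is empty, and existing audiences are kept. Skipping an audience that is already present is this example's assumption; the page only says the value is added.

```python
from typing import Dict, List, Optional


def resolve_audiences(existing: List[str], config: Dict[str, str]) -> List[str]:
    """Apply the documented precedence of one Audience mapper's settings.

    included.client.audience wins; included.custom.audience is used only when
    the client audience is empty. Existing audiences are never removed.
    """
    client_audience = (config.get("included.client.audience") or "").strip()
    custom_audience = (config.get("included.custom.audience") or "").strip()
    chosen: Optional[str] = client_audience or custom_audience or None
    result = list(existing)  # copy: never mutate the caller's list
    if chosen and chosen not in result:  # assumption: no duplicate entries
        result.append(chosen)
    return result


def apply_audience_mappers(existing: List[str],
                           configs: List[Dict[str, str]]) -> List[str]:
    """Run several Audience mappers in order; each one only ever adds."""
    audiences = list(existing)
    for cfg in configs:
        audiences = resolve_audiences(audiences, cfg)
    return audiences


if __name__ == "__main__":
    # Constructed sample configs; the client IDs are placeholders.
    configs = [
        {"included.client.audience": "reporting-api", "included.custom.audience": "urn:ignored"},
        {"included.client.audience": "", "included.custom.audience": "urn:example:partner"},
    ]
    print(apply_audience_mappers(["billing-api"], configs))
```

Because mappers only add, the audience list grows with every scope that carries one; when reviewing a client's scopes, check the resulting 'aud' against what each recipient actually needs to accept rather than trusting any single mapper's view.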

Audience Resolve

Adds all client_ids of "allowed" clients to the audience conditions in the assertion. An allowed client is any SAML client for which the user has at least one client role.

ID: saml-audience-resolve-mapper

AuthnContextClassRef mapper

Add the AuthnContextClassRef to the AuthContext with the Level of Assurance if present.

ID: saml-authn-context-class-ref-mapper

Group list

Group names are stored in an attribute value. Depending on how you configure it, there is either one attribute with multiple attribute values, or one attribute per group name. You can also specify the attribute name, e.g. 'member' or 'memberOf'.

ID: saml-group-membership-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| Group attribute name | attribute.name | String | member | Name of the SAML attribute you want to put your groups into, e.g. 'member' or 'memberOf'. |
| Friendly Name | friendly.name | String | None | Standard SAML attribute setting. An optional, more human-readable form of the attribute’s name that can be provided if the actual attribute name is cryptic. |
| SAML Attribute NameFormat | attribute.nameformat | List | None | SAML Attribute NameFormat. Can be basic, URI reference, or unspecified. |
| Single Group Attribute | single | boolean | true | If true, all groups will be stored under one attribute with multiple attribute values. |
| Full group path | full.path | boolean | true | Include the full path to the group, e.g. /top/level1/level2. If false, only the group name is used. |

Hardcoded attribute

Hardcode an attribute into the SAML Assertion.

ID: saml-hardcode-attribute-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| Friendly Name | friendly.name | String | None | Standard SAML attribute setting. An optional, more human-readable form of the attribute’s name that can be provided if the actual attribute name is cryptic. |
| SAML Attribute Name | attribute.name | String | None | SAML Attribute Name |
| SAML Attribute NameFormat | attribute.nameformat | List | None | SAML Attribute NameFormat. Can be basic, URI reference, or unspecified. |
| Attribute value | attribute.value | String | None | Value of the attribute you want to hard code. |

Hardcoded role

Hardcodes a role into the SAML Assertion.

ID: saml-hardcode-role-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| Role | role | Role | None | Arbitrary role name you want to hardcode. This role does not have to exist in the current realm and can be any string you need. |

Organization Group Membership

Add attributes to the assertion with information about the organization group membership.

ID: saml-organization-group-membership-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| Add group role mappings | addGroupRoleMappings | boolean | false | addGroupRoleMappings.help |

Organization Membership

Add an attribute to the assertion with information about the organization membership.

ID: saml-organization-membership-mapper

User Attribute

Map a custom user attribute to a SAML attribute.

ID: saml-user-attribute-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| User Attribute | user.attribute | UserProfileAttributeList | None | Name of the stored user attribute, which is the name of an attribute within the UserModel.attribute map. |
| Friendly Name | friendly.name | String | None | Standard SAML attribute setting. An optional, more human-readable form of the attribute’s name that can be provided if the actual attribute name is cryptic. |
| SAML Attribute Name | attribute.name | String | None | SAML Attribute Name |
| SAML Attribute NameFormat | attribute.nameformat | List | None | SAML Attribute NameFormat. Can be basic, URI reference, or unspecified. |
| Aggregate attribute values | aggregate.attrs | boolean | None | Indicates whether attribute values should be aggregated with the group attributes. If using the OpenID Connect mapper, the multivalued option needs to be enabled too in order to get all the values. Duplicated values are discarded and the order of values is not guaranteed with this option. |

User Property

Map a built-in user property (email, firstName, lastName) to a SAML attribute.

ID: saml-user-property-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| Property | user.attribute | UserProfileAttributeList | None | Name of the property method in the UserModel interface. For example, a value of 'email' would reference the UserModel.getEmail() method. |
| Friendly Name | friendly.name | String | None | Standard SAML attribute setting. An optional, more human-readable form of the attribute’s name that can be provided if the actual attribute name is cryptic. |
| SAML Attribute Name | attribute.name | String | None | SAML Attribute Name |
| SAML Attribute NameFormat | attribute.nameformat | List | None | SAML Attribute NameFormat. Can be basic, URI reference, or unspecified. |

User Session Note

Map a user session note to a SAML attribute.

ID: saml-user-session-note-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| User Session Note Attribute | note | String | None | The user session note you want to grab the value from. |
| Friendly Name | friendly.name | String | None | Standard SAML attribute setting. An optional, more human-readable form of the attribute’s name that can be provided if the actual attribute name is cryptic. |
| SAML Attribute Name | attribute.name | String | None | SAML Attribute Name |
| SAML Attribute NameFormat | attribute.nameformat | List | None | SAML Attribute NameFormat. Can be basic, URI reference, or unspecified. |

Role Name Mapper

Map an assigned role to a new name.

ID: saml-role-name-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| Role | role | Role | None | Role name you want changed. Click the 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, e.g. myclient.myrole. |
| New Role Name | new.role.name | String | None | The new role name. |

Role list

Role names are stored in an attribute value. Depending on how you configure it, there is either one attribute with multiple attribute values, or one attribute per role name. You can also specify the attribute name, e.g. 'Role' or 'memberOf'.

ID: saml-role-list-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| Role attribute name | attribute.name | String | Role | Name of the SAML attribute you want to put your roles into, e.g. 'Role' or 'memberOf'. |
| Friendly Name | friendly.name | String | None | Standard SAML attribute setting. An optional, more human-readable form of the attribute’s name that can be provided if the actual attribute name is cryptic. |
| SAML Attribute NameFormat | attribute.nameformat | List | None | SAML Attribute NameFormat. Can be basic, URI reference, or unspecified. |
| Single Role Attribute | single | boolean | true | If true, all roles will be stored under one attribute with multiple attribute values. |
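The Group list and Role list mappers above describe the same shaping choice: one attribute with many values versus one attribute per value, plus (for groups) full path versus bare name. As an added example (not Keycloak's own code), the Python below applies those documented keys (attribute.name, single, full.path) to constructed group paths and role names and renders the resulting SAML 2.0 AttributeStatement with the standard library, so the two shapes a service provider might receive can be compared side by side. The mapping of the documented NameFormat choices onto the standard attrname-format URNs and the helper names are this example's own.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Assumption: the documented NameFormat choices map to these standard URNs.
NAME_FORMATS = {
    "basic": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
    "uri reference": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "unspecified": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
}

Attribute = Tuple[str, List[str]]  # (attribute name, attribute values)


def list_attributes(values: List[str], config: Dict[str, str],
                    default_name: str) -> List[Attribute]:
    """Shape values the way the documented `single` and `full.path` keys describe."""
    name = config.get("attribute.name", default_name)
    single = config.get("single", "true") == "true"
    full_path = config.get("full.path", "true") == "true"
    shaped = [v if full_path else v.rstrip("/").rsplit("/", 1)[-1] for v in values]
    if single:
        return [(name, shaped)]          # one attribute, many AttributeValue children
    return [(name, [v]) for v in shaped]  # one attribute per value


def group_attributes(group_paths: List[str], config: Dict[str, str]) -> List[Attribute]:
    """Group list mapper: documented default attribute name is 'member'."""
    return list_attributes(group_paths, config, "member")


def role_attributes(role_names: List[str], config: Dict[str, str]) -> List[Attribute]:
    """Role list mapper: documented default attribute name is 'Role'; roles have no path."""
    cfg = dict(config)
    cfg["full.path"] = "true"  # never strip anything from a role name
    return list_attributes(role_names, cfg, "Role")


def attribute_statement(attributes: List[Attribute], name_format: str = "basic",
                        friendly_name: Optional[str] = None) -> str:
    """Render an AttributeStatement element as XML text."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, values in attributes:
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                             Name=name, NameFormat=NAME_FORMATS[name_format.lower()])
        if friendly_name:
            attr.set("FriendlyName", friendly_name)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample groups and roles, not taken from any realm.
    groups = ["/top/level1/level2", "/other"]
    print(attribute_statement(group_attributes(groups, {"full.path": "false"})))
    print(attribute_statement(group_attributes(groups, {"single": "false"}), "URI Reference"))
    print(attribute_statement(role_attributes(["admin", "myclient.myrole"], {"attribute.name": "memberOf"})))
```

Full paths are the safer default when group names repeat under different parents: stripping to the bare name collapses /finance/admins and /lab/admins into the same 'admins' value at the service provider.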

User Attribute Mapper For NameID

Map user attribute to SAML NameID value.

ID: saml-user-attribute-nameid-mapper

| Name | Property | Type | Default | Description |
|---|---|---|---|---|
| name-id-format | mapper.nameid.format | List | None | This mapper is applied only if the NameID format of the incoming AuthnRequest is equal to this value. |
| User Attribute | user.attribute | UserProfileAttributeList | None | Name of the stored user attribute, which is the name of an attribute within the UserModel.attribute map. |

docker-v2

The following section contains all ProtocolMapper implementations associated with the docker-v2 protocol. For each implementation we provide the "ID" of the ProtocolMapper and a table describing the supported configuration properties.

Allow All

Allows all grants, returning the full set of requested access attributes as permitted attributes.

ID: docker-v2-allow-all-mapper
