Keycloak "Advanced Claim To Group" identity provider mapper example

I am using Keycloak 18.0.2. Okta is one of my configured Identity Providers. I am using the OIDC provider (not SAML). I want to map the incoming groups claim from Okta to a user group I defined in Keycloak. I cannot find a lot of examples on how to search for a specific incoming group in the incoming list (the groups claim from Okta is a list, aka an array). Meaning, in Okta, if I preview my token for the Okta authorization server, the token looks like this:

{
  ...
  "scp": [
    "openid"
  ],
  "auth_time": 1000,
  "sub": "[email protected]",
  ...
  "groups": [
    "Group1",
    "Group2",
    "Group3"
  ]...
}

In Keycloak, I defined a user group called something like "AsiaPacific". In the Keycloak identity provider mapper detail screen, I want to say that if the incoming groups claim contains "Group1" then map to the group "AsiaPacific", but I cannot seem to make it work. What do I put in the "name" and "value" fields here, since no matter what I specify, it does not seem to work? Again, the value of the incoming groups claim is not a string but an array of strings. Thanks in advance.

[Screenshot: Identity Provider Mapper in Keycloak]

Chaudoin asked 29/7, 2022 at 23:33

Got it to work. After debugging the Keycloak code, I figured out the issue. Long story short, the groups claim defined in my Okta Authorization Server was being passed in the "access" token, named "FEDERATED_ACCESS_TOKEN_RESPONSE". The Keycloak code expects to see the groups claim coming from Okta in either the "VALIDATED_ID_TOKEN" or the "VALIDATED_ACCESS_TOKEN" token. See github.com/keycloak/keycloak/discussions/13646 for details.

Chaudoin answered 11/8, 2022 at 3:36
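To make the question's "name"/"value" puzzle and the answer's token-lookup finding concrete, here is an added Python model of what the Advanced Claim To Group mapper does at login time. It is an illustration written for this thread, not Keycloak's own code and not something either poster provided. It assumes the stored config-key names `claims`, `are.claim.values.regex`, `group` and `syncMode`, a dot-separated claim path, and whole-value regex matching; check each of those against an export of your own realm before relying on it. The security-relevant point it shows is that the mapper only reads the signature-validated, parsed tokens (`VALIDATED_ID_TOKEN`, `VALIDATED_ACCESS_TOKEN`), never the raw token response, so a groups claim that is present only in an unparsed access token silently fails to match, and group membership is only ever derived from claims Keycloak has verified.

```python
"""Toy model of how Keycloak's "Advanced Claim To Group" IdP mapper finds and
matches a claim.  Added illustration for this thread, not Keycloak's own code."""
import json
import re

# Keys in the brokered-login context data, as named in the answer above.
VALIDATED_ID_TOKEN = "VALIDATED_ID_TOKEN"
VALIDATED_ACCESS_TOKEN = "VALIDATED_ACCESS_TOKEN"
FEDERATED_ACCESS_TOKEN_RESPONSE = "FEDERATED_ACCESS_TOKEN_RESPONSE"


def lookup_claim(claims, name):
    """Walk a dot-separated claim path ("groups", "realm_access.roles").
    Assumption: mirrors the dot notation the mapper's claim key accepts."""
    node = claims
    for part in name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def get_claim_value(context, name):
    """Search only the signature-validated, parsed tokens.  The raw token
    response under FEDERATED_ACCESS_TOKEN_RESPONSE is never consulted, so a
    groups claim that only lives in an unparsed Okta access token is invisible."""
    for key in (VALIDATED_ID_TOKEN, VALIDATED_ACCESS_TOKEN):
        token = context.get(key)
        if token is None:
            continue
        value = lookup_claim(token, name)
        if value is not None:
            return value
    return None


def value_matches(expected, actual, regex=False):
    """A list-valued claim (Okta's "groups") matches if any element matches."""
    if isinstance(actual, list):
        return any(value_matches(expected, item, regex) for item in actual)
    if actual is None:
        return False
    if regex:  # assumption: whole-value match, so "Group" does not match "Group1"
        return re.fullmatch(expected, str(actual)) is not None
    return str(actual) == expected


def mapper_applies(mapper_config, context):
    """config["claims"] holds the JSON the "Claims" field stores:
    [{"key": <claim name>, "value": <expected value>}, ...]; every pair must match."""
    pairs = json.loads(mapper_config["claims"])
    regex = mapper_config.get("are.claim.values.regex", "false") == "true"
    return all(
        value_matches(pair["value"], get_claim_value(context, pair["key"]), regex)
        for pair in pairs
    )


def sync_groups(mapper_config, context, current_groups):
    """Sync mode FORCE: join the target group when the mapper applies, leave it
    otherwise, so a user dropped from the Okta group also loses the Keycloak group."""
    groups = set(current_groups)
    if mapper_applies(mapper_config, context):
        groups.add(mapper_config["group"])
    else:
        groups.discard(mapper_config["group"])
    return sorted(groups)


# Constructed sample data modelled on the question (not a real Okta token).
OKTA_ID_TOKEN = {"sub": "user@example.com", "aud": "0oa-example"}
OKTA_ACCESS_TOKEN = {
    "sub": "user@example.com",
    "scp": ["openid"],
    "groups": ["Group1", "Group2", "Group3"],
}

# What the mapper's "Claims" field should contain for the question's case:
# key is the claim name, value is one element of the array.
MAPPER = {
    "claims": json.dumps([{"key": "groups", "value": "Group1"}]),
    "are.claim.values.regex": "false",
    "group": "/AsiaPacific",
    "syncMode": "FORCE",
}


def context_before_fix():
    """Groups only reach Keycloak inside the raw token response (the answer's failure)."""
    return {
        VALIDATED_ID_TOKEN: OKTA_ID_TOKEN,
        FEDERATED_ACCESS_TOKEN_RESPONSE: {
            "token_type": "Bearer",
            "access_token": "<unparsed JWT carrying the groups claim>",
        },
    }


def context_after_fix():
    """The access token has been validated and parsed, so its claims are searchable."""
    return {VALIDATED_ID_TOKEN: OKTA_ID_TOKEN, VALIDATED_ACCESS_TOKEN: OKTA_ACCESS_TOKEN}


if __name__ == "__main__":
    print("before:", sync_groups(MAPPER, context_before_fix(), ["/Staff"]))
    print("after: ", sync_groups(MAPPER, context_after_fix(), ["/Staff"]))
```

Run as-is it prints the user's groups before and after the access-token claims become searchable. Two things to carry back to the real mapper: the `claims` field is a JSON list of key/value pairs and a single array element is enough for a match, and with sync mode FORCE the mapper removes the group again when the claim stops matching, which is the behaviour you want when Okta is the source of truth for membership.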
