
saml adapter docs

10/7/2015 5:20:59 PM


pom.xml 42(+42 -0)


diff --git a/distribution/docs-dist/assembly.xml b/distribution/docs-dist/assembly.xml
index 9eb9c71..00862c2 100755
--- a/distribution/docs-dist/assembly.xml
+++ b/distribution/docs-dist/assembly.xml
@@ -17,11 +17,11 @@
             <outputDirectory>rest-api</outputDirectory>
         </fileSet>
         <fileSet>
-            <directory>../../docbook/target/auth-server-docs/publish/en-US</directory>
+            <directory>../../docbook/auth-server-docs/target/docbook/publish/en-US</directory>
             <outputDirectory>userguide/keycloak-server</outputDirectory>
         </fileSet>
         <fileSet>
-            <directory>../../docbook/target/saml-adapter-docs/publish/en-US</directory>
+            <directory>../../docbook/saml-adapter-docs/target/docbook/publish/en-US</directory>
             <outputDirectory>userguide/saml-client-adapter</outputDirectory>
         </fileSet>
     </fileSets>
diff --git a/distribution/docs-dist/src/index.html b/distribution/docs-dist/src/index.html
index 891f778..f196cd5 100755
--- a/distribution/docs-dist/src/index.html
+++ b/distribution/docs-dist/src/index.html
@@ -1,8 +1,11 @@
 <h1>Keyloak Documentation</h1>
 <ul>
-    <li><a href="userguide/html/index.html">Userguide HTML</a></li>
-    <li><a href="userguide/html_single/index.html">Userguide HTML Single Page</a></li>
-    <li><a href="userguide/pdf/keycloak-reference-guide-en-US.pdf">Userguide PDF</a></li>
+    <li><a href="userguide/keycloak-server/html/index.html">Server and Keycloak Adapter Userguide HTML</a></li>
+    <li><a href="userguide/keycloak-server/html_single/index.html">Server and Keycloak Adapter Userguide HTML Single Page</a></li>
+    <li><a href="userguide/keycloak-server/pdf/keycloak-reference-guide-en-US.pdf">Server and Keycloak Adapter Userguide PDF</a></li>
+    <li><a href="userguide/saml-client-adapter/html/index.html">SAML Client Adapter Userguide HTML</a></li>
+    <li><a href="userguide/saml-client-adapter/html_single/index.html">>SAML Client Adapter Userguide HTML Single Page</a></li>
+    <li><a href="userguide/saml-client-adapter/pdf/keycloak-reference-guide-en-US.pdf">SAML Client Adapter Userguide PDF</a></li>
     <li><a href="rest-api/overview-index.html">Admin REST API</a></li>
     <li><a href="javadocs/index.html">Javadocs</a></li>
 </ul>
\ No newline at end of file
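Review bot: The new single-page SAML entry, the added line beginning `<li><a href="userguide/saml-client-adapter/html_single/index.html">>SAML`, carries a stray second `>` after the opening anchor tag, so the rendered link text starts with a literal ">" character. It should read `<li><a href="userguide/saml-client-adapter/html_single/index.html">SAML Client Adapter Userguide HTML Single Page</a></li>`. The SAML PDF entry reuses the file name `keycloak-reference-guide-en-US.pdf` under `userguide/saml-client-adapter/pdf/`; that is plausible if the saml-adapter-docs docbook build emits the same name as the server guide, but it cannot be confirmed from this diff, so it is worth checking the actual output directory. The unchanged context heading `<h1>Keyloak Documentation</h1>` misspells Keycloak; it is not part of this change, so it would be a separate one-word fix.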
diff --git a/docbook/saml-adapter-docs/reference/en/en-US/modules/adapter-config.xml b/docbook/saml-adapter-docs/reference/en/en-US/modules/adapter-config.xml
index eeb3031..b112aa0 100755
--- a/docbook/saml-adapter-docs/reference/en/en-US/modules/adapter-config.xml
+++ b/docbook/saml-adapter-docs/reference/en/en-US/modules/adapter-config.xml
@@ -5,380 +5,471 @@
         look like:
     </para>
     <para>
-<programlisting><![CDATA[{
-  "realm" : "demo",
-  "resource" : "customer-portal",
-  "realm-public-key" : "MIGfMA0GCSqGSIb3D...31LwIDAQAB",
-  "auth-server-url" : "https://localhost:8443/auth",
-  "ssl-required" : "external",
-  "use-resource-role-mappings" : false,
-  "enable-cors" : true,
-  "cors-max-age" : 1000,
-  "cors-allowed-methods" : "POST, PUT, DELETE, GET",
-  "bearer-only" : false,
-  "enable-basic-auth" : false,
-  "expose-token" : true,
-   "credentials" : {
-      "secret" : "234234-234234-234234"
-   },
+<programlisting><![CDATA[
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8081/sales-post-sig/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <Keys>
+            <Key signing="true" >
+                <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
+                    <PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/>
+                    <Certificate alias="http://localhost:8080/sales-post-sig/"/>
+                </KeyStore>
+            </Key>
+        </Keys>
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleMapping>
+            <Attribute name="Role"/>
+        </RoleMapping>
+        <IDP entityID="idp"
+             signaturesRequired="true">
+        <SingleSignOnService requestBinding="POST"
+                             bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
 
-   "connection-pool-size" : 20,
-   "disable-trust-manager": false,
-   "allow-any-hostname" : false,
-   "truststore" : "path/to/truststore.jks",
-   "truststore-password" : "geheim",
-   "client-keystore" : "path/to/client-keystore.jks",
-   "client-keystore-password" : "geheim",
-   "client-key-password" : "geheim"
-}]]>
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+            <Keys>
+                <Key signing="true">
+                    <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
+                        <Certificate alias="demo"/>
+                    </KeyStore>
+                </Key>
+            </Keys>
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>]]>
 
 </programlisting>
     </para>
     <para>
         Some of these configuration switches may be adapter specific and some are common across all adapters.
         For Java adapters you can use <literal>${...}</literal> enclosure as System property replacement.
-        For example <literal>${jboss.server.config.dir}</literal>.  Also, you can obtain a template
-        for this config file from the admin console.  Go to the realm and select the application you want a template for.
-        Go to the <literal>Installation</literal> tab and this will provide you with a template that includes
-        the public key of the realm.
+        For example <literal>${jboss.server.config.dir}</literal>.
     </para>
+    <section>
+        <title>SP Element</title>
+        <para>
+            Here is the explanation of the SP element attributes
+        </para>
+        <para><![CDATA[
+<SP entityID="sp"
+    sslPolicy="ssl"
+    nameIDPolicyFormat="format"
+    forceAuthentication="true">
+...
+</SP>]]></para>
+        <para>
+            <variablelist>
+                <varlistentry>
+                    <term>entityID</term>
+                    <listitem>
+                        <para>
+                            This is the identifier for this client.  The IDP needs this value to determine
+                            who the client is that is communicating with it.
+                            <emphasis>REQUIRED.</emphasis>
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>sslPolicy</term>
+                    <listitem>
+                        <para>
+                            This is the SSL policy the adapter will enforce.  Valid values are:
+                            ALL, EXTERNAL, and NONE.  For ALL, all requests must come in via HTTPS.  For
+                            EXTERNAL, only non-private IP addresses must come over the wire via HTTPS.  For
+                            NONE, no requests are required to come over via HTTPS.  This is
+                            <emphasis>OPTIONAL.</emphasis> and defaults to EXTERNAL.
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>nameIDPolicyFormat</term>
+                    <listitem>
+                        <para>
+                            SAML clients can request a specific NameID Subject format.  Fill in this value
+                            if you want a specific format.  It must be a standard SAML format identifier, i.e.
+                            <literal>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</literal>
+                            <emphasis>OPTIONAL.</emphasis>.  By default, no special format is requested.
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>forceAuthentication</term>
+                    <listitem>
+                        <para>
+                            SAML clients can request that a user is re-authenticated even if
+                            they are already logged in at the IDP.  Set this to true if you
+                            want this.
+                            <emphasis>OPTIONAL.</emphasis>.  Set to <literal>false</literal> by default.
+                        </para>
+                    </listitem>
+                </varlistentry>
+            </variablelist>
+        </para>
+    </section>
+    <section id="sp_keys">
+        <title>SP Keys and Key elements</title>
+        <para>
+            If the IDP requires that the SP sign all of its requests and/or if the IDP will
+            encrypt assertions, you must define the keys used to do this.  For client signed
+            documents you must define both the private and public key or certificate that will
+            be used to sign documents.  For encryption, you only have to define the private key
+            that will be used to decrypt.
+        </para>
+        <para>
+            There are two ways to describe your keys.  Either they are stored within a Java KeyStore
+            or you can cut and paste the keys directly within <literal>keycloak-saml.xml</literal>
+            in the PEM format.
+        </para>
+        <para><![CDATA[
+        <Keys>
+            <Key signing="true" >
+                <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
+                    <PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/>
+                    <Certificate alias="http://localhost:8080/sales-post-sig/"/>
+                </KeyStore>
+            </Key>
+        </Keys>
+]]>
+        </para>
+        <para>
+            The <literal>Key</literal> element has two optional attributes <literal>signing</literal>
+            and <literal>encryption</literal>.  When set to true these tell the adapter what the
+            key will be used for.  If both attributes are set to true, then the key will be used for both
+            signing documents and decrypting encrypted assertions.  You must set at least one of these
+            attributes to true.
+        </para>
+        <section id="keystore">
+            <title>KeyStore element</title>
+            <para>
+                <variablelist>
+                    <varlistentry>
+                        <term>file</term>
+                        <listitem>
+                            <para>
+                                File path to the key store.
+                                <emphasis>OPTIONAL.</emphasis>  The file or resource attribute
+                                must be set.
+                            </para>
+                        </listitem>
+                    </varlistentry>
+                    <varlistentry>
+                        <term>resource</term>
+                        <listitem>
+                            <para>
+                                WAR resource path to the KeyStore.  This is a path used in method call to ServletContext.getResourceAsStream().
+                                <emphasis>OPTIONAL.</emphasis>  The file or resource attribute
+                                must be set.
+                            </para>
+                        </listitem>
+                    </varlistentry>
+                    <varlistentry>
+                        <term>password</term>
+                        <listitem>
+                            <para>
+                                The password of the KeyStore
+                                <emphasis>REQUIRED.</emphasis>
+                            </para>
+                        </listitem>
+                    </varlistentry>
+                </variablelist>
+
+            </para>
+            <para>
+                You can and must also specify references to your private keys and certificates within
+                the Java KeyStore.  The <literal>PrivateKey</literal> and <literal>Certificate</literal>
+                elements do this.  The <literal>alias</literal> attribute defines the alias within the
+                KeyStore for the key.  For <literal>PrivateKey</literal>, a password is required to access this key
+                specify that value in the <literal>password</literal> attribute.
+            </para>
+        </section>
+        <section id="key_pems">
+            <title>Key PEMS</title>
+            <para>
+                Within the <literal>Key</literal> element you alternatively declare your keys and certificates
+                directly using the sub elements <literal>PrivateKeyPem</literal>, <literal>PublicKeyPem</literal>, and
+                <literal>CertificatePem</literal>.  The values contained in these elements must conform to the
+                PEM key format.  You usually use this option if you are generating keys using <literal>openssl</literal>
+            </para>
+        </section>
+    </section>
+    <section>
+        <title>SP PrincipalNameMapping element</title>
+        <para>
+            This element is optional.  When creating a Java Principal object that you obtain from
+            methods like HttpServletRequest.getUserPrincipal(), you can define what name that is returned
+            by the Principal.getName() method.  The <literal>policy</literal> attribute defines the
+            policy used to populate this value.  The values are <literal>FROM_NAME_ID</literal>.  This policy
+            just grabs whatever the SAML subject value is.  The other is <literal>FROM_ATTRIBUTE</literal>.  This will
+            pull the value of Principal.getName() from one of the attributes in the SAML assertion received from the server.
+            The default value is <literal>FROM_NAME_ID</literal>.
+        </para>
+    </section>
+    <section>
+        <title>RoleIdentifiers element</title>
+        <para><![CDATA[
+<RoleIdentifiers>
+     <Attribute name="Role"/>
+     <Attribute name="member"/>
+     <Attribute name="memberOf"/>
+</RoleIdentifiers>
+]]></para>
+        <para>
+            This element is optional.  It defines which SAML attribute values in the assertion should be
+            mapped to a Java EE role.  By default <literal>Role</literal> attribute values are converted
+            to Java EE roles.  Some IDPs send roles via a <literal>member</literal> or <literal>memberOf</literal>
+            attribute assertion.  You define one or more <literal>Attribute</literal> elements to specify
+            which SAML attributes must be converted into roles.
+        </para>
+    </section>
+    <section>
+        <title>IDP Element</title>
+        <para>
+            Everything in the IDP element describes the settings for the IDP the SP is communicating
+            with.
+        </para>
+        <para>
+<![CDATA[
+<IDP entityID="idp"
+     signaturesRequired="true"
+     signatureAlgorithm="RSA_SHA1"
+     signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
+...
+</IDP>]]>
+        </para>
+        <para>
+            <variablelist>
+                <varlistentry>
+                    <term>entityID</term>
+                    <listitem>
+                        <para>
+                            This is the issuer ID of the IDP.
+                            <emphasis>REQUIRED.</emphasis>.
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>signaturesRequired</term>
+                    <listitem>
+                        <para>
+                            If set to true, the client adapter will sign every document
+                            it sends to the IDP.  Also, the client will expect that the IDP
+                            will be signing an documents sent to it.  This switch sets
+                            the default for all request and response types, but you will see
+                            later that you have some fine grain control over this.
+                            <emphasis>OPTIONAL.</emphasis>
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>signatureAlgorithm</term>
+                    <listitem>
+                        <para>
+                            This is the signature algorithm that the IDP expects signed documents
+                            to use
+                            <emphasis>OPTIONAL.</emphasis>.  The default value is RSA_SHA1, but
+                            you can also use RSA_256, RSA_512, and DSA_SHA1.
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>signatureCanonicalizationMethod</term>
+                    <listitem>
+                        <para>
+                            This is the signature canonicalization method that the IDP expects signed documents
+                            to use
+                            <emphasis>OPTIONAL.</emphasis>.  The default value is <literal>http://www.w3.org/2001/10/xml-exc-c14n#</literal>
+                            and should be good for most IDPs.
+                        </para>
+                    </listitem>
+                </varlistentry>
+            </variablelist>
+        </para>
+    </section>
+    <section>
+        <title>IDP SingleSignOnService sub element</title>
+        <para>
+            The <literal>SignleSignOnService</literal> sub element defines the
+            login SAML endpoint of the IDP.
+        </para>
+        <para><![CDATA[
+<SingleSignOnService signRequest="true"
+                     validateResponseSignature="true"
+                     requestBinding="post"
+                     bindingUrl="url"/>
+]]></para>
+        <para>
+            <variablelist>
+                <varlistentry>
+                    <term>signRequest</term>
+                    <listitem>
+                        <para>
+                            Should the client sign authn requests?
+                            <emphasis>OPTIONAL.</emphasis>.  Defaults to whatever the
+                            IDP <literal>signaturesRequired</literal> element value is.
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>validateResponseSignature</term>
+                    <listitem>
+                        <para>
+                            Should the client expect the IDP to sign the assertion response document
+                            sent back from an auhtn request?
+                            <emphasis>OPTIONAL.</emphasis> Defaults to whatever the
+                            IDP <literal>signaturesRequired</literal> element value is.
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>requestBinding</term>
+                    <listitem>
+                        <para>
+                            This is the SAML binding type used for communicating with the IDP
+                            <emphasis>OPTIONAL.</emphasis>.  The default value is POST, but
+                            you can set it to REDIRECT as well.
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>responseBinding</term>
+                    <listitem>
+                        <para>
+                            SAML allows the client to request what binding type it wants authn responses
+                            to use.  The values of this can be POST or REDIRECT
+                            <emphasis>OPTIONAL.</emphasis>.  The default is that the client will not request
+                            a specific binding type for responses.
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>bindingUrl</term>
+                    <listitem>
+                        <para>
+                            This is the URL for the ID login service that the client will send requests to.
+                            <emphasis>REQUIRED.</emphasis>.
+                        </para>
+                    </listitem>
+                </varlistentry>
+            </variablelist>
+        </para>
+    </section>    <section>
+    <title>IDP SingleSignOnService sub element</title>
     <para>
-        Here is a description of each item:
+        The <literal>SignleSignOnService</literal> sub element defines the
+        login SAML endpoint of the IDP.
     </para>
+    <para><![CDATA[
+<SingleLogoutService validateRequestSignature="true"
+                     validateResponseSignature="true"
+                     signRequest="true"
+                     signResponse="true"
+                     requestBinding="redirect"
+                     responseBinding="post"
+                     postBindingUrl="posturl"
+                     redirectBindingUrl="redirecturl">
+]]></para>
     <para>
         <variablelist>
             <varlistentry>
-                <term>realm</term>
-                <listitem>
-                    <para>
-                        Name of the realm representing the users of your distributed applications and services.
-                        This is
-                        <emphasis>REQUIRED.</emphasis>
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>resource</term>
-                <listitem>
-                    <para>
-                        Username of the application. Each application has a username that is used when the
-                        application connects with the Keycloak server to turn an access code into an access token
-                        (part of the OAuth 2.0 protocol). This is
-                        <emphasis>REQUIRED.</emphasis>
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>realm-public-key</term>
-                <listitem>
-                    <para>
-                        PEM format of public key. You can obtain this from the administration console.
-                        This is
-                        <emphasis>REQUIRED.</emphasis>
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>auth-server-url</term>
-                <listitem>
-                    <para>
-                        The base URL of the Keycloak Server.  All other Keycloak pages and REST services are derived
-                        from this.  It is usually of the form <literal>https://host:port/auth</literal>
-                        This is
-                        <emphasis>REQUIRED.</emphasis>
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>ssl-required</term>
-                <listitem>
-                    <para>
-                        Ensures that all communication to and from the Keycloak server from the adapter is over HTTPS.
-                        This is <emphasis>OPTIONAL</emphasis>. The default value is
-                        <emphasis>external</emphasis>
-                        meaning that HTTPS is required by default for external requests. Valid values are 'all', 'external'
-                        and 'none'.
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>use-resource-role-mappings</term>
-                <listitem>
-                    <para>
-                        If set to true, the adapter will look inside the token for application level role mappings for
-                        the
-                        user. If false, it will look at the realm level for user role mappings.
-                        This is <emphasis>OPTIONAL</emphasis>. The default value is <emphasis>false</emphasis>.
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>public-client</term>
-                <listitem>
-                    <para>
-                        If set to true, the adapter will not send credentials for the client to Keycloak.
-                        The default value is <emphasis>false</emphasis>.
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>enable-cors</term>
-                <listitem>
-                    <para>
-                        This enables CORS support. It will handle CORS preflight requests. It will also look into
-                        the access token to determine valid origins.
-                        This is <emphasis>OPTIONAL</emphasis>. The default value is <emphasis>false</emphasis>.
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>cors-max-age</term>
-                <listitem>
-                    <para>
-                        If CORS is enabled, this sets the value of the
-                        <literal>Access-Control-Max-Age</literal>
-                        header.
-                        This is <emphasis>OPTIONAL</emphasis>. If not set, this header is not returned in CORS
-                        responses.
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>cors-allowed-methods</term>
-                <listitem>
-                    <para>
-                        If CORS is enabled, this sets the value of the
-                        <literal>Access-Control-Allow-Methods</literal>
-                        header. This should be a comma-separated string.
-                        This is <emphasis>OPTIONAL</emphasis>. If not set, this header is not returned in CORS
-                        responses.
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>cors-allowed-headers</term>
-                <listitem>
-                    <para>
-                        If CORS is enabled, this sets the value of the
-                        <literal>Access-Control-Allow-Headers</literal>
-                        header. This should be a comma-separated string.
-                        This is <emphasis>OPTIONAL</emphasis>. If not set, this header is not returned in CORS
-                        responses.
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>bearer-only</term>
-                <listitem>
-                    <para>
-                        This tells the adapter to only do bearer token authentication. That is, it will not do
-                        OAuth 2.0 redirects, but only accept bearer tokens through the
-                        <literal>Authorization</literal>
-                        header.
-                        This is <emphasis>OPTIONAL</emphasis>. The default value is <emphasis>false</emphasis>.
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>enable-basic-auth</term>
-                <listitem>
-                    <para>
-                        This tells the adapter to also support basic authentication. If this option is enabled,
-                        then <emphasis>secret</emphasis> must also be provided.
-                        This is <emphasis>OPTIONAL</emphasis>. The default value is <emphasis>false</emphasis>.
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>expose-token</term>
-                <listitem>
-                    <para>
-                        If <literal>true</literal>, an authenticated browser client (via a Javascript HTTP invocation)
-                        can obtain the signed access token via the URL <literal>root/k_query_bearer_token</literal>.
-                        This is <emphasis>OPTIONAL</emphasis>. The default value is <emphasis>false</emphasis>.
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>credentials</term>
-                <listitem>
-                    <para>
-                        Specify the credentials of the application. This is an object notation where the key
-                        is the credential type and the value is the value of the credential type. Currently only
-                        <literal>password</literal>
-                        is supported.
-                        This is <emphasis>REQUIRED</emphasis>.
-                    </para>
-                </listitem>
-            </varlistentry>
-
-            <varlistentry>
-                <term>connection-pool-size</term>
-                <listitem>
-                    <para>
-                        Adapters will make separate HTTP invocations to the Keycloak Server to turn an access code
-                        into an access token.  This config option defines how many connections to the Keycloak Server
-                        should be pooled.
-                        This is <emphasis>OPTIONAL</emphasis>.  The default value is <literal>20</literal>.
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>disable-trust-manager</term>
-                <listitem>
-                    <para>
-                        If the Keycloak Server requires HTTPS and this config option is set to <literal>true</literal>
-                        you do not have to specify a truststore.  While convenient,  this setting is not recommended
-                        as you will not be verifying the host name of the Keycloak Server.
-                        This is <emphasis>OPTIONAL</emphasis>.  The default value is <literal>false</literal>.
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>allow-any-hostname</term>
+                <term>signRequest</term>
                 <listitem>
                     <para>
-                        If the Keycloak Server requires HTTPS and this config option is set to <literal>true</literal>
-                        the Keycloak Server's certificate is validated via the truststore, but host name validation is
-                        not done.  This is not a recommended.  This seting may be useful in test environments
-                        This is <emphasis>OPTIONAL</emphasis>.  The default value is <literal>false</literal>.
+                        Should the client sign logout requests it makes to the IDP?
+                        <emphasis>OPTIONAL.</emphasis>.  Defaults to whatever the
+                        IDP <literal>signaturesRequired</literal> element value is.
                     </para>
                 </listitem>
             </varlistentry>
-
             <varlistentry>
-                <term>truststore</term>
+                <term>signResponse</term>
                 <listitem>
                     <para>
-                        This setting is for Java adapters. The value is the file path to a Java keystore file.  If
-                        you prefix the path with <literal>classpath:</literal>, then the truststore will be obtained
-                        from the deployment's classpath instead.
-                        Used for outgoing HTTPS communications to the Keycloak server. Client making HTTPS
-                        requests need a way to verify the host of the server they are talking to. This is
-                        what the trustore does. The keystore contains one or more trusted
-                        host certificates or certificate authorities. You can
-                        create this truststore by extracting the public certificate of the Keycloak server's SSL
-                        keystore.
-                        This is
-                        <emphasis>OPTIONAL</emphasis>
-                        if
-                        <literal>ssl-required</literal>
-                        is
-                        <literal>none</literal>
-                        or
-                        <literal>disable-trust-manager</literal>
-                        is <literal>true</literal>.
+                        Should the client sign logout responses it sends to the IDP requests?
+                        <emphasis>OPTIONAL.</emphasis>.  Defaults to whatever the
+                        IDP <literal>signaturesRequired</literal> element value is.
                     </para>
                 </listitem>
             </varlistentry>
             <varlistentry>
-                <term>truststore-password</term>
+                <term>validateRequestSignature</term>
                 <listitem>
                     <para>
-                        Password for the truststore keystore.
-                        This is
-                        <emphasis>REQUIRED</emphasis>
-                        if
-                        <literal>truststore</literal>
-                        is set.
+                        Should the client expect signed logout request documents from the IDP?
+                        <emphasis>OPTIONAL.</emphasis> Defaults to whatever the
+                        IDP <literal>signaturesRequired</literal> element value is.
                     </para>
                 </listitem>
             </varlistentry>
             <varlistentry>
-                <term>client-keystore</term>
+                <term>validateResponseSignature</term>
                 <listitem>
                     <para>
-                        <emphasis>Not supported yet, but we will support in future versions.</emphasis>
-
-                        This setting is for Java adapters. This is the file path to a Java keystore file.
-                        This keystore contains client certificate for two-way SSL when the adapter makes
-                        HTTPS requests to the Keycloak server.
-                        This is <emphasis>OPTIONAL</emphasis>.
+                        Should the client expect signed logout response documents from the IDP?
+                        <emphasis>OPTIONAL.</emphasis> Defaults to whatever the
+                        IDP <literal>signaturesRequired</literal> element value is.
                     </para>
                 </listitem>
             </varlistentry>
             <varlistentry>
-                <term>client-keystore-password</term>
+                <term>requestBinding</term>
                 <listitem>
                     <para>
-                        <emphasis>Not supported yet, but we will support in future versions.</emphasis>
-                        Password for the client keystore.
-                        This is
-                        <emphasis>REQUIRED</emphasis>
-                        if
-                        <literal>client-keystore</literal>
-                        is set.
+                        This is the SAML binding type used for communicating SAML requests to the IDP
+                        <emphasis>OPTIONAL.</emphasis>.  The default value is POST, but
+                        you can set it to REDIRECT as well.
                     </para>
                 </listitem>
             </varlistentry>
             <varlistentry>
-                <term>client-key-password</term>
+                <term>responseBinding</term>
                 <listitem>
                     <para>
-                        <emphasis>Not supported yet, but we will support in future versions.</emphasis>
-                        Password for the client's key.
-                        This is
-                        <emphasis>REQUIRED</emphasis>
-                        if
-                        <literal>client-keystore</literal>
-                        is set.
+                        This is the SAML binding type used for communicating SAML responses to the IDP
+                        The values of this can be POST or REDIRECT
+                        <emphasis>OPTIONAL.</emphasis>.  The default value is POST, but
+                        you can set it to REDIRECT as well.
                     </para>
                 </listitem>
             </varlistentry>
             <varlistentry>
-                <term>auth-server-url-for-backend-requests</term>
+                <term>postBindingUrl</term>
                 <listitem>
                     <para>
-                        Alternative location of auth-server-url used just for backend requests. It must be absolute URI. Useful
-                        especially in cluster (see <link linkend="relative-uri-optimization">Relative URI Optimization</link>) or if you would like to use <emphasis>https</emphasis> for browser requests
-                        but stick with <emphasis>http</emphasis> for backend requests etc.
+                        This is the URL for the IDP's logout service when using the POST binding.
+                        <emphasis>REQUIRED</emphasis> if using the POST binding at all.
                     </para>
                 </listitem>
             </varlistentry>
             <varlistentry>
-                <term>always-refresh-token</term>
+                <term>redirectBindingUrl</term>
                 <listitem>
                     <para>
-                        If <emphasis>true</emphasis>, Keycloak will refresh token in every request. More info in <link linkend="refresh-token-each-req">Refresh token in each request</link> .
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>register-node-at-startup</term>
-                <listitem>
-                    <para>
-                        If <emphasis>true</emphasis>, then adapter will send registration request to Keycloak. It's <emphasis>false</emphasis>
-                        by default and useful just in cluster (See <link linkend="registration-app-nodes">Registration of application nodes to Keycloak</link>)
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>register-node-period</term>
-                <listitem>
-                    <para>
-                        Period for re-registration adapter to Keycloak. Useful in cluster. See <link linkend="registration-app-nodes">Registration of application nodes to Keycloak</link> for details.
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>token-store</term>
-                <listitem>
-                    <para>
-                        Possible values are <emphasis>session</emphasis> and <emphasis>cookie</emphasis>. Default is <emphasis>session</emphasis>,
-                        which means that adapter stores account info in HTTP Session. Alternative <emphasis>cookie</emphasis> means storage of info in cookie.
-                        See <link linkend="stateless-token-store">Stateless token store</link> for details.
-                    </para>
-                </listitem>
-            </varlistentry>
-            <varlistentry>
-                <term>principal-attribute</term>
-                <listitem>
-                    <para>
-                        OpenID Connection ID Token attribute to populate the UserPrincipal name with.  If token attribute is null, defaults to <literal>sub</literal>.
-                        Possible values are <literal>sub</literal>, <literal>preferred_username</literal>, <literal>email</literal>, <literal>name</literal>, <literal>nickname</literal>, <literal>given_name</literal>, <literal>family_name</literal>.
+                        This is the URL for the IDP's logout service when using the REDIRECT binding.
+                        <emphasis>REQUIRED</emphasis> if using the REDIRECT binding at all.
                     </para>
                 </listitem>
             </varlistentry>
         </variablelist>
     </para>
+</section>
+    <section>
+        <title>IDP Keys subelement</title>
+        <para>
+            The Keys sub element of IDP is only used to define the certificate or
+            public key to use to verify documents signed by the IDP.  It is defined
+            in the same way as the <link linkend="sp_keys">SP's Key's element</link>.  But
+            again, you only have to define one certificate or public key reference.
+        </para>
+
+    </section>
+
 </chapter>
diff --git a/examples/saml/post-with-encryption/src/main/webapp/WEB-INF/keycloak-saml.xml b/examples/saml/post-with-encryption/src/main/webapp/WEB-INF/keycloak-saml.xml
index c3132e2..a094acf 100755
--- a/examples/saml/post-with-encryption/src/main/webapp/WEB-INF/keycloak-saml.xml
+++ b/examples/saml/post-with-encryption/src/main/webapp/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/examples/saml/post-with-signature/src/main/webapp/WEB-INF/keycloak-saml.xml b/examples/saml/post-with-signature/src/main/webapp/WEB-INF/keycloak-saml.xml
index 875d52c..d098103 100755
--- a/examples/saml/post-with-signature/src/main/webapp/WEB-INF/keycloak-saml.xml
+++ b/examples/saml/post-with-signature/src/main/webapp/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/examples/saml/redirect-with-signature/src/main/webapp/WEB-INF/keycloak-saml.xml b/examples/saml/redirect-with-signature/src/main/webapp/WEB-INF/keycloak-saml.xml
index b658234..34ee414 100755
--- a/examples/saml/redirect-with-signature/src/main/webapp/WEB-INF/keycloak-saml.xml
+++ b/examples/saml/redirect-with-signature/src/main/webapp/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"

pom.xml 42(+42 -0)

diff --git a/pom.xml b/pom.xml
index 9451aab..1ad5e1a 100755
--- a/pom.xml
+++ b/pom.xml
@@ -1271,6 +1271,48 @@
             </dependency>
             <dependency>
                 <groupId>org.keycloak</groupId>
+                <artifactId>keycloak-saml-tomcat6-adapter-dist</artifactId>
+                <version>${project.version}</version>
+                <type>zip</type>
+            </dependency>
+            <dependency>
+                <groupId>org.keycloak</groupId>
+                <artifactId>keycloak-saml-tomcat7-adapter-dist</artifactId>
+                <version>${project.version}</version>
+                <type>zip</type>
+            </dependency>
+            <dependency>
+                <groupId>org.keycloak</groupId>
+                <artifactId>keycloak-saml-tomcat8-adapter-dist</artifactId>
+                <version>${project.version}</version>
+                <type>zip</type>
+            </dependency>
+            <dependency>
+                <groupId>org.keycloak</groupId>
+                <artifactId>keycloak-saml-jetty81-adapter-dist</artifactId>
+                <version>${project.version}</version>
+                <type>zip</type>
+            </dependency>
+            <dependency>
+                <groupId>org.keycloak</groupId>
+                <artifactId>keycloak-saml-jetty92-adapter-dist</artifactId>
+                <version>${project.version}</version>
+                <type>zip</type>
+            </dependency>
+            <dependency>
+                <groupId>org.keycloak</groupId>
+                <artifactId>keycloak-saml-as7-adapter-dist</artifactId>
+                <version>${project.version}</version>
+                <type>zip</type>
+            </dependency>
+            <dependency>
+                <groupId>org.keycloak</groupId>
+                <artifactId>keycloak-saml-eap6-adapter-dist</artifactId>
+                <version>${project.version}</version>
+                <type>zip</type>
+            </dependency>
+            <dependency>
+                <groupId>org.keycloak</groupId>
                 <artifactId>keycloak-testsuite-integration</artifactId>
                 <version>${project.version}</version>
             </dependency>
diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/IDPXmlParser.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/IDPXmlParser.java
index fc08e44..d1aaea9 100755
--- a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/IDPXmlParser.java
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/IDPXmlParser.java
@@ -24,16 +24,16 @@ public class IDPXmlParser extends AbstractParser {
         StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
         StaxParserUtil.validate(startElement, ConfigXmlConstants.IDP_ELEMENT);
         IDP idp = new IDP();
-        String entityID = StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.ENTITY_ID_ATTR);
+        String entityID = SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.ENTITY_ID_ATTR);
         if (entityID == null) {
             throw new ParsingException("entityID must be set on IDP");
 
         }
         idp.setEntityID(entityID);
 
-        boolean signaturesRequired = StaxParserUtil.getBooleanAttributeValue(startElement, ConfigXmlConstants.SIGNATURES_REQUIRED_ATTR);
-        idp.setSignatureCanonicalizationMethod(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.SIGNATURE_CANONICALIZATION_METHOD_ATTR));
-        idp.setSignatureAlgorithm(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.SIGNATURE_ALGORITHM_ATTR));
+        boolean signaturesRequired = SPXmlParser.getBooleanAttributeValue(startElement, ConfigXmlConstants.SIGNATURES_REQUIRED_ATTR);
+        idp.setSignatureCanonicalizationMethod(SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.SIGNATURE_CANONICALIZATION_METHOD_ATTR));
+        idp.setSignatureAlgorithm(SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.SIGNATURE_ALGORITHM_ATTR));
         while (xmlEventReader.hasNext()) {
             XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
             if (xmlEvent == null)
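Review bot: Every attribute read in this hunk now goes through SPXmlParser's static helpers, which makes IDPXmlParser depend on a sibling parser instead of on a shared utility; the second IDPXmlParser hunk and all four KeyXmlParser hunks below do the same. Since the helpers only wrap StaxParserUtil with StringPropertyReplacer, they would sit more naturally on AbstractParser (which all three parsers extend) or in a small package-private util, so a later change to SPXmlParser cannot silently alter how IDP and Key attributes are parsed. The enclosing parse method starts before this hunk, so its signature and the file's imports are not visible here.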
@@ -73,25 +73,25 @@ public class IDPXmlParser extends AbstractParser {
     protected IDP.SingleLogoutService parseSingleLogoutService(XMLEventReader xmlEventReader, boolean signaturesRequired) throws ParsingException {
         IDP.SingleLogoutService slo = new IDP.SingleLogoutService();
         StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
-        slo.setSignRequest(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_REQUEST_ATTR, signaturesRequired));
-        slo.setValidateResponseSignature(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_RESPONSE_SIGNATURE_ATTR, signaturesRequired));
-        slo.setValidateRequestSignature(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_REQUEST_SIGNATURE_ATTR, signaturesRequired));
-        slo.setRequestBinding(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.REQUEST_BINDING_ATTR));
-        slo.setResponseBinding(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.RESPONSE_BINDING_ATTR));
-        slo.setSignResponse(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_RESPONSE_ATTR, signaturesRequired));
-        slo.setPostBindingUrl(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.POST_BINDING_URL_ATTR));
-        slo.setRedirectBindingUrl(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.REDIRECT_BINDING_URL_ATTR));
+        slo.setSignRequest(SPXmlParser.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_REQUEST_ATTR, signaturesRequired));
+        slo.setValidateResponseSignature(SPXmlParser.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_RESPONSE_SIGNATURE_ATTR, signaturesRequired));
+        slo.setValidateRequestSignature(SPXmlParser.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_REQUEST_SIGNATURE_ATTR, signaturesRequired));
+        slo.setRequestBinding(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.REQUEST_BINDING_ATTR));
+        slo.setResponseBinding(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.RESPONSE_BINDING_ATTR));
+        slo.setSignResponse(SPXmlParser.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_RESPONSE_ATTR, signaturesRequired));
+        slo.setPostBindingUrl(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.POST_BINDING_URL_ATTR));
+        slo.setRedirectBindingUrl(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.REDIRECT_BINDING_URL_ATTR));
         return slo;
     }
 
     protected IDP.SingleSignOnService parseSingleSignOnService(XMLEventReader xmlEventReader, boolean signaturesRequired) throws ParsingException {
         IDP.SingleSignOnService sso = new IDP.SingleSignOnService();
         StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
-        sso.setSignRequest(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_REQUEST_ATTR, signaturesRequired));
-        sso.setValidateResponseSignature(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_RESPONSE_SIGNATURE_ATTR, signaturesRequired));
-        sso.setRequestBinding(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.REQUEST_BINDING_ATTR));
-        sso.setResponseBinding(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.RESPONSE_BINDING_ATTR));
-        sso.setBindingUrl(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.BINDING_URL_ATTR));
+        sso.setSignRequest(SPXmlParser.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_REQUEST_ATTR, signaturesRequired));
+        sso.setValidateResponseSignature(SPXmlParser.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_RESPONSE_SIGNATURE_ATTR, signaturesRequired));
+        sso.setRequestBinding(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.REQUEST_BINDING_ATTR));
+        sso.setResponseBinding(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.RESPONSE_BINDING_ATTR));
+        sso.setBindingUrl(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.BINDING_URL_ATTR));
         return sso;
     }
 
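Review bot: parseSingleLogoutService and parseSingleSignOnService store `requestBinding`, `responseBinding` and the binding URLs as raw strings with no check that the binding name is one the adapter understands, while the chapter text changed earlier in this commit documents only POST and REDIRECT as valid values. Now that the values also pass through StringPropertyReplacer, a typo or an unresolved property reference (I cannot see how StringPropertyReplacer treats those) would only surface at request time rather than as a ParsingException when the configuration is loaded. A guard after each setRequestBinding/setResponseBinding call such as `if (binding != null && !binding.equals("POST") && !binding.equals("REDIRECT")) throw new ParsingException("Unknown SAML binding: " + binding);` would make the parser fail at load time; if a later validation step already covers this, a comment pointing to it would help the next reader.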
diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/KeyXmlParser.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/KeyXmlParser.java
index 6fbd8d0..0308a56 100755
--- a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/KeyXmlParser.java
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/KeyXmlParser.java
@@ -7,8 +7,6 @@ import org.keycloak.saml.common.util.StaxParserUtil;
 
 import javax.xml.namespace.QName;
 import javax.xml.stream.XMLEventReader;
-import javax.xml.stream.XMLStreamException;
-import javax.xml.stream.events.Characters;
 import javax.xml.stream.events.EndElement;
 import javax.xml.stream.events.StartElement;
 import javax.xml.stream.events.XMLEvent;
@@ -24,8 +22,8 @@ public class KeyXmlParser extends AbstractParser {
         StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
         StaxParserUtil.validate(startElement, ConfigXmlConstants.KEY_ELEMENT);
         Key key = new Key();
-        key.setSigning(StaxParserUtil.getBooleanAttributeValue(startElement, ConfigXmlConstants.SIGNING_ATTR));
-        key.setEncryption(StaxParserUtil.getBooleanAttributeValue(startElement, ConfigXmlConstants.ENCRYPTION_ATTR));
+        key.setSigning(SPXmlParser.getBooleanAttributeValue(startElement, ConfigXmlConstants.SIGNING_ATTR));
+        key.setEncryption(SPXmlParser.getBooleanAttributeValue(startElement, ConfigXmlConstants.ENCRYPTION_ATTR));
         while (xmlEventReader.hasNext()) {
             XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
             if (xmlEvent == null)
@@ -46,13 +44,13 @@ public class KeyXmlParser extends AbstractParser {
                 key.setKeystore(parseKeyStore(xmlEventReader));
             } else if (tag.equals(ConfigXmlConstants.CERTIFICATE_PEM_ELEMENT)) {
                 StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
-                key.setCertificatePem(StaxParserUtil.getElementText(xmlEventReader));
+                key.setCertificatePem(SPXmlParser.getElementText(xmlEventReader));
             } else if (tag.equals(ConfigXmlConstants.PUBLIC_KEY_PEM_ELEMENT)) {
                 StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
-                key.setPublicKeyPem(StaxParserUtil.getElementText(xmlEventReader));
+                key.setPublicKeyPem(SPXmlParser.getElementText(xmlEventReader));
             } else if (tag.equals(ConfigXmlConstants.PRIVATE_KEY_PEM_ELEMENT)) {
                 StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
-                key.setPrivateKeyPem(StaxParserUtil.getElementText(xmlEventReader));
+                key.setPrivateKeyPem(SPXmlParser.getElementText(xmlEventReader));
             } else {
                 StaxParserUtil.bypassElementBlock(xmlEventReader, tag);
             }
@@ -65,14 +63,14 @@ public class KeyXmlParser extends AbstractParser {
         StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
         StaxParserUtil.validate(startElement, ConfigXmlConstants.KEYS_STORE_ELEMENT);
         Key.KeyStoreConfig keyStore = new Key.KeyStoreConfig();
-        keyStore.setType(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.TYPE_ATTR));
-        keyStore.setAlias(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.ALIAS_ATTR));
-        keyStore.setFile(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.FILE_ATTR));
-        keyStore.setResource(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.RESOURCE_ATTR));
+        keyStore.setType(SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.TYPE_ATTR));
+        keyStore.setAlias(SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.ALIAS_ATTR));
+        keyStore.setFile(SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.FILE_ATTR));
+        keyStore.setResource(SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.RESOURCE_ATTR));
         if (keyStore.getFile() == null && keyStore.getResource() == null) {
             throw new ParsingException("KeyStore element must have the url or classpath attribute set");
         }
-        keyStore.setPassword(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.PASSWORD_ATTR));
+        keyStore.setPassword(SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.PASSWORD_ATTR));
         if (keyStore.getPassword() == null) {
             throw new ParsingException("KeyStore element must have the password attribute set");
         }
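Review bot: The keystore `password` attribute here and the private-key `password` attribute in the next hunk now pass through StringPropertyReplacer.replaceProperties, which lets operators keep secrets out of keycloak-saml.xml by referencing a property, but neither the docbook changes in this commit nor the schema mention that these attributes accept property references. Please document the supported reference syntax on the Keys/KeyStore description and what happens when a referenced property is undefined (StringPropertyReplacer's behaviour for that case is not visible in this diff). Separately, the unchanged message `throw new ParsingException("KeyStore element must have the url or classpath attribute set")` names `url`/`classpath` while the code reads FILE_ATTR and RESOURCE_ATTR; if those constants resolve to `file`/`resource`, the message should say so. The enclosing parseKeyStore method starts before this hunk.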
@@ -97,19 +95,19 @@ public class KeyXmlParser extends AbstractParser {
             String tag = StaxParserUtil.getStartElementName(startElement);
             if (tag.equals(ConfigXmlConstants.CERTIFICATE_ELEMENT)) {
                 StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
-                keyStore.setCertificateAlias(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.ALIAS_ATTR));
+                keyStore.setCertificateAlias(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.ALIAS_ATTR));
                 if (keyStore.getCertificateAlias() == null) {
                     throw new ParsingException("KeyStore Certificate element must have the alias attribute set");
 
                 }
             } else if (tag.equals(ConfigXmlConstants.PRIVATE_KEY_ELEMENT)) {
                 StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
-                keyStore.setPrivateKeyAlias(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.ALIAS_ATTR));
+                keyStore.setPrivateKeyAlias(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.ALIAS_ATTR));
                 if (keyStore.getPrivateKeyAlias() == null) {
                     throw new ParsingException("KeyStore PrivateKey element must have the alias attribute set");
 
                 }
-                keyStore.setPrivateKeyPassword(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.PASSWORD_ATTR));
+                keyStore.setPrivateKeyPassword(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.PASSWORD_ATTR));
                 if (keyStore.getPrivateKeyPassword() == null) {
                     throw new ParsingException("KeyStore PrivateKey element must have the password attribute set");
 
diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/SPXmlParser.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/SPXmlParser.java
index f010470..34b924d 100755
--- a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/SPXmlParser.java
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/SPXmlParser.java
@@ -6,9 +6,11 @@ import org.keycloak.adapters.saml.config.SP;
 import org.keycloak.saml.common.exceptions.ParsingException;
 import org.keycloak.saml.common.parsers.AbstractParser;
 import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.util.StringPropertyReplacer;
 
 import javax.xml.namespace.QName;
 import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
 import javax.xml.stream.events.EndElement;
 import javax.xml.stream.events.StartElement;
 import javax.xml.stream.events.XMLEvent;
@@ -23,21 +25,44 @@ import java.util.Set;
  */
 public class SPXmlParser extends AbstractParser {
 
+    public static String getAttributeValue(StartElement startElement, String tag) {
+        String str = StaxParserUtil.getAttributeValue(startElement, tag);
+        if (str != null) return StringPropertyReplacer.replaceProperties(str);
+        else return str;
+    }
+
+    public static boolean getBooleanAttributeValue(StartElement startElement, String tag, boolean defaultValue) {
+        String result = getAttributeValue(startElement, tag);
+        if (result == null) return defaultValue;
+        return Boolean.valueOf(result);
+    }
+
+    public static boolean getBooleanAttributeValue(StartElement startElement, String tag) {
+        return getBooleanAttributeValue(startElement, tag, false);
+    }
+
+    public static String getElementText(XMLEventReader xmlEventReader) throws ParsingException {
+        String result = StaxParserUtil.getElementText(xmlEventReader);
+        if (result != null) result = StringPropertyReplacer.replaceProperties(result);
+        return result;
+    }
+
+
     @Override
     public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
         StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
         StaxParserUtil.validate(startElement, ConfigXmlConstants.SP_ELEMENT);
         SP sp = new SP();
-        String entityID = StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.ENTITY_ID_ATTR);
+        String entityID = getAttributeValue(startElement, ConfigXmlConstants.ENTITY_ID_ATTR);
         if (entityID == null) {
             throw new ParsingException("entityID must be set on SP");
 
         }
         sp.setEntityID(entityID);
-        sp.setSslPolicy(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.SSL_POLICY_ATTR));
-        sp.setLogoutPage(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.LOGOUT_PAGE_ATTR));
-        sp.setNameIDPolicyFormat(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.NAME_ID_POLICY_FORMAT_ATTR));
-        sp.setForceAuthentication(StaxParserUtil.getBooleanAttributeValue(startElement, ConfigXmlConstants.FORCE_AUTHENTICATION_ATTR));
+        sp.setSslPolicy(getAttributeValue(startElement, ConfigXmlConstants.SSL_POLICY_ATTR));
+        sp.setLogoutPage(getAttributeValue(startElement, ConfigXmlConstants.LOGOUT_PAGE_ATTR));
+        sp.setNameIDPolicyFormat(getAttributeValue(startElement, ConfigXmlConstants.NAME_ID_POLICY_FORMAT_ATTR));
+        sp.setForceAuthentication(getBooleanAttributeValue(startElement, ConfigXmlConstants.FORCE_AUTHENTICATION_ATTR));
         while (xmlEventReader.hasNext()) {
             XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
             if (xmlEvent == null)
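Review bot: getBooleanAttributeValue accepts any string and, via Boolean.valueOf, maps everything other than a case-insensitive `true` to false, so a misspelled value on a security-relevant attribute such as `signaturesRequired`, `validateResponseSignature` or `validateRequestSignature` silently turns signature checking off instead of failing configuration load. Since the helper is now the single entry point for every boolean attribute in the SP, IDP and Key parsers, it is the right place to reject unrecognised values with a ParsingException; the visible callers already run inside methods declaring `throws ParsingException`, so adding it to the helper's signature should be compatible (KeyXmlParser.parse's signature is outside its hunk, so confirm it there). The four new public static helpers also lack Javadoc stating that returned values have had property references expanded. In the last SPXmlParser hunk the unchanged message `"RoleMapping Attribute element must have the name attribute set"` still says RoleMapping although the example configurations in this commit rename the element to RoleIdentifiers. The parse method at the end of this hunk continues outside it.
```java
public static boolean getBooleanAttributeValue(StartElement startElement, String tag, boolean defaultValue) throws ParsingException {
    String result = getAttributeValue(startElement, tag);
    if (result == null) return defaultValue;
    if (result.equalsIgnoreCase("true")) return true;
    if (result.equalsIgnoreCase("false")) return false;
    // fail closed: an unrecognised value must not silently disable a security check
    throw new ParsingException("Attribute " + tag + " must be 'true' or 'false' but was '" + result + "'");
}

public static boolean getBooleanAttributeValue(StartElement startElement, String tag) throws ParsingException {
    return getBooleanAttributeValue(startElement, tag, false);
}

// … unchanged: getAttributeValue, getElementText, parse …
```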
@@ -60,12 +85,12 @@ public class SPXmlParser extends AbstractParser {
                 sp.setKeys(keys);
             } else if (tag.equals(ConfigXmlConstants.PRINCIPAL_NAME_MAPPING_ELEMENT)) {
                 StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
-                String policy = StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.POLICY_ATTR);
+                String policy = getAttributeValue(element, ConfigXmlConstants.POLICY_ATTR);
                 if (policy == null) {
                     throw new ParsingException("PrincipalNameMapping element must have the policy attribute set");
 
                 }
-                String attribute = StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.ATTRIBUTE_ATTR);
+                String attribute = getAttributeValue(element, ConfigXmlConstants.ATTRIBUTE_ATTR);
                 SP.PrincipalNameMapping mapping = new SP.PrincipalNameMapping();
                 mapping.setPolicy(policy);
                 mapping.setAttributeName(attribute);
@@ -107,7 +132,7 @@ public class SPXmlParser extends AbstractParser {
             String tag = StaxParserUtil.getStartElementName(startElement);
             if (tag.equals(ConfigXmlConstants.ATTRIBUTE_ELEMENT)) {
                 StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
-                String attributeValue = StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.NAME_ATTR);
+                String attributeValue = getAttributeValue(element, ConfigXmlConstants.NAME_ATTR);
                 if (attributeValue == null) {
                     throw new ParsingException("RoleMapping Attribute element must have the name attribute set");
 
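Review bot: The error message on the line after the changed `getAttributeValue` call still says `RoleMapping`, but this commit renames the enclosing element to `RoleIdentifiers` in the schema and in every config file, so an operator hitting this ParsingException will search their keycloak-saml.xml for an element that no longer exists. The message should follow the rename: `throw new ParsingException("RoleIdentifiers Attribute element must have the name attribute set");`. The enclosing method continues outside this hunk.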
diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlDeployment.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlDeployment.java
index 681e405..258f14b 100755
--- a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlDeployment.java
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlDeployment.java
@@ -67,8 +67,7 @@ public interface SamlDeployment {
 
     enum PrincipalNamePolicy {
         FROM_NAME_ID,
-        FROM_ATTRIBUTE_NAME,
-        FROM_FRIENDLY_ATTRIBUTE_NAME
+        FROM_ATTRIBUTE
     }
     PrincipalNamePolicy getPrincipalNamePolicy();
     String getPrincipalAttributeName();
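Review bot: The enum is left without any documentation after two of its three constants are replaced by `FROM_ATTRIBUTE`, and since the XSD types the `policy` attribute as plain `xs:string`, an existing config that still says `FROM_ATTRIBUTE_NAME` or `FROM_FRIENDLY_ATTRIBUTE_NAME` will not be caught by schema validation and will only fail wherever the string is mapped onto this enum. A short Javadoc on `PrincipalNamePolicy` would make the contract explicit; as I read the names, something like `/** Source of the principal name: FROM_NAME_ID uses the assertion's NameID, FROM_ATTRIBUTE uses the attribute named by getPrincipalAttributeName(). Values are matched by name from the policy attribute of PrincipalNameMapping. */` — please confirm the two derivations against the deployment code, which is not in this diff. It would also be worth stating in the commit description that the old constant names are no longer accepted.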
diff --git a/saml/client-adapter/core/src/main/resources/schema/keycloak_saml_adapter_1_6.xsd b/saml/client-adapter/core/src/main/resources/schema/keycloak_saml_adapter_1_6.xsd
index b9e0799..534c9ae 100755
--- a/saml/client-adapter/core/src/main/resources/schema/keycloak_saml_adapter_1_6.xsd
+++ b/saml/client-adapter/core/src/main/resources/schema/keycloak_saml_adapter_1_6.xsd
@@ -25,7 +25,7 @@
         <xs:all>
             <xs:element name="Keys" type="keys-type" minOccurs="0" maxOccurs="1"/>
             <xs:element name="PrincipalNameMapping" type="principal-name-mapping-type" minOccurs="0" maxOccurs="1"/>
-            <xs:element name="RoleMapping" type="role-mapping-type" minOccurs="0" maxOccurs="1"/>
+            <xs:element name="RoleIdentifiers" type="role-identifiers-type" minOccurs="0" maxOccurs="1"/>
             <xs:element name="IDP" type="idp-type" minOccurs="1" maxOccurs="1"/>
         </xs:all>
         <xs:attribute name="entityID" type="xs:string" use="required"/>
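Review bot: Renaming `RoleMapping` to `RoleIdentifiers` inside the existing `keycloak_saml_adapter_1_6.xsd` changes the 1.6 vocabulary in place rather than introducing a new schema version, so any deployed keycloak-saml.xml that validates against this schema and still uses `<RoleMapping>` stops validating with no transition path. If the 1.6 schema has not shipped yet this is fine, but that should be said in the commit description; otherwise keeping the old element as a deprecated alternative, e.g. `<xs:element name="RoleMapping" type="role-identifiers-type" minOccurs="0" maxOccurs="1"/>` next to the new one, with a comment marking it deprecated, lets existing configs keep parsing.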
@@ -70,7 +70,7 @@
         <xs:attribute name="policy" type="xs:string" use="required"/>
         <xs:attribute name="attribute" type="xs:string" use="optional"/>
     </xs:complexType>
-    <xs:complexType name="role-mapping-type">
+    <xs:complexType name="role-identifiers-type">
         <xs:choice minOccurs="0" maxOccurs="unbounded">
             <xs:element name="Attribute" maxOccurs="unbounded" minOccurs="0" type="attribute-type"/>
         </xs:choice>
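Review bot: The `policy` attribute of `principal-name-mapping-type` stays `xs:string` even though this commit fixes the accepted values to exactly `FROM_NAME_ID` and `FROM_ATTRIBUTE` in `SamlDeployment.PrincipalNamePolicy`, so a typo or a stale `FROM_ATTRIBUTE_NAME` passes schema validation and fails, if at all, only at runtime. Typing the attribute with an enumeration restriction moves that check to validation time and documents the allowed values in the one place operators look. Note that the core test resource in this commit uses `policy="policy"`, which would no longer validate if that file is checked against the schema, so it would need updating alongside.
```xml
<xs:simpleType name="principal-name-policy-type">
    <xs:restriction base="xs:string">
        <xs:enumeration value="FROM_NAME_ID"/>
        <xs:enumeration value="FROM_ATTRIBUTE"/>
    </xs:restriction>
</xs:simpleType>
<!-- … unchanged: principal-name-mapping-type, except the policy attribute … -->
        <xs:attribute name="policy" type="principal-name-policy-type" use="required"/>
```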
diff --git a/saml/client-adapter/core/src/test/resources/keycloak-saml.xml b/saml/client-adapter/core/src/test/resources/keycloak-saml.xml
index 5f88197..ef910dc 100755
--- a/saml/client-adapter/core/src/test/resources/keycloak-saml.xml
+++ b/saml/client-adapter/core/src/test/resources/keycloak-saml.xml
@@ -20,9 +20,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="policy" attribute="attribute"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="member"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp"
              signatureAlgorithm="RSA"
              signatureCanonicalizationMethod="canon"
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
index 8460a13..e042f3c 100755
--- a/testsuite/integration/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/integration/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp"
              signaturesRequired="true">
             <SingleSignOnService requestBinding="POST"
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
index 2f7c581..62c1b07 100755
--- a/testsuite/integration/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/integration/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
index c892ec7..c4aece9 100755
--- a/testsuite/integration/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/integration/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
index caaff5c..72cf80b 100755
--- a/testsuite/integration/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
+++ b/testsuite/integration/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
@@ -5,10 +5,10 @@
         logoutPage="/logout.jsp"
         forceAuthentication="false">
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="memberOf"/>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService requestBinding="POST"
                                  bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
index 51c8e0c..e268f52 100755
--- a/testsuite/integration/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
+++ b/testsuite/integration/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
index 909216d..1d06bf9 100755
--- a/testsuite/integration/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
+++ b/testsuite/integration/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
index 9a57c85..032aabf 100755
--- a/testsuite/integration/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
+++ b/testsuite/integration/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
index 20d9348..9b66e70 100755
--- a/testsuite/integration/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/integration/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp"
              signaturesRequired="true">
         <SingleSignOnService requestBinding="POST"
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
index ef9856a..5d35145 100755
--- a/testsuite/integration/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
+++ b/testsuite/integration/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
@@ -12,9 +12,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
index 7bc05f6..bcdb4a7 100755
--- a/testsuite/integration/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
+++ b/testsuite/integration/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
index 5d614fa..041d364 100755
--- a/testsuite/integration/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
+++ b/testsuite/integration/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
index 501e8f5..a9d22aa 100755
--- a/testsuite/integration/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/integration/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
@@ -5,9 +5,9 @@
         logoutPage="/logout.jsp"
         forceAuthentication="false">
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService requestBinding="POST"
                                  bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
index fa1b259..9baacaf 100755
--- a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
index 8b1bf3d..cd5ff99 100755
--- a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
index 24bfb64..d269a57 100755
--- a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
index 4fc1dfc..6210399 100755
--- a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
@@ -5,10 +5,10 @@
         logoutPage="/logout.jsp"
         forceAuthentication="false">
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="memberOf"/>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService requestBinding="POST"
                                  bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
index a8d84c1..e7f205a 100755
--- a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
index 724919b..b440776 100755
--- a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
index 1ffeb1b..532d898 100755
--- a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
index dcd6f5b..9f5d49d 100755
--- a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
index dbb9c31..332b828 100755
--- a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
@@ -12,9 +12,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
index 0415bb1..36a4435 100755
--- a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
index 4b96159..445d765 100755
--- a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
index e831ff7..bc0995c 100755
--- a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
@@ -5,9 +5,9 @@
         logoutPage="/logout.jsp"
         forceAuthentication="false">
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService requestBinding="POST"
                                  bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
index fa1b259..9baacaf 100755
--- a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
index 8b1bf3d..cd5ff99 100755
--- a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
index 24bfb64..d269a57 100755
--- a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
index 4fc1dfc..6210399 100755
--- a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
@@ -5,10 +5,10 @@
         logoutPage="/logout.jsp"
         forceAuthentication="false">
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="memberOf"/>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService requestBinding="POST"
                                  bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
index a8d84c1..e7f205a 100755
--- a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
index 724919b..b440776 100755
--- a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
index 1ffeb1b..532d898 100755
--- a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
index dcd6f5b..9f5d49d 100755
--- a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
index dbb9c31..332b828 100755
--- a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
@@ -12,9 +12,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
index 0415bb1..36a4435 100755
--- a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
index 4b96159..445d765 100755
--- a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
index e831ff7..bc0995c 100755
--- a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
@@ -5,9 +5,9 @@
         logoutPage="/logout.jsp"
         forceAuthentication="false">
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService requestBinding="POST"
                                  bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
index fa1b259..9baacaf 100755
--- a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
index 8b1bf3d..cd5ff99 100755
--- a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
index 24bfb64..d269a57 100755
--- a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
index 4fc1dfc..6210399 100755
--- a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
@@ -5,10 +5,10 @@
         logoutPage="/logout.jsp"
         forceAuthentication="false">
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="memberOf"/>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService requestBinding="POST"
                                  bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
index a8d84c1..e7f205a 100755
--- a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
index 724919b..b440776 100755
--- a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
index 1ffeb1b..532d898 100755
--- a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
index dcd6f5b..9f5d49d 100755
--- a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
index dbb9c31..332b828 100755
--- a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
@@ -12,9 +12,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
index 0415bb1..36a4435 100755
--- a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
index 4b96159..445d765 100755
--- a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
index e831ff7..bc0995c 100755
--- a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
@@ -5,9 +5,9 @@
         logoutPage="/logout.jsp"
         forceAuthentication="false">
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService requestBinding="POST"
                                  bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
index fa1b259..9baacaf 100755
--- a/testsuite/tomcat6/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
index 8b1bf3d..cd5ff99 100755
--- a/testsuite/tomcat6/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
index 24bfb64..d269a57 100755
--- a/testsuite/tomcat6/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
index 4fc1dfc..6210399 100755
--- a/testsuite/tomcat6/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
@@ -5,10 +5,10 @@
         logoutPage="/logout.jsp"
         forceAuthentication="false">
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="memberOf"/>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService requestBinding="POST"
                                  bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
index a8d84c1..e7f205a 100755
--- a/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
index 724919b..b440776 100755
--- a/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
index 1ffeb1b..532d898 100755
--- a/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
index dcd6f5b..9f5d49d 100755
--- a/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
index dbb9c31..332b828 100755
--- a/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
@@ -12,9 +12,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
index 0415bb1..36a4435 100755
--- a/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
index 4b96159..445d765 100755
--- a/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
index e831ff7..bc0995c 100755
--- a/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
@@ -5,9 +5,9 @@
         logoutPage="/logout.jsp"
         forceAuthentication="false">
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService requestBinding="POST"
                                  bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
index fa1b259..9baacaf 100755
--- a/testsuite/tomcat7/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
index 8b1bf3d..cd5ff99 100755
--- a/testsuite/tomcat7/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
index 24bfb64..d269a57 100755
--- a/testsuite/tomcat7/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
index 4fc1dfc..6210399 100755
--- a/testsuite/tomcat7/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
@@ -5,10 +5,10 @@
         logoutPage="/logout.jsp"
         forceAuthentication="false">
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="memberOf"/>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService requestBinding="POST"
                                  bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
index a8d84c1..e7f205a 100755
--- a/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
index 724919b..b440776 100755
--- a/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
index 1ffeb1b..532d898 100755
--- a/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
index dcd6f5b..9f5d49d 100755
--- a/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
index dbb9c31..332b828 100755
--- a/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
@@ -12,9 +12,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
index 0415bb1..36a4435 100755
--- a/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
index 4b96159..445d765 100755
--- a/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
index e831ff7..bc0995c 100755
--- a/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
@@ -5,9 +5,9 @@
         logoutPage="/logout.jsp"
         forceAuthentication="false">
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService requestBinding="POST"
                                  bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
index fa1b259..9baacaf 100755
--- a/testsuite/tomcat8/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/bad-client-signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
index 8b1bf3d..cd5ff99 100755
--- a/testsuite/tomcat8/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/bad-realm-signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
index 24bfb64..d269a57 100755
--- a/testsuite/tomcat8/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/encrypted-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
index 4fc1dfc..6210399 100755
--- a/testsuite/tomcat8/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/mappers/WEB-INF/keycloak-saml.xml
@@ -5,10 +5,10 @@
         logoutPage="/logout.jsp"
         forceAuthentication="false">
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="memberOf"/>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService requestBinding="POST"
                                  bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
index a8d84c1..e7f205a 100755
--- a/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-front-get/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
index 724919b..b440776 100755
--- a/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-get/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
index 1ffeb1b..532d898 100755
--- a/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-metadata/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
index dcd6f5b..9f5d49d 100755
--- a/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
index dbb9c31..332b828 100755
--- a/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post-email/WEB-INF/keycloak-saml.xml
@@ -12,9 +12,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
index 0415bb1..36a4435 100755
--- a/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post-persistent/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
index 4b96159..445d765 100755
--- a/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/signed-post-transient/WEB-INF/keycloak-saml.xml
@@ -13,9 +13,9 @@
             </Key>
         </Keys>
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService signRequest="true"
                                  validateResponseSignature="true"
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
index e831ff7..bc0995c 100755
--- a/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post/WEB-INF/keycloak-saml.xml
@@ -5,9 +5,9 @@
         logoutPage="/logout.jsp"
         forceAuthentication="false">
         <PrincipalNameMapping policy="FROM_NAME_ID"/>
-        <RoleMapping>
+        <RoleIdentifiers>
             <Attribute name="Role"/>
-        </RoleMapping>
+        </RoleIdentifiers>
         <IDP entityID="idp">
             <SingleSignOnService requestBinding="POST"
                                  bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"