An external claim is a single string your identity provider hands out for each group or role a user is in. You map each value to one of your internal role names so policies can stay written against clean names (Finance, Sales) regardless of how your IdP formats the data.
oidc Keycloak / generic OIDC groups claim
Each entry in the groups array becomes a row below. Typical format is a slug.
| acme-sales-team | → | Sales |
| acme-finance-analysts | → | Finance |
| acme-platform-eng | → | Engineering |
okta Okta groups
Pulled from the groups custom claim you configure on the authorization server.
| Acme-Sales-All | → | Sales |
| Acme-HR-Admins | → | HR |
| Acme-FinOps | → | Finance |
active_directory Microsoft Entra ID (Azure AD)
By default groups come through as GUIDs. Configure group name claims to get readable values.
| a4c28f50-3d10-4cbb-9e1b-6c07d8a38a1e | → | Engineering |
| c8f91e6b-7b24-4cd9-b14a-2fcb0a1fd882 | → | Legal |
oidc Auth0 custom claim namespaces
Auth0 requires custom claims to be namespaced. The whole string is the claim value.
| https://acme.com/role=sales-rep | → | Sales |
| https://acme.com/role=hr-admin | → | HR |
At runtime: the gateway looks up the incoming claim string in this table, resolves it to your internal role, and evaluates policies against that. Unknown claims fall through unmapped — the agent's role string is used as-is.