Identity Server can send roles in an authentication assertion. You can map these roles that are received from trusted providers to your own roles. Figure 6-4 illustrates this process.
Figure 6-4 Role Mapping
In this example, employees authenticate to identity providers example.com (Liberty) or xyz.com (SAML 2.0). Each user is assigned to a role, such as N_EmployeeRole or XYZ_Empl. Attribute sets at each of the identity providers are configured to exchange the All Roles attribute with the trusted service provider, DigitalAirlines.com. DigitalAirlines.com consumes the authentication assertions, then maps the incoming roles to local roles. The mapped roles at DigitalAirlines.com can be used as evaluated conditions in authorization policies, which can provide access to resources intended for the authenticated employees.