Thank you for your input.
Yes, looks like I missed pointing out the “,” in the “Role Name” between AWS ARNs.
Regarding correct ARN specification or any other details in configuring AWS SAML Identity Provider, one should always consult AWS documentation.
It has clear examples of how it should be configured and what information AWS expects from the Keycloak IDP.
I’ll update the images.