Cannot map OpenID user to roles in Kibana

I am using the latest 1.10.0 version of Elasticsearch and Kibana with Keycloak 11.0.0. There are no problems with OIDC user login. The problem is with mapping users to roles. If the mapping is made through the yaml file, even when there is no such internal user, everything works (and the OIDC user is in the “Internal user” section of the mapping). Adding the OIDC user to this section through the GUI does not work. Adding the OIDC user as an External Identity doesn’t help. Only * in the section allows the OIDC user to be mapped, but this will map any OIDC user to the same role. What is the “External Identity” for an OIDC user? Where can I find this for a particular OIDC user?
I already tried email, name, and email/name with * around them; nothing worked.