Actions not working for SAML2 application settings (mapping) as rules

We have an application using the SAML2 WEBAPP Addon. For that we set up our login flow with rules, and everything has been working great. Now Auth0 is deprecating Rules in favor of Actions, so we started migrating from our Rules to Actions. During the process we created an action based on our rule, but the login is not working as expected. I submitted a ticket here but was told there is no problem with my action but with the SAML2 addon setting.
From this documentation:
Migrate from Rules to Actions: “Actions cannot modify SAML assertions or attributes like Rules can.”
In my setting, the role metadata is being set for the user, so that it can be used by the SAML2 app settings “mappings”.

The mappings take the user metadata, and they put it into the SAML response using that mapping.

So for “Rules” it was working… The rule updated the user metadata, and then SAML used that metadata in the mapping.

But for Actions it does not work… the changes to user metadata do not appear to be accessible by the SAML mapping.

Please can you advise how the setting can be adjusted so it can be read by my Action?
Here are my application settings (SAML2 WEBAPP addon) working with the rule:

{
  "audience": "https://XXX.com/metadata/app",
  "mappings": {
    "rule_aw_role": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "rule_aw_account": "AppAccount"
  },
  "signingCert": "-----BEGIN CERTIFICATE-----\XXXXXXX\n-----END CERTIFICATE-----\n",
  "logout": {
    "callback": "https://XXX.com/logout",
    "slo_enabled": true
  }
}

Here is the action code I am using.

exports.onExecutePostLogin = async (event, api) => {
  const ManagementClient = require('auth0').ManagementClient;

  const management = new ManagementClient({
      domain: event.secrets.Domain,
      clientId: event.secrets.ClientID,
      clientSecret: event.secrets.ClientSecret,
  });

  management.users.getUserOrganizations({ id: event.user.user_id }, function (err, orgs) {
    if (err) {
      return api.access.deny(`An internal error (${err.statusCode}) occured. Try again later. If you have any questions, please contact your Client Success Coordinator.`);
    }

    if (!orgs || orgs.length === 0) {
      return api.access.deny("User is not assigned to an organization. If you have any questions, please contact your Client Success Coordinator.");
    }

    if (orgs.length > 1) {
      return api.access.deny("User cannot belong to multiple organizations. If you have any questions, please contact your Client Success Coordinator.");
    }

    event.user.user_metadata.rule_sx= orgs[0].metadata.org_sx;
    event.user.user_metadata.rule_ar = orgs[0].metadata.org_ar;
      
    if (orgs[0].metadata.disableMFA) {
        api.multifactor.enable("none")
    };
    
    if (orgs[0].metadata.everydayMFA) {
        api.multifactor.enable("any",{ "allowRememberBrowser": false })
    };

    if (orgs[0].metadata.DISABLE) {
      return api.access.deny("Organization Account Disabled. If you have any questions, please contact your Client Success Coordinator.");
    }

    if (event.user.user_metadata.rule_ar === undefined || event.user.user_metadata.rule_ar === null || event.user.user_metadata.rule_ar.trim() === "") {
      return api.access.deny("Organization arrow_account undefined. If you have any questions, please contact your Client Success Coordinator.");
    }

    management.users.getRoles({ id: event.user.user_id }, function (err, roles) {
      if (err) {
        return api.access.deny(`An internal error (${err.statusCode}) occured. Try again later. If you have any questions, please contact your Client Success Coordinator.`);
      }

      if (!roles || roles.length === 0) {
        return api.access.deny("User is not assigned a role. If you have any questions, please contact your Client Success Coordinator.");
      }

      if (roles.length > 2) {
        return api.access.deny("User cannot have more than two roles. If you have any questions, please contact your Client Success Coordinator.");
      }

      for (let i = 0; i < roles.length; i++) {
        if (roles[i].name.startsWith("Ar")) {
          event.user.user_metadata.rule_ar = roles[i].name.split(":")[1];
        } else if (roles[i].name.startsWith("Sx:")) {
          event.user.user_metadata.rule_sx = roles[i].name.split(":")[1];
        }
      }  
    
      var expiration_days = 90;
      if (orgs[0].metadata.password_expiration_days) {
        expiration_days = orgs[0].metadata.password_expiration_days;
      }

      function daydiff(first, second) {
        return (second - first) / (1000 * 60 * 60 * 24);
      }

      const last_password_change = event.user.last_password_reset || event.user.created_at;

      if (daydiff(new Date(last_password_change), new Date()) > expiration_days) {
        return api.access.deny("Your password has expired. Login with the link below and click on 'Forgot Password' to reset your password. If you have any questions, please contact your Client Success Coordinator.");
      }

      return;
    });
  });
};

Please help!! Thank you.
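
One way the flow in the post above could be written so that every lookup is awaited and the values are set with `api.samlResponse.setAttribute` from Auth0's post-login Actions API instead of by mutating `event.user.user_metadata`; this is an added example, not the poster's code or Auth0's. Assumptions: the pairing of `rule_sx`/`rule_ar` to the two claim names, the `makeHandler` wrapper and the promise-returning `management` object are hypothetical, and the MFA and password-expiry branches are left out.

```javascript
// Added example with constructed stubs; the key-to-claim pairing below is an assumption.
const SAML_CLAIMS = {
  rule_sx: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
  rule_ar: "AppAccount",
};

// Same precedence as the post: organization metadata first, then role names override.
function deriveAttributes(org, roles) {
  const attrs = { rule_sx: org.metadata.org_sx, rule_ar: org.metadata.org_ar };
  for (const { name } of roles) {
    if (name.startsWith("Ar")) attrs.rule_ar = name.split(":")[1];
    else if (name.startsWith("Sx:")) attrs.rule_sx = name.split(":")[1];
  }
  return attrs;
}

// `management` is a hypothetical client whose methods return promises.
function makeHandler(management) {
  return async function onExecutePostLogin(event, api) {
    const id = event.user.user_id;
    const orgs = await management.getUserOrganizations({ id });
    if (!orgs || orgs.length !== 1) return api.access.deny("Exactly one organization is required.");
    if (orgs[0].metadata.DISABLE) return api.access.deny("Organization Account Disabled.");
    const roles = await management.getRoles({ id });
    if (!roles || roles.length === 0 || roles.length > 2) return api.access.deny("One or two roles are required.");
    const attrs = deriveAttributes(orgs[0], roles);
    if (!attrs.rule_ar || attrs.rule_ar.trim() === "") return api.access.deny("Account undefined.");
    // Every await above has settled, so these calls happen before the handler resolves.
    for (const [key, claim] of Object.entries(SAML_CLAIMS)) {
      if (attrs[key] !== undefined) api.samlResponse.setAttribute(claim, attrs[key]);
    }
  };
}

// Constructed recorder for the calls the handler makes on `api`.
function makeApi() {
  const calls = [];
  const access = { deny: (reason) => calls.push(["deny", reason]) };
  const samlResponse = { setAttribute: (name, value) => calls.push(["saml", name, value]) };
  return { calls, access, samlResponse };
}

// Constructed sample login: one organization, one "Sx:" role.
async function demo() {
  const api = makeApi();
  const orgs = [{ metadata: { org_sx: "basic", org_ar: "acct-001" } }];
  const management = { getUserOrganizations: async () => orgs, getRoles: async () => [{ name: "Sx:admin" }] };
  await makeHandler(management)({ user: { user_id: "auth0|constructed" } }, api);
  return api.calls;
}
```

In the posted Action the Management API calls take callbacks inside an `async` function, so the function's promise resolves before any of the `api.access.deny` checks or metadata assignments inside those callbacks have run.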

Hey there!

As this topic is related to Rules - Hooks - Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!

Hi, we’re facing the same issue. Was there an answer to this question about how to inject Auth0 roles into the SAML response generated by the SAML2 Web App plugin, using Actions? Please can you post it within this thread.