We have an application using SAML2 WEBAPP Addon. for that we set our login flow with rules and everything has been working great. Now Auth0 is deprecating rules for actions so we started migrating from our Rules to Actions. During the process we created an action base of our rule but the login is not working as expected. I submitted a ticket here but was told here there is no problem with my action but the SAML2 addon setting.
From this documentation
Migrate from Rules to Actions Actions cannot modify SAML assertions or attributes like Rules can.
In my setting, The role metadata is being set for the user, so that it can be used by the SAML2 app settings “mappings”.
The mappings take the user metadata, and they put it into the SAML response using that mapping.
So for “Rules” it was working… The rule updated the user metadata, and then SAML used that metadata in the mapping.
But for Actions it does not work… the changes to user metadata do not appear to be accessible by the SAML mapping.
Please can you advice how the setting can be adjusted so it can be read by my Action?
Here is my application settings (SAML2 WEBAPP addon) working with the rule:
{
"audience": "https://XXX.com/metadata/app",
"mappings": {
"rule_aw_role": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"rule_aw_account": "AppAccount"
},
"signingCert": "-----BEGIN CERTIFICATE-----\XXXXXXX\n-----END CERTIFICATE-----\n",
"logout": {
"callback": "https://XXX.com/logout",
"slo_enabled": true
}
}
Here is the action code I am using.
exports.onExecutePostLogin = async (event, api) => {
const ManagementClient = require('auth0').ManagementClient;
const management = new ManagementClient({
domain: event.secrets.Domain,
clientId: event.secrets.ClientID,
clientSecret: event.secrets.ClientSecret,
});
management.users.getUserOrganizations({ id: event.user.user_id }, function (err, orgs) {
if (err) {
return api.access.deny(`An internal error (${err.statusCode}) occured. Try again later. If you have any questions, please contact your Client Success Coordinator.`);
}
if (!orgs || orgs.length === 0) {
return api.access.deny("User is not assigned to an organization. If you have any questions, please contact your Client Success Coordinator.");
}
if (orgs.length > 1) {
return api.access.deny("User cannot belong to multiple organizations. If you have any questions, please contact your Client Success Coordinator.");
}
event.user.user_metadata.rule_sx= orgs[0].metadata.org_sx;
event.user.user_metadata.rule_ar = orgs[0].metadata.org_ar;
if (orgs[0].metadata.disableMFA) {
api.multifactor.enable("none")
};
if (orgs[0].metadata.everydayMFA) {
api.multifactor.enable("any",{ "allowRememberBrowser": false })
};
if (orgs[0].metadata.DISABLE) {
return api.access.deny("Organization Account Disabled. If you have any questions, please contact your Client Success Coordinator.");
}
if (event.user.user_metadata.rule_ar === undefined || event.user.user_metadata.rule_ar === null || event.user.user_metadata.rule_ar.trim() === "") {
return api.access.deny("Organization arrow_account undefined. If you have any questions, please contact your Client Success Coordinator.");
}
management.users.getRoles({ id: event.user.user_id }, function (err, roles) {
if (err) {
return api.access.deny(`An internal error (${err.statusCode}) occured. Try again later. If you have any questions, please contact your Client Success Coordinator.`);
}
if (!roles || roles.length === 0) {
return api.access.deny("User is not assigned a role. If you have any questions, please contact your Client Success Coordinator.");
}
if (roles.length > 2) {
return api.access.deny("User cannot have more than two roles. If you have any questions, please contact your Client Success Coordinator.");
}
for (let i = 0; i < roles.length; i++) {
if (roles[i].name.startsWith("Ar")) {
event.user.user_metadata.rule_ar = roles[i].name.split(":")[1];
} else if (roles[i].name.startsWith("Sx:")) {
event.user.user_metadata.rule_sx = roles[i].name.split(":")[1];
}
}
var expiration_days = 90;
if (orgs[0].metadata.password_expiration_days) {
expiration_days = orgs[0].metadata.password_expiration_days;
}
function daydiff(first, second) {
return (second - first) / (1000 * 60 * 60 * 24);
}
const last_password_change = event.user.last_password_reset || event.user.created_at;
if (daydiff(new Date(last_password_change), new Date()) > expiration_days) {
return api.access.deny("Your password has expired. Login with the link below and click on 'Forgot Password' to reset your password. If you have any questions, please contact your Client Success Coordinator.");
}
return;
});
});
};
Please for your help!! Thank you