Add custom saml attributes to id token

Auth0 is connected to an external IdP using a SAML connection. This connection will return a custom attribute. I am not sure if it should be added to the user properties in Auth0 using the Mappings section of the connector, or if that is the only way to do it.

I am then trying to add the information from that attribute to the token using Actions -> Flows and api.idToken.setCustomClaim; however, I don't seem to be able to add it.

I can add information from app_metadata but not from user properties (does not seem to recognize it).

Therefore I am not sure how to either add it to the app_metadata during SAML logon or how I can get it from the user properties.

Hi @kris.macgillivray

Welcome to the Auth0 Community, it’s really great to have you here :slight_smile:

I take it Auth0 is acting as the service provider in this case given that you have an external IdP. If the IdP is sending you a custom attribute you will certainly need to map it in Authentication > Enterprise > SAML connection > Mappings tab.

The left side of the mapping is the user attribute on the SP side, the right side of the mapping is the claim you’re receiving from the IdP. I would probably do a test connection and open the network trace in the browser to locate the SAML response coming in, check the response in samtool.io to confirm the custom attribute is there and also confirm the spelling etc.

You should also see the attribute in the user account, Raw JSON tab.

Not all user properties are available under Actions right now; please see this list for event.user: https://auth0.com/docs/customize/actions/triggers/post-user-registration/event-object#:~:text=original%20authentication%20request.-,event.user,-An%20object%20describing

You would need to use Rules for this scenario until Actions reaches feature parity. An example rule to get the groups property into the ID Token would be:

function (user, context, callback) {
  context.idToken['https://mynamespace/groups'] = user.groups;
  callback(null, user, context);
  return callback(null, user, context);
}

Please let me know if you have any further questions on any of this.

Regards

2 Likes

@SaqibHussain
I have code like below:

// Post-login Action: add namespaced custom claims to the ID and access tokens.
exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://samplenamesapce.ca';
  if (event.authorization) {
    // Roles assigned in Auth0 are available on event.authorization.
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    // 'DN' is the SAML attribute mapped onto the user's root profile.
    api.idToken.setCustomClaim(`${namespace}/DN`, event.user['DN']);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};

The 'DN' is a SAML assertion attribute received from the response and mapped to the user's 'DN'. I see the value in the user's account. I want to provide that value as a claim to the client app; however, I couldn't get it in the Action. Any clue would be appreciated.

Hi @steven.deng

Thanks for getting in touch with Auth0 Community.

I note you're using an Action to access a user's root property received via SAML. Currently this is not supported: "Top-level event.user attributes added by an external IdP or custom database script", as per https://auth0.com/docs/customize/actions/limitations

We expect to fill this gap early next year but until then you can use Rules.

P.S. Just looking at my sample rule above, I think there is a copy-paste error, as only one callback should be required, i.e.:

function (user, context, callback) {
  context.idToken['https://mynamespace/groups'] = user.groups;
  return callback(null, user, context);
}

Warm regards.

2 Likes
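The two mechanisms compared in the replies above, written side by side as an added example (not code from the thread, and not Auth0's own code): the same claim-building logic wired into a post-login Action and into a legacy Rule, run offline against a mock of the Auth0 runtime objects. It assumes a constructed namespace URL (https://claims.example.com), constructed attribute names and identities (department, DN, jdoe), and hypothetical helpers written for this example (namespacedClaim, collectClaims, mockApi, runAction, runRule). The Action's event deliberately carries no top-level DN, modelling the limitation the replies describe, so the example shows the claim being skipped rather than emitted as undefined.

```javascript
// Added example, not code from the thread: the custom-claim logic written
// once as a pure function, then wired into both an Auth0 Action and a
// legacy Rule, and run offline against a mock of the runtime objects.
// The namespace URL, attribute names and sample identities are constructed.

// Custom claims are prefixed with a URL namespace so they can never shadow
// registered JWT claims (RFC 7519 section 4.1: iss, sub, aud, exp, nbf, iat,
// jti) or standard OIDC claims such as email.
const NAMESPACE = 'https://claims.example.com'; // constructed placeholder

function namespacedClaim(namespace, attribute) {
  let parsed;
  try {
    parsed = new URL(namespace);
  } catch (err) {
    throw new Error(`claim namespace must be an absolute URL, got: ${namespace}`);
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    throw new Error(`claim namespace must be an http(s) URL, got: ${namespace}`);
  }
  return `${namespace.replace(/\/+$/, '')}/${attribute}`;
}

// Build the claim set from whatever attributes the runtime actually exposed.
// Missing values are skipped rather than emitted as `undefined`, which is
// the case in an Action for a top-level SAML-mapped attribute such as DN.
function collectClaims(source, namespace) {
  const claims = {};
  for (const [attribute, value] of Object.entries(source)) {
    if (value === undefined || value === null) continue;
    claims[namespacedClaim(namespace, attribute)] = value;
  }
  return claims;
}

// Action form. In Auth0 this is `exports.onExecutePostLogin`; it is a plain
// declaration here so the file runs stand-alone.
async function onExecutePostLogin(event, api) {
  const source = {
    roles: (event.authorization || {}).roles,
    department: (event.user.app_metadata || {}).department, // supported source
    DN: event.user.DN, // top-level IdP attribute: not surfaced in Actions today
  };
  for (const [name, value] of Object.entries(collectClaims(source, NAMESPACE))) {
    api.idToken.setCustomClaim(name, value);
  }
}

// Rule form. Rules see the full profile, including top-level attributes,
// and must call `callback` exactly once.
function rule(user, context, callback) {
  const source = {
    roles: (context.authorization || {}).roles,
    department: (user.app_metadata || {}).department,
    DN: user.DN,
  };
  Object.assign(context.idToken, collectClaims(source, NAMESPACE));
  return callback(null, user, context);
}

// Mock of the `api` object: records setCustomClaim calls instead of minting a token.
function mockApi() {
  const claims = {};
  return { claims, idToken: { setCustomClaim: (name, value) => { claims[name] = value; } } };
}

// Constructed inputs. The Action event carries no DN, modelling the
// limitation from the thread; the Rule's user profile does.
const sampleEvent = {
  user: { user_id: 'samlp|corp|jdoe', app_metadata: { department: 'security' } },
  authorization: { roles: ['admin'] },
};
const sampleUser = {
  user_id: 'samlp|corp|jdoe',
  app_metadata: { department: 'security' },
  DN: 'CN=jdoe,OU=Staff,DC=example,DC=com',
};

// The Action body has no awaits, so its setCustomClaim calls complete
// synchronously before the returned promise is observed.
function runAction(event) {
  const api = mockApi();
  onExecutePostLogin(event, api);
  return api.claims;
}

function runRule(user, context) {
  let result;
  rule(user, context, (err, _user, ctx) => {
    if (err) throw err;
    result = ctx.idToken;
  });
  return result;
}

console.log('Action claims:', runAction(sampleEvent));
console.log('Rule claims:', runRule(sampleUser, { idToken: {}, authorization: { roles: ['admin'] } }));
```

Running it prints a claim set from the Action containing only roles and department, and a claim set from the Rule that also contains DN. Keeping the claim selection in one pure function means the Action and the Rule cannot drift apart while the Rule is still in use, and the namespace check catches a bare claim name such as `groups` before it can overwrite a standard token claim.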
