Adding a SAML response attribute to differentiate one User's linked Identities

Hi all - I’m working to solve a use case where Auth0 is the IdP and Salesforce Communities is the SP. One person might have multiple login credentials in Auth0, but in the Salesforce Community they only have one User. I’ve got this working well with a SAML SSO configuration, along with Linked Users in Auth0.

The piece I’m struggling to get working is, I need to know which one of their Auth0 credentials they used to log in, even if the NameId in the SAML response going to SFDC is the same.

I’ve seen some posts about creating rules to populate custom SAML attributes, but I can’t figure out how to apply those rules in my Single Sign On configuration on the Auth0 side.

I’m new to Auth0 so any details / samples would be appreciated. Thanks!

Hi @sfdcmatt,

Welcome to the Auth0 Community!

Have you taken a look at this FAQ?

This should provide guidance on mapping your SAML attributes.

Please let me know if you need any clarifications or have any questions.

Thank you.

Hi Rueben, thanks for the response! I’m not actually using an Application, I’m using an “SSO Integration”, so I don’t see where to apply these same mappings in the article you referenced?

At any rate, I was able to get this working this morning by writing a Rule that sets the nameIdentifier to a custom app_metadata parameter. We’ll set that as we create the users, and the rule maps that back into the SAML response where it needs to be. I think I’m set here, thanks for your help!

1 Like
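An added example of the Rule-based approach described above, not the poster's own code: an Auth0 Rule that keeps the NameID stable across linked identities via a provisioned `app_metadata` value and adds a second SAML attribute carrying the connection actually used for this login, so the SP can tell which credential was used. The attribute URIs and the `sfdc_user_id` key are assumptions.

```javascript
// Added example (not the poster's Rule). Auth0 Rules receive (user, context, callback);
// context.samlConfiguration.mappings maps a SAML attribute name to a user profile property.
const LOGIN_CONNECTION_ATTR = 'http://schemas.example.com/auth0/login_connection'; // assumed URI
const STABLE_ID_ATTR = 'http://schemas.example.com/auth0/stable_user_id';          // assumed URI
const STABLE_ID_KEY = 'sfdc_user_id';                                               // assumed app_metadata key

// UnauthorizedError exists in the Rules sandbox; fall back to Error when run elsewhere.
const Unauthorized = typeof UnauthorizedError !== 'undefined' ? UnauthorizedError : Error;

function addLinkedIdentityAttributes(user, context, callback) {
  // Only SAML logins carry a samlConfiguration; leave other protocols untouched.
  if (context.protocol !== 'samlp') {
    return callback(null, user, context);
  }

  // Fail closed: an account without a provisioned stable id must not be
  // mapped onto some SP user by accident.
  const stableId = user.app_metadata && user.app_metadata[STABLE_ID_KEY];
  if (!stableId) {
    return callback(new Unauthorized('No ' + STABLE_ID_KEY + ' provisioned for this user'));
  }

  context.samlConfiguration = context.samlConfiguration || {};
  const mappings = Object.assign({}, context.samlConfiguration.mappings);

  // context.connection names the connection used for *this* login, even when the
  // primary profile was reached through a linked secondary identity.
  user.login_connection = context.connection;
  user.stable_user_id = stableId;
  mappings[LOGIN_CONNECTION_ATTR] = 'login_connection';
  mappings[STABLE_ID_ATTR] = 'stable_user_id';
  context.samlConfiguration.mappings = mappings;

  return callback(null, user, context);
}
```

Which connection a session used is also visible in the Auth0 tenant logs, so the SP-side attribute and the IdP-side log can be cross-checked during an investigation.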

Hi @sfdcmatt,

Thank you for the response.

I’m glad you managed to get it working using a Rule!

Please reach out if you have any further questions.

Thank you.