Adding custom SAML attribute when auth0 is SP

balamanohar.b · May 7, 2018, 9:54am

Hi,

Currently I’m using Auth0 as a service provider for login via SAML. The client requires a custom saml attribute value like this.

<saml:Attribute
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic
    Name="memberOf">
    <saml:AttributeValue
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">
        Test
     </saml:AttributeValue>
</saml:Attribute>

This information is stored in Groups field of Users in Auth0. How do I modify rules or any other configuration so that the SAML response sent from Auth0 contains the specified attribute value. Please help with this.

Thanks in advance.

jerdog · May 7, 2018, 3:43pm

Have you checked the rules info in docs?

sgmeyer · May 7, 2018, 8:03pm

@balamanohar.b,

I am not 100% certain I follow. You mention that Auth0 is the service provider, but you also mention you want Auth0 to generate the saml response. Did you really mean Auth0 was the IdP and needed to send a SAML response to some 3rd party service provider?

If so we have a rule template that you could modify to help this mapping:

function (user, context, callback) {
  context.samlConfiguration.mappings = {
     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "user_id",
     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":   "email",
     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":           "name",
     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/food":           "user_metadata.favorite_food",
     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/address":        "app_metadata.shipping_address"
  };

  callback(null, user, context);
}

With this template the claim on the left hand side will be the the saml attribute name and the string on the right is the property on the user profile that will be mapped as the value.

balamanohar.b · May 8, 2018, 6:55am

Hi @sgmeyer,

Sorry for the confusion, Auth0 is indeed the IdP. This is what is currently in Rules.

context.samlConfiguration.mappings = {
     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "email",
     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "name",
 //    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname":  "given_name",
 //    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "family_name",
 //    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "upn",
     "http://schemas.xmlsoap.org/claims/Group": "groups",
     "memberOf": "groups"
   };

But when I see the SAML response getting submitted (in browser) to authenticate the client by decrypting, the XML doesn’t have the memberOf field. It only has the following fields in the attribute statement.

<saml:AttributeStatement>
         <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
            <saml:AttributeValue>alpha2@mail.com</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier">
            <saml:AttributeValue>alphadevuser</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
            <saml:AttributeValue>TESTGROUP</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
            <saml:AttributeValue>alphadevuser</saml:AttributeValue>
         </saml:Attribute>
      </saml:AttributeStatement>

Please help me find out what should be configured to add the additional attribute here.

sgmeyer · May 8, 2018, 9:42am

@balamanohar.b I think the problem is you need to update you saml-addon configuration with this:

"mapUnknownClaimsAsIs": true,

This tells Auth0 to map any unknown claims/attributes as specified without prepending a URI to it.

Here is what I did to mock this out:

I created a google social connection for my users. When I logged in as my user I set app_metadata:

image1418×368 24.1 KB
I configured my SAML Add-on with:

{
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "groups": "memberof"
  },
  "passthroughClaimsWithNoMapping": false,
  "mapUnknownClaimsAsIs": true,
  "mapIdentities": false
}

Then I debugged the request and received this:

image1522×214 40.9 KB

A quick note on step #2. Initially I showed how to do this with a rule, that is still totally legit, because the mappings in rules are a bit more flexible than in the add-on. I also tested this with the rule you have above and got the results in step 3 after adding "mapUnknownClaimsAsIs": true, to the saml add-on’s configuration.

balamanohar.b · May 9, 2018, 6:26am

Thanks a lot @sgmeyer . It worked for our use case.