Adding roles to SAML response

Hi everyone,

Trying to get the SAML working but can't seem to be able to configure roles that are configured through Auth0 UI to show up in SAML response, settings in “Addon: SAML2 Web App” are mostly default, see below:

{
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "groups": "http://schemas.xmlsoap.org/claims/Group",
    "roles": "http://schemas.xmlsoap.org/claims/Role"
  },
  "createUpnClaim": true,
  "passthroughClaimsWithNoMapping": false,
  "mapUnknownClaimsAsIs": true,
  "mapIdentities": true,
  "signatureAlgorithm": "rsa-sha1",
  "digestAlgorithm": "sha1",
  "destination": "https://…",
  "lifetimeInSeconds": 3600,
  "signResponse": false,
  "typedAttributes": true,
  "includeAttributeNameFormat": true,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
  "logout": {
    "callback": "…",
    "slo_enabled": true
  },
  "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
}

I’m sure the solution is super simple but I just can’t seem to get it working.
Any help appreciated :slight_smile:

Did you ever figure it out?

I would be very interested too. How to pass Auth0 roles to the SAML response.
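Added example, not part of this thread and not code from Auth0: one way to get roles into the assertion is a post-login Action that reads the roles assigned in Authorization Core and writes them under the same attribute name the poster's `roles` mapping already declares. It assumes the Actions post-login API exposes `event.authorization.roles` (array of role names) and `api.samlResponse.setAttribute(name, value)`, and it assumes the `mappings` block only renames attributes that already exist on the user profile, which would explain why roles managed in Authorization Core do not show up from the mapping alone. The `roleAttributesFor` helper, the fake `api` object and the sample events are constructed here so the handler can be exercised offline.

```javascript
// Added example (not from the thread or from Auth0). Assumed Auth0 Actions
// post-login API: event.authorization.roles and api.samlResponse.setAttribute.

// Same attribute name as the "roles" entry in the poster's SAML2 Web App mappings.
const ROLE_CLAIM = 'http://schemas.xmlsoap.org/claims/Role';

// Pure helper (constructed for this example): decide which SAML attributes to
// emit for a login event. Returns {} when there is nothing to add so the
// assertion never carries an empty Role attribute, which some SPs reject.
function roleAttributesFor(event) {
  const authz = event && event.authorization;
  const roles = Array.isArray(authz && authz.roles) ? authz.roles : [];
  // Keep only non-empty role names; anything else is not a usable role value.
  const names = roles.filter((r) => typeof r === 'string' && r.length > 0);
  if (names.length === 0) return {};
  // One attribute with one <AttributeValue> per role (multi-valued attribute).
  return { [ROLE_CLAIM]: names };
}

// Handler shape used by Auth0 post-login Actions (assumed API, see lead-in).
// It performs no await before setAttribute, so attributes are set by the time
// the call returns; in Auth0 it would be exported as exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  const attrs = roleAttributesFor(event);
  for (const [name, value] of Object.entries(attrs)) {
    api.samlResponse.setAttribute(name, value);
  }
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed stand-in for the Actions runtime: records setAttribute calls.
function makeFakeApi() {
  const attributes = {};
  return {
    attributes,
    samlResponse: {
      setAttribute(name, value) { attributes[name] = value; },
    },
  };
}

// Stand-alone demonstration with constructed events.
if (typeof require !== 'undefined' && require.main === module) {
  const api = makeFakeApi();
  onExecutePostLogin({ authorization: { roles: ['admin', 'auditor'] } }, api);
  console.log(JSON.stringify(api.attributes));
  const empty = makeFakeApi();
  onExecutePostLogin({ authorization: { roles: [] } }, empty);
  console.log(JSON.stringify(empty.attributes));
}
```

The SP still has to be told which attribute name carries roles; keep `ROLE_CLAIM` identical to the name the SP configuration expects (here the `roles` mapping's URI), and confirm the result by inspecting a decoded assertion for an `Attribute` element with that name before relying on it for authorization.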