Adding roles to SAML response

Help
1

Hi everyone,

Trying to get the SAML working but cant seem to be able to configure roles that are configured through Auth0 UI to show up in SAML response, settings in “Addon: SAML2 Web App” are mostly default, see below:

{
“mappings”: {
“user_id”: “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier”,
“email”: “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”,
“name”: “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name”,
“given_name”: “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname”,
“family_name”: “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname”,
“upn”: “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn”,
“groups”: “http://schemas.xmlsoap.org/claims/Group”,
“roles”: “http://schemas.xmlsoap.org/claims/Role
},
“createUpnClaim”: true,
“passthroughClaimsWithNoMapping”: false,
“mapUnknownClaimsAsIs”: true,
“mapIdentities”: true,
“signatureAlgorithm”: “rsa-sha1”,
“digestAlgorithm”: “sha1”,
“destination”: “https://…”,
“lifetimeInSeconds”: 3600,
“signResponse”: false,
“typedAttributes”: true,
“includeAttributeNameFormat”: true,
“nameIdentifierFormat”: “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”,
“nameIdentifierProbes”: [
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier”,
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”,
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
],
“authnContextClassRef”: “urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified”,
“logout”: {
“callback”: “…”,
“slo_enabled”: true
},
“binding”: “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST”
}

I’m sure the solution is super simple but I just can’t seem to get it working.
Any help appreciated :slight_smile:

2

Did you ever figure it out?

3

I would be very interested too. How to pass Auth0 roles to the SAML response.