Overview
The Auth0 user profile shows claims sent by the upstream SAML IdP that begin with the “urn:oid” prefix. For example, urn:oid:0:9:2342:19200300:100:1:3. However, these cannot be mapped to other attributes using the Mappings object.
Applies To
- SAML connections (Auth0 is SAML SP)
Cause
This issue occurs because of a formatting discrepancy between how Auth0 displays the claim and how it must be referenced for mapping.
The upstream Identity Provider (IdP) sends the claim with periods separating the numbers, as shown in this example: urn:oid:0.9.2342.19200300.100.1.3
However, Auth0’s internal data structure replaces the periods with colons when displaying the claim in the user profile: urn:oid:0:9:2342:19200300:100:1:3
The Mappings object requires the original claim name as sent by the IdP, which contains periods, not the colon-separated version displayed in the Auth0 profile.
Solution
To correctly map the attributes, the original claim name sent by the Identity Provider (IdP) must be used in the Mappings object. This requires using the original format with periods instead of the colon-separated version shown in the Auth0 user profile.
For example, to map the claim to the email attribute, use the following format in the Mappings object:
{
  "email": "urn:oid:0.9.2342.19200300.100.1.3"
}
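The conversion described above can be scripted when several claims need mapping. The following is an added example, not Auth0 code: the function names, the sample profile and the given_name entry are constructed for illustration, and it assumes only that urn:oid claims with numeric arcs need rewriting.

```javascript
// Added example: convert claim names as displayed in the Auth0 user profile
// back to the dotted form the IdP sent, for use in the Mappings object.
// Function names and the sample profile are constructed for illustration.

const OID_PREFIX = "urn:oid:";

// Return the IdP's original claim name for a key shown in the profile.
// Only urn:oid claims whose arcs are all numeric are rewritten; any other
// claim name is returned unchanged.
function toIdpClaimName(profileKey) {
  if (!profileKey.startsWith(OID_PREFIX)) return profileKey;
  const arcs = profileKey.slice(OID_PREFIX.length).split(":");
  const numeric = arcs.length > 1 && arcs.every((a) => /^\d+$/.test(a));
  return numeric ? OID_PREFIX + arcs.join(".") : profileKey;
}

// Build a Mappings object from { auth0Attribute: keyAsShownInProfile }.
// Throws if a wanted key is absent from the profile, so a typo is caught
// before the mapping is saved.
function buildMappings(profile, wanted) {
  const mappings = {};
  for (const [attribute, shownKey] of Object.entries(wanted)) {
    if (!Object.prototype.hasOwnProperty.call(profile, shownKey)) {
      throw new Error(`claim not present in profile: ${shownKey}`);
    }
    mappings[attribute] = toIdpClaimName(shownKey);
  }
  return mappings;
}

// Constructed sample profile (values are made up).
const sampleProfile = {
  "urn:oid:0:9:2342:19200300:100:1:3": "jane@example.com",
  "urn:oid:2:5:4:42": "Jane",
  "displayName": "Jane Example",
};

const mappings = buildMappings(sampleProfile, {
  email: "urn:oid:0:9:2342:19200300:100:1:3",
  given_name: "urn:oid:2:5:4:42",
});
console.log(JSON.stringify(mappings, null, 2));
```

Compare the generated names against the attribute names in the IdP's SAML response before saving the mapping.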