Auth0 As IdP: specific SAML attrs are skipped regardless of being mapped in a Rule

Hello,

We are using Auth0 as a SAML IdP. We have an app with the SAML2 Web App addon activated. Additionally, we have a custom Rule declaring a changeSamlConfiguration function to change the behavior of the SAML assertions.

We added mappings for four custom attributes in the assertion, and they were present in the assertions just fine until this week, when they started to fail. Here is an example of the assertion we need:

Now first_name and last_name are not present in the assertions.

Here is the code for the Rule:

function changeSamlConfiguration(user, context, callback) {
  // Pass user-profile attributes with no explicit mapping through to the
  // assertion, and keep their original names instead of the
  // http://schemas.auth0.com/ prefixed form.
  context.samlConfiguration.passthroughClaimsWithNoMapping = true;
  context.samlConfiguration.mapUnknownClaimsAsIs = true;
  context.samlConfiguration.createUpnClaim = false;
  context.samlConfiguration.signResponse = true;
  context.samlConfiguration.mapIdentities = false;

  user.user_metadata = user.user_metadata || {};

  // Debug only: this writes the full user profile (email, metadata,
  // identities) to the Rules log. Remove it once the mapping is verified.
  console.log(user);

  // Key: SAML attribute name emitted in the assertion.
  // Value: user-profile field whose value it carries.
  context.samlConfiguration.mappings = {
    'custom_first_name': 'given_name', // test only, skip.
    'custom_family_name': 'family_name', // test only, skip.
    'first_name': 'given_name',
    'last_name': 'family_name',
    'email_address': 'name',
    'user_name': 'name',
  };

  // Debug only, same caveat as above.
  console.log(context);

  callback(null, user, context);
}

With this configuration, the SAML assertion contains email_address and user_name but no first_name and last_name. Even weirder, custom_first_name and custom_family_name, two attributes we don't need but feed with the same data as first_name and last_name just for testing, do appear in the assertion.

Here is an example of the current assertion as sent from Auth0 to SP:

<!--Only showing saml:AttributeStatement-->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_xxxxxxxxxxxxxxxxxxxx" Version="2.0" IssueInstant="2023-05-25T17:38:18.872Z" Destination="https://idp.xxxxxxxx.com/sp/ACS.saml2">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:xxxxxxxxxxxx.us.auth0.com</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" IssueInstant="2023-05-25T17:38:18.862Z">
        <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <saml:Attribute Name="custom_first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">xxxxxxxxxxxxxx@mailnesia.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="custom_family_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">app-app</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="email_address" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string"> myname</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="user_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string"> myname</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="user_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">auth0|64xxxxxxxxxxxxxxxxxxxxxx</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="identifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">auth0|64xxxxxxxxxxxxxxxxxxxxxx</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="email_verified" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:boolean">true</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="clientID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="nickname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">app_xxxxxxxxxxxxxx</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="picture" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">https://s.gravatar.com/avatar/ecxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?s=480&amp;r=pg&amp;d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fdefault.png</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="created_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:anyType">Mon May 22 2023 05:43:21 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="updated_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:anyType">Thu May 25 2023 17:36:50 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">xxxxxxxxxxxxxxxxxx@mailnesia.com</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

The settings of the app widget:

{
  "recipient": "https://idp.xxxxxxxx.com/sp/ACS.saml2",
  "destination": "https://idp.xxxxxxxx.com/sp/ACS.saml2",
  "audience": "https://idp.xxxxxxxx.com",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

We have these questions:

  • Why did the attribute mapping for first_name and last_name start to fail?
  • Why can we map other attributes while specifically first_name and last_name are not mapped? What is so special about these two attributes?

We thank you for any help on this issue!
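To make the comparison the post does by eye repeatable, here is an added example (not code from the post or from Auth0) that parses a SAML Response, collects the AttributeStatement into a name-to-values map, and audits it against the keys of the Rule's mappings object. It assumes, as the assertion above shows, that each mapping key is the SAML attribute Name and each value is the user-profile field it is read from. The sample response embedded in the script is constructed to resemble the redacted one above (first_name and last_name absent, email_address and user_name carrying a leading space, passthrough attributes under their bare names); hostnames and IDs in it are placeholders.

```python
"""Audit a SAML 2.0 Response's AttributeStatement against an expected mapping.

Added example, not from the original post. Reports attributes that were
expected but are missing, attributes passed through without a mapping,
values with leading/trailing whitespace (which an SP doing exact string
matching will reject), and missing attributes whose profile source is
demonstrably populated because another attribute mapped from the same
field is present with a value.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Keys of context.samlConfiguration.mappings from the Rule:
# SAML attribute name -> user-profile field.
EXPECTED_MAPPINGS = {
    "custom_first_name": "given_name",
    "custom_family_name": "family_name",
    "first_name": "given_name",
    "last_name": "family_name",
    "email_address": "name",
    "user_name": "name",
}

# Constructed sample modelled on the redacted assertion in the post.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0" IssueInstant="2023-05-25T17:38:18.872Z" Destination="https://sp.example.com/sp/ACS.saml2">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:example.us.auth0.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_a1" IssueInstant="2023-05-25T17:38:18.862Z">
    <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <saml:Attribute Name="custom_first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="custom_family_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">app-app</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email_address" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string"> myname</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="user_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string"> myname</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(response_xml: str) -> dict:
    """Return {attribute Name: [value, ...]} from every AttributeStatement.

    Intended for responses you already trust (copied from your own IdP or
    SP logs). For XML from an untrusted party, parse with defusedxml
    instead of the standard-library parser.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def audit(response_xml: str, expected: dict) -> dict:
    """Compare the assertion's attributes against the expected mapping keys."""
    attrs = extract_attributes(response_xml)
    present = set(attrs)
    missing = set(expected) - present

    def source_populated(field: str) -> bool:
        # True if some present, mapped attribute read from `field` has a value.
        return any(
            expected[name] == field and any(v.strip() for v in attrs[name])
            for name in present & set(expected)
        )

    return {
        "missing": sorted(missing),
        "passthrough": sorted(present - set(expected)),
        "untrimmed": sorted(
            name for name, values in attrs.items() if any(v != v.strip() for v in values)
        ),
        # Absence here is not explained by an empty profile field.
        "missing_with_populated_source": sorted(
            name for name in missing if source_populated(expected[name])
        ),
    }


if __name__ == "__main__":
    for key, names in audit(SAMPLE_RESPONSE, EXPECTED_MAPPINGS).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Run it against the real response (decoded from the SAMLResponse form field, or copied from a SAML tracer) in place of the constructed sample; the "missing_with_populated_source" list is the one to carry into a support ticket, since it separates attributes dropped by the IdP from attributes that were never populated on the user.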

Hey there!

As this topic is related to Rules - Hooks - Actions and Rules & Hooks are being deprecated soon I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!