Hello,
We are using Auth0 as a SAML IdP. We have an app with the SAML2 Web App addon activated. Additionally, we have a custom Rule declaring a changeSamlConfiguration function to change the behavior of SAML assertions.
We added mappings for four custom attributes in the assertion, and they were present in the assertions just fine until this week, when it started to fail. Here is an example of the assertion we need:
Now first_name and last_name are not present in the assertions.
Here is the code for the Rule:
function changeSamlConfiguration(user, context, callback) {
  // Emit profile attributes that have no entry in `mappings` as well ...
  context.samlConfiguration.passthroughClaimsWithNoMapping = true;
  // ... and under their own names, without the http://schemas.auth0.com/ prefix.
  context.samlConfiguration.mapUnknownClaimsAsIs = true;
  // Do not add the UPN claim to the assertion.
  context.samlConfiguration.createUpnClaim = false;
  // Sign the whole SAML Response instead of only the Assertion.
  context.samlConfiguration.signResponse = true;
  // Do not add the identity-provider details (identities) to the assertion.
  context.samlConfiguration.mapIdentities = false;
  user.user_metadata = user.user_metadata || {};
  console.log(user);
  // Keys are the SAML attribute names the SP receives; values are the
  // Auth0 user profile attributes they are read from.
  context.samlConfiguration.mappings = {
    'custom_first_name': 'given_name', // test only, skip.
    'custom_family_name': 'family_name', // test only, skip.
    'first_name': 'given_name',
    'last_name': 'family_name',
    'email_address': 'name',
    'user_name': 'name',
  };
  console.log(context);
  callback(null, user, context);
}
With this configuration, the SAML assertion contains email_address and user_name but no first_name and last_name. Even weirder, custom_first_name and custom_last_name, two attrs we don't need but feed with the same data as first_name and last_name just for testing, do appear in the assertion.
Here is an example of the current assertion as sent from Auth0 to the SP:
<!--Only showing saml:AttributeStatement-->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_xxxxxxxxxxxxxxxxxxxx" Version="2.0" IssueInstant="2023-05-25T17:38:18.872Z" Destination="https://idp.xxxxxxxx.com/sp/ACS.saml2">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:xxxxxxxxxxxx.us.auth0.com</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" IssueInstant="2023-05-25T17:38:18.862Z">
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="custom_first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">xxxxxxxxxxxxxx@mailnesia.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="custom_family_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">app-app</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="email_address" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string"> myname</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="user_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string"> myname</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="user_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">auth0|64xxxxxxxxxxxxxxxxxxxxxx</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="identifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">auth0|64xxxxxxxxxxxxxxxxxxxxxx</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="email_verified" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:boolean">true</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="clientID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="nickname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">app_xxxxxxxxxxxxxx</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="picture" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">https://s.gravatar.com/avatar/ecxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fdefault.png</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="created_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:anyType">Mon May 22 2023 05:43:21 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="updated_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:anyType">Thu May 25 2023 17:36:50 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">xxxxxxxxxxxxxxxxxx@mailnesia.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
The settings of the app widget:
{
"recipient": "https://idp.xxxxxxxx.com/sp/ACS.saml2",
"destination": "https://idp.xxxxxxxx.com/sp/ACS.saml2",
"audience": "https://idp.xxxxxxxx.com",
"nameIdentifierProbes": [
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
]
}
We have these questions:
- Why did the attr mapping for first_name and last_name start to fail?
- Why can we map other attrs, but specifically first_name and last_name are not mapping? What is so special about these two attrs?
We thank you for any help on this issue!
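A small check for the situation described in the post, added here as an example and not code from the original poster or from Auth0: it pulls every saml:Attribute out of a SAML response's AttributeStatement and diffs the names against the keys of the Rule's context.samlConfiguration.mappings, so you can see at a glance which mapped attributes the IdP actually sent, which are missing, and which arrived only because of passthroughClaimsWithNoMapping. The SAMPLE_RESPONSE is a constructed, trimmed copy of the assertion shown above with placeholder values; the extraction is regex-based so it runs with no dependencies and relies on the saml: prefix Auth0 uses. It is an offline debugging aid for an assertion you already trust: it performs no signature, Issuer, Audience or Conditions validation and must never be used to decide whether to accept an assertion.

```javascript
// Added example (not the original poster's code or Auth0's): extract the
// attributes from a SAML response and compare them with a Rule's mappings.
// Debugging aid only: no signature/Issuer/Audience/Conditions checks here.

// Constructed sample: the posted AttributeStatement, trimmed to a few
// attributes, with placeholder values.
const SAMPLE_RESPONSE = `
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp" Version="2.0">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_assert">
    <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <saml:Attribute Name="custom_first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="custom_family_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">app-app</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email_address" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string"> myname</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="user_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string"> myname</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="user_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">auth0|000000000000000000000000</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email_verified" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:boolean">true</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>`;

// The mappings object from the Rule in the post. Keys are the SAML attribute
// names the SP should see; values are the Auth0 profile attributes they come from.
const MAPPINGS = {
  custom_first_name: 'given_name',
  custom_family_name: 'family_name',
  first_name: 'given_name',
  last_name: 'family_name',
  email_address: 'name',
  user_name: 'name',
};

// Returns { attributeName: [values...] } for every saml:Attribute in the XML.
// The \b after "Attribute" keeps AttributeStatement/AttributeValue from matching.
function extractAttributes(xml) {
  const attrs = Object.create(null);
  const attrRe = /<saml:Attribute\b([^>]*)>([\s\S]*?)<\/saml:Attribute>/g;
  let m;
  while ((m = attrRe.exec(xml)) !== null) {
    const nameMatch = /\bName="([^"]*)"/.exec(m[1]);
    if (!nameMatch) continue;
    const valueRe = /<saml:AttributeValue\b[^>]*>([\s\S]*?)<\/saml:AttributeValue>/g;
    const values = [];
    let v;
    while ((v = valueRe.exec(m[2])) !== null) values.push(v[1].trim());
    attrs[nameMatch[1]] = values;
  }
  return attrs;
}

// Diffs the attributes actually present against the names the mappings promise.
// "passthrough" holds attributes that appear without an explicit mapping.
function checkMappings(xml, mappings) {
  const present = extractAttributes(xml);
  const expected = Object.keys(mappings);
  return {
    mapped: expected.filter((n) => n in present),
    missing: expected.filter((n) => !(n in present)),
    passthrough: Object.keys(present).filter((n) => !expected.includes(n)),
    values: present,
  };
}

const report = checkMappings(SAMPLE_RESPONSE, MAPPINGS);
console.log('mapped:      ' + report.mapped.join(', '));
console.log('missing:     ' + report.missing.join(', '));
console.log('passthrough: ' + report.passthrough.join(', '));
```

Run it with node against a response captured from the browser (the base64-decoded SAMLResponse form field) and the "missing" line is exactly the list to take to support; for the constructed sample it reports first_name and last_name, matching the post.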