Auth0 Home Blog Docs

Auth0 As service provider default claim mapping

I have setup a test SAML connection with auth0 acting as the service provider.

I am having trouble finding documentation that tells you the default claim mapping auth0 uses to generate users when they initially login.

It looks like <saml2:NameID Format=“urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified”> was used as the user_id, but that contradicts what is said in this article

  • User Id Attribute : The attribute in the SAML token that will be mapped to the user_id property in Auth0. If not set, then the user_id will be retrieved from the following (in listed order):
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

does this mean that other name id formats would work? ex: urn:oasis:names:tc:SAML:2.0:nameid-format:transient

I also noticed that sending <saml2:Attribute Name=“http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname”… correctly maps to the users first name, but cannot find that documented anywhere.

The default mapping is not documented anywhere at the moment. Here’s the mapping we use internally:

{
  'user_id': [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
  'email': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
  'name': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
  'given_name': [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
  'family_name': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
  'groups': 'http://schemas.xmlsoap.org/claims/Group'
};

Any mappings you add in the SAML connection will extend this default mapping.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.