Change User ID Used by Auth0 for SAML Connection

Overview

This article explains whether it is possible to change the user ID stored by Auth0 when using a SAML Enterprise connection.

Applies To

  • SAML Enterprise Connection
  • User ID

Solution

Currently, it is not possible to change the User ID format. Auth0 builds the User ID programmatically from the incoming attribute sent by the Identity Provider and prefixes it with the connection strategy and the connection name. The prefix (everything up to and including the second pipe) is always applied; only the final part comes from whatever attribute is mapped to the user ID:

samlp|<CONNECTION_NAME>|<ATTRIBUTE_MAPPED_TO_USER_ID>

However, the SAML connection's mappings settings can be used to map a different unique attribute the Identity Provider (IdP) sends for the user as the final part of the Auth0 User ID (after the last pipe "|" character). Because this value becomes the user's identity in Auth0, the chosen attribute should be unique and immutable within the IdP: a mutable attribute such as a display name means a renamed user logs in as a brand new Auth0 user, and a value that the IdP could reassign to someone else would let that person land in the original user's Auth0 account.

If it is required to store an ID from the IdP without any prefix, map it to a root profile attribute, e.g. "saml_user_id", as in the last entry of the mappings below:

{
  "user_id": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "given_name": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
  "groups": "http://schemas.xmlsoap.org/claims/Group",
  "saml_user_id": "<incoming SAML attribute here>"
}

Where a mapping lists several attributes in an array, the first one present in the incoming assertion is used. This additional root attribute can then be added to ID or access tokens as a custom claim if required, for example from a post-login Action.
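As an added, illustrative example (not Auth0's own code), the following JavaScript simulates how the mappings above turn an assertion's attributes into the stored profile, with the fixed samlp|<CONNECTION_NAME>| prefix and the array-means-first-present rule, and shows a post-login Action that copies the unprefixed saml_user_id into tokens. The connection name my-idp, the IdP attribute urn:example:employeeId, the claim name https://example.com/saml_user_id and the sample assertion attributes are constructed for the example; api.idToken.setCustomClaim and api.accessToken.setCustomClaim are the real Auth0 Actions API calls, but the api object used here is a small stand-in so the block runs offline.

```javascript
// Added example, not Auth0's own implementation: simulates SAML attribute
// mapping into an Auth0 profile and a post-login Action that exposes the
// unprefixed IdP id as a custom claim.

const STRATEGY = "samlp"; // fixed prefix for SAML Enterprise connections

// Same shape as the connection's "mappings" setting. A string maps a single
// SAML attribute; an array lists attributes to try in order, first present wins.
const mappings = {
  user_id: [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  ],
  email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  family_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
  // Hypothetical IdP attribute carrying an immutable employee id (assumption).
  saml_user_id: "urn:example:employeeId",
};

// Resolve one mapping entry (string or fallback array) against the assertion.
function resolveAttribute(attributes, source) {
  const candidates = Array.isArray(source) ? source : [source];
  for (const attr of candidates) {
    const value = attributes[attr];
    if (value !== undefined && value !== null && value !== "") return value;
  }
  return undefined;
}

// Build the profile Auth0 would store: prefixed user_id plus root attributes.
function buildProfile(connectionName, attributes, map = mappings) {
  const rawId = resolveAttribute(attributes, map.user_id);
  if (rawId === undefined) {
    throw new Error("no attribute mapped to user_id is present in the assertion");
  }
  const profile = { user_id: `${STRATEGY}|${connectionName}|${rawId}` };
  for (const [key, source] of Object.entries(map)) {
    if (key === "user_id") continue;
    const value = resolveAttribute(attributes, source);
    if (value !== undefined) profile[key] = value;
  }
  return profile;
}

// Post-login Action handler: copies the unprefixed id into a namespaced claim.
// Claim name is an assumption; namespacing avoids clashing with standard claims.
const CLAIM = "https://example.com/saml_user_id";
function onExecutePostLogin(event, api) {
  const id = event.user.saml_user_id;
  if (typeof id === "string" && id.length > 0) {
    api.idToken.setCustomClaim(CLAIM, id);
    api.accessToken.setCustomClaim(CLAIM, id);
  }
}

// Stand-in for the Actions `api` object that records the claims it is given.
function runActionForProfile(profile) {
  const claims = { idToken: {}, accessToken: {} };
  const api = {
    idToken: { setCustomClaim: (k, v) => { claims.idToken[k] = v; } },
    accessToken: { setCustomClaim: (k, v) => { claims.accessToken[k] = v; } },
  };
  onExecutePostLogin({ user: profile }, api);
  return claims;
}

// Constructed sample assertion attributes (not captured from a real IdP).
// nameidentifier is deliberately absent, so user_id falls through to upn.
const sampleAssertion = {
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "jdoe@example.com",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "jdoe@example.com",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "Jane Doe",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe",
  "urn:example:employeeId": "E-10042",
};

function example() {
  const profile = buildProfile("my-idp", sampleAssertion);
  const claims = runActionForProfile(profile);
  return { profile, claims };
}

console.log(JSON.stringify(example(), null, 2));
```

The profile's user_id comes out as samlp|my-idp|jdoe@example.com (prefix fixed, UPN chosen because no nameidentifier was sent), while saml_user_id holds the bare E-10042 and is what the Action places in both tokens.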