Email Attribute is Missing from Okta SAML Login

Problem statement

An enterprise connection is configured that enables a ‘downstream’ customer to access Okta via a SAML connection. Auth0 is configured as the Service Provider (SP) and Okta is configured as the Identity Provider (IdP).

This SAML connection works as expected but no email address is included in the SAML login transaction.

The outcome of this is that when the client application calls the Management API to retrieve the user’s email address from the user profile, that attribute field is empty. Likewise, viewing that user’s record in the Auth0 dashboard, there is no email field. It is expected that this field should be populated.

During debugging it was noticed that the user’s Auth0 user_id is a concatenation of “samlp” + connection_name + the user’s email_address.

  • Explain why the user’s profile does not seem to have an email address populated
  • Explain why the user_id contains the user’s email address

Symptoms

No email address is included in the SAML login flow.

Troubleshooting

  • Create a HAR file that captures a login event. For further guidance, refer to Generate and Analyze HAR Files.
  • Examine the HAR file to confirm that no Email attribute is returned from the IdP.

Solution

In this particular case, the user_id field is mapped to the nameId attribute of the IdP, which here is Okta. That nameId attribute contains the user’s email address, which is why the email appears in the user_id.

  • The first way to resolve this problem is to update the SAML connection mappings from the Auth0 dashboard. It is possible to associate the ‘email’ field with the nameId attribute. Something like this:

email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

  1. Log in to the Auth0 dashboard as a tenant member (administrator).
  2. Navigate to Authentication > Enterprise.
  3. Click SAML.
  4. Click the SAML connection that needs to be edited.
  5. Click Mappings (from the menu).
  6. Add the new ‘email’ mapping shown above.
  • A better way to resolve this issue is to add an ‘email’ attribute to the IdP (Okta). For guidance on how to do this, refer to the Okta document How to Define and Configure a Custom SAML Attribute Statement. The document and the video that accompanies it show how to add additional attributes on the Okta side.

Once an ‘email’ attribute has been added on the Okta IdP side, it should be possible to fix this issue from the Auth0 dashboard.

  1. Log in to the Auth0 dashboard as a tenant member (administrator).
  2. Navigate to Authentication > Enterprise.
  3. Click SAML.
  4. Click the SAML connection that needs to be edited.
  5. Click Mappings (from the menu).
  6. Edit the email field in the mappings to match the attribute name sent by Okta.

This line must be modified:
"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

Change this line to:
"email": "Email"

Now, the entire mapping object should look something like this:

{
  "user_id": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "email": "Email",
  "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "given_name": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
  "groups": "http://schemas.xmlsoap.org/claims/Group"
}

Perform another login, and the Email attribute should now be present in the user’s profile.
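As an added example (not Auth0’s or Okta’s code), the following Python model of the mapping logic described above parses a constructed assertion and resolves the profile under the three mapping objects discussed: the original emailaddress claim (email stays empty), the nameId workaround, and the ‘Email’ attribute fix. The rule that the nameidentifier claim resolves to the assertion’s NameID is an assumption made for this model, and the assertion and the user jane@example.com are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed sample assertion (not a captured Okta response): the NameID carries
# the email and the IdP sends a custom "Email" attribute but no emailaddress claim.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="%sname"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""" % CLAIMS

def extract_attributes(assertion_xml):
    """Return (name_id, {attribute_name: first_value}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
    return name_id, attrs

def apply_mappings(mappings, name_id, attrs):
    """Resolve each profile field from the first mapped source that is present.
    Assumption for this model: the nameidentifier claim resolves to the NameID."""
    profile = {}
    for field, sources in mappings.items():
        candidates = [sources] if isinstance(sources, str) else sources
        values = [name_id if s == CLAIMS + "nameidentifier" else attrs.get(s, "")
                  for s in candidates]
        profile[field] = next((v for v in values if v), "")
    return profile

# Mapping as it stood before the fix (email points at the emailaddress claim).
DEFAULT_MAPPINGS = {
    "user_id": [CLAIMS + "nameidentifier", CLAIMS + "upn", CLAIMS + "name"],
    "email": CLAIMS + "emailaddress",
    "name": CLAIMS + "name",
}
# Workaround: map email to the NameID claim. Fix: map email to Okta's "Email" attribute.
NAMEID_WORKAROUND = dict(DEFAULT_MAPPINGS, email=CLAIMS + "nameidentifier")
FIXED_MAPPINGS = dict(DEFAULT_MAPPINGS, email="Email")

def resolve_profile(assertion_xml, mappings):
    """Profile this model builds from the assertion under the given mappings."""
    name_id, attrs = extract_attributes(assertion_xml)
    return apply_mappings(mappings, name_id, attrs)
```

Running `resolve_profile(SAMPLE_ASSERTION, DEFAULT_MAPPINGS)` reproduces the symptom (user_id filled from NameID, email empty), and the same call with FIXED_MAPPINGS shows the email populated.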
