Email Attribute Is Missing in Auth0 User Profile for an Okta SAML Connection

Last Updated: Jul 28, 2025

Overview

This article explains why an email attribute may be missing from a user’s profile in Auth0 after logging in through an enterprise Security Assertion Markup Language (SAML) connection where Okta is the Identity Provider (IdP) and Auth0 is the Service Provider (SP). It also provides steps to configure the attribute mapping correctly.

Applies To

  • Auth0
  • Okta
  • Security Assertion Markup Language (SAML)
  • Enterprise Connection

Cause

The email attribute is missing because the Identity Provider (Okta) is not configured to send a dedicated email attribute in the SAML assertion that is passed to the Service Provider (Auth0).

Solution

To resolve this issue, configure Okta to send the email attribute and update the SAML connection mappings in Auth0. This is the recommended approach.

  1. In Okta, add an ‘email’ attribute to the SAML application configuration. For detailed instructions, refer to the Okta documentation, How to Define and Configure a Custom SAML Attribute Statement.
  2. Sign in to the Auth0 dashboard as an administrator.
  3. Navigate to Authentication > Enterprise.
  4. Select SAML.
  5. Select the SAML connection to edit.
  6. Select the Mappings tab.
  7. Modify the email mapping to match the new attribute sent from Okta. Change the existing line: "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" To the new value: "email": "Email"
  8. The complete mapping object should now appear similar to the following:
{
  "user_id": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "email": "Email",
  "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "given_name": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
  "groups": "http://schemas.xmlsoap.org/claims/Group"
}
  1. Select Save. After the next login, the email attribute will be present in the Auth0 user profile.

Alternatively, it is possible to map the nameidentifier attribute from Okta to the email field in Auth0 if the nameidentifier contains the user’s email address.

  1. In the Mappings tab of the SAML connection in Auth0, add or update the email mapping:
"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  1. Select Save.
1 Like