Email mapping not working as expected

We have a SAMLP connection to an external IdP. Our application wants to receive an authenticated user’s email address in the email profile field. As shown below in the original profile, the IdP is returning the email address as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier.

I added the following mapping to the associated connection:
{"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"}

but (as you can see in the profile below) email is not returned as expected.

Feels like I’m missing something basic - what am I doing wrong?

```json
{
  "date": "2018-03-06T21:17:01.758Z",
  "type": "s",
  "connection": "whatevs",
  "connection_id": "con_mumblemumble",
  "client_id": "evDu__mumblemumble",
  "client_name": "FullStory",
  "ip": "1.2.3.4",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0",
  "details": {
    "original_profile": "{\"sessionIndex\":\"_bedd31eae511e48728b50b877f38497516a019\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"foo@example.com\",\"nameIdAttributes\":{\"value\":\"foo@example.com\",\"Format\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\"},\"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod\":\"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport\",\"issuer\":\" https://sso.whatevs.local/sso/fullstory\"}",
    "prompts": [
      {
        "name": "saml-authenticate",
        "initiatedAt": 1520371014836,
        "completedAt": 1520371021745,
        "timers": {},
        "connection": "whatevs",
        "elapsedTime": 6909
      }
    ],
    "initiatedAt": 1520371014826,
    "completedAt": 1520371021756,
    "elapsedTime": 6930,
    "stats": {
      "loginsCount": 15
    }
  },
  "hostname": "fullstory.auth0.com",
  "user_id": "samlp|whatevs|foo@example.com",
  "user_name": "foo@example.com",
  "strategy": "samlp",
  "strategy_type": "enterprise",
  "log_id": "90020180306211701758768255994599524808210705470977998898"
}
```

:wave: @mgm

Did you make sure to specify the email in the scope parameter when initializing the authorization flow?

If so, could you share a HAR file (please make sure to remove any sensitive details such as passwords) so that we can inspect the SAMLP response further?

You can upload it to a cloud storage service of your choice (e.g. Google Drive) and share the link with us. Feel free to restrict access to the link to @auth0.com email addresses only using Sharelock.io.

Hey @kimcodes ! Thanks for the response!

Yes, we’re requesting the scope email in the request (see code snippet below). This works fine for an Okta customer, but not with this AD customer.

Unfortunately I can’t easily get you a HAR – the customer’s IdP is restricted to their local domain only. So my testing is all going through them.

Am I misunderstanding mapping though? The user’s email is present in the response, according to the logs, just in a different field. I thought that the mapping I mentioned above would have populated the email field, but apparently not?

Thanks again!
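Applying the mapping from the question to the logged `original_profile`, as an added example that is not part of this thread or of Auth0's own code. It assumes the mapping direction Auth0 documents (profile field on the left, SAML attribute name on the right) and an exact string match on the attribute name; the near-miss check is a hypothetical diagnostic added here, not something Auth0 performs.

```python
import json

# Constructed sample: the escaped "original_profile" string from the log event above,
# trimmed to the claims that matter for the mapping question.
SAMPLE_EVENT = {"details": {"original_profile": json.dumps({
    "sessionIndex": "_bedd31eae511e48728b50b877f38497516a019",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "foo@example.com",
    "nameIdAttributes": {"value": "foo@example.com",
                         "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"},
    "issuer": " https://sso.whatevs.local/sso/fullstory",
})}}

# The mapping from the question: Auth0 profile field -> SAML attribute name (assumed direction).
MAPPING = {"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"}


def saml_attributes(event):
    """Decode the escaped original_profile JSON string carried inside an Auth0 log event."""
    return json.loads(event["details"]["original_profile"])


def apply_mapping(mapping, attributes):
    """Resolve each mapped profile field by exact attribute-name match.
    Returns (resolved profile fields, attribute names that were not found)."""
    profile, missing = {}, []
    for field, attr_name in mapping.items():
        if attr_name in attributes:
            profile[field] = attributes[attr_name]
        else:
            missing.append(attr_name)
    return profile, missing


def near_misses(missing, attributes):
    """Hypothetical diagnostic: for each missing name, list assertion attributes that
    would have matched if surrounding whitespace and letter case were ignored."""
    norm = lambda s: s.strip().lower()
    return {name: [a for a in attributes if norm(a) == norm(name)] for name in missing}


if __name__ == "__main__":
    attrs = saml_attributes(SAMPLE_EVENT)
    resolved, missing = apply_mapping(MAPPING, attrs)
    print("resolved:", resolved)          # {'email': 'foo@example.com'}
    print("missing :", missing)           # []
    print("near-misses:", near_misses(missing, attrs))
```

Run against a real log event, a non-empty `missing` list with a near-miss hit points at a whitespace or case difference in the configured attribute name rather than at the IdP.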

Hey there!

Sorry for such a huge delay in response! We're doing our best to provide you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.

I wanted to reach out to ask whether you still require further assistance.