
Email missing in idtoken for idp initiated SSO login using ADFS

I am trying to integrate IdP-initiated login using a SAMLP connection. I have set the scope as openid email.
IdP-initiated login is working fine, but the email claim is missing. Any idea why?

I’m afraid that this is caused by a few different situations; for example, at least the following should be checked:

  • that ADFS actually returns an email address for that user; you can check this on the user profile view in the management dashboard of your tenant.
  • that custom rules are not overriding/clearing that email value in any way.
  • that custom rules are not overriding the requested scopes.

The last two points can be quickly checked by temporarily disabling rules in a tenant used for development. If none of the above helps, it would be useful to have an HTTP trace of the login transaction so that it can be reviewed in more detail.

PFB the clarification for the points.

1. I have got the email in the user profile in the Auth0 Dashboard, but no email in the token claims.
2 and 3. I have disabled all the rules; still no email claim.

Attaching the HAR file link.

Thanks for doing the tests and sharing the HAR; I did some initial tests with a connection configured similar to the one being used in the trace and I could not reproduce the situation. In my case the returned ID token contained email information.

Having said that, there’s one thing that I noticed is different between my tests and the provided trace. From your trace, the HTTP redirect response to the IdP-Initiated flow is:

Location: [callback]#access_token=[redacted]&expires_in=7200&token_type=Bearer&id_token=[redacted]

However in my tests I obtained:

Location: [callback]#access_token=[redacted]&scope=openid%20email&expires_in=7200&token_type=Bearer&state=[redacted]&id_token=[redacted]

The most interesting difference is that my response includes the scope I configured at the connection level (scope=openid%20email), while in your case this is not present. This seems to suggest that somehow your response is not respecting the configured scope, so that would explain the missing email.

However, this still leaves us pretty much in the same place, as I could not find out why in your case the scope in the response is not the one you configured. During troubleshooting I also noticed that the user in question was deleted after the test. Would it be possible for you to repeat a test (you can leave rules enabled this time), capture another HAR and then not delete the user in question?

In addition to that, can you confirm if this is only specific to the IdP-Initiated flow? In other words, if the client application, after receiving the response (without email) as part of the IdP-Initiated flow, performs a subsequent login request (SP-Initiated), is the email returned?
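The comparison of the two Location headers above can be automated. The following is an added example (not code from the thread or from Auth0) that parses the redirect fragment, reports whether the scope parameter is present and whether the ID token payload carries an email claim; the callback URL and the tokens are constructed placeholders, and the token payload is decoded without signature verification, purely for inspection.

```python
import base64
import json
from urllib.parse import urlsplit, parse_qs


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(id_token: str) -> dict:
    # Decodes the payload only; the signature is NOT checked. Use this to see
    # which claims were issued, never to trust them.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def inspect_redirect(location: str) -> dict:
    # The IdP-Initiated response carries its parameters in the URL fragment.
    params = {k: v[0] for k, v in parse_qs(urlsplit(location).fragment).items()}
    scopes = params.get("scope", "").split()
    claims = unverified_claims(params["id_token"]) if "id_token" in params else {}
    return {
        "scope_present": "scope" in params,
        "email_scope": "email" in scopes,
        "email_claim": "email" in claims,
        "claims": sorted(claims),
    }


def _fake_jwt(payload: dict) -> str:
    # Constructed, unsigned token for the demo: header.payload.<dummy signature>.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"


# Constructed samples mirroring the two Location headers quoted in the thread.
GOOD = ("https://app.example/callback#access_token=x&scope=openid%20email"
        f"&expires_in=7200&token_type=Bearer&id_token={_fake_jwt({'sub': '1', 'email': 'a@b.c'})}")
BAD = ("https://app.example/callback#access_token=x&expires_in=7200"
       f"&token_type=Bearer&id_token={_fake_jwt({'sub': '1'})}")

if __name__ == "__main__":
    for name, loc in (("good", GOOD), ("bad", BAD)):
        print(name, inspect_redirect(loc))
```

To run it against a real trace, paste the Location header value from the HAR entry in place of the constructed samples.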

Ok, now I tried with a different user; there I am able to get the token with the email claim,

but with the earlier user I still have the problem.

That is indeed rather unexpected; I can see that the user for which it works is a user that has linked accounts, but I confess I don’t see how that could influence the situation. Is it feasible for you to test this in a new tenant? You can create a new free (trial) subscription.