How to avoid app_metadata attribute in the SAML response when Auth0 is SAML IdP


We are storing application-related data in the app_metadata field of the user. In the past, we were not used to getting the user’s app_metada in the SAML response. Recently we have observed that this app_metadata is included in SAML response, and we are getting the value as [Object, Object] for few attributes of app_meta. Because of the same reason, the payload is increased drastically.


You may set passthroughClaimsWithNoMapping to false to avoid root attributes, including app_metadata being passed in the SAML response. Auth0 will then send only a few common attributes to in the SAML response. For the remaining root attributes, you may add them in the mapping section as in the following sample.

"mappings": {
  "picture": "picture",
  ..add any other necessary claim from the user's profile

"passthroughClaimsWithNoMapping": false

1 Like

Thanks for sharing that with the rest of community Saltuk!