How to map extra SAML attributes from idP into Auth0 Profile

justinoc · June 7, 2021, 8:39pm

Hello–

I have Auth0 setup as a SAML sP for my application. I’ve used the SAML mappings under the Enterprise Connection editor to map the standard attributes like User ID, Name, First Name, Last Name, Email, etc.

However, the idP (Ping) is passing a couple of extra attributes for user office ID and user department ID. These are not part of the Auth0 user profile. I assumed I could map them to either user_metadata or app_metadata, but the mapper does not allow ‘dotting’ the attribute (e.g. "user_metadata.office_id’ : “office_id” returns an error that ‘.’ is not allowed).

I’ve seen the topics for adding metadata to the response if Auth0 is the idP via rules, but thats for the reverse direction (Auth0 is the sP, Ping is the idP). Nothing to map extra attributes when logging in from an external idP. I see them in the Users RAW JSON, but can’t get them into a field that is readable by the application using the PHP-SDK. Alternatively, if I could read that Identity Provider Raw JSON from the app, that would suffice as well.

Everything else is working well on this setup, this is my last hurdle to overcome. Open to any suggestions here. Tanks!

justin.skiles · June 24, 2021, 9:14pm

Having the same issue. I’m using IdP-initiated SSO via SAML. An external IDP is sending SAMLResponse with some attributes that don’t map to OIDC compliant fields such as “userType” and “NPI”. I’m unsure of how to map these incoming SAML attributes into something like the user’s metadata. I’ve tried using rules, but I don’t see how the SAML attributes are accessible from the user or context objects.

justin.skiles · June 24, 2021, 9:31pm

I figured it out. It’s not intuitive, and I’m not sure it’s the best way, but it does seem to work.

In your Enterprise SSO connection for SAML SP, go to the Mappings tab and add the mappings for the fields that you want. Example:

  "user_type": "http://schemas.com/user_type",
  "npi": "http://schemas.com/npi"

This will then map the fields in the user’s properties (visible in Raw JSON view on user screen).

Then you can create a new rule which extracts from the samlp identity profile data into the user metadata.

function mapSamlAttributes(user, context, callback) {
  if(user.identities) {
    if(!user.user_metadata) {
      user.user_metadata = {};
    }
  	user.user_metadata.user_type = user.identities[1].profileData.user_type;
  	user.user_metadata.npi = user.identities[1].profileData.npi;
  }
  
  callback(null, user, context);
}

This can probably be improved by not hardcoding an index into the identities collection and instead looking for the exact identity you want.

konrad.sopala · June 25, 2021, 7:17am

Thanks for sharing it with the rest of community!

system · July 10, 2021, 7:18am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Map SAML Attribute Statements received from an external IdP and convert them to claims Help	2	4431	August 20, 2019
Map SAML attributes into app_metadata & user_metadata Feedback feature-request , app_metadata , user_metadata , samlp , shibboleth , federation , saml-attributes , saml-enterprise-connections , mapping	1	995	August 23, 2023
Mapping Extra SAML Attributes to App Metadata Help connections , saml-enterprise-connection , deprecations	2	1773	August 29, 2023
Map SAML attributes to user_metadata attributes via action Help identifier-first , login-experience	3	1521	September 26, 2024
Mapping SAML attributes from IDP to Auth0 profile Help samlp , shibboleth	6	9025	March 13, 2020

How to map extra SAML attributes from idP into Auth0 Profile

Related Topics