How to map extra SAML attributes from idP into Auth0 Profile

Hello–

I have Auth0 set up as a SAML sP for my application. I’ve used the SAML mappings under the Enterprise Connection editor to map the standard attributes like User ID, Name, First Name, Last Name, Email, etc.

However, the idP (Ping) is passing a couple of extra attributes for user office ID and user department ID. These are not part of the Auth0 user profile. I assumed I could map them to either user_metadata or app_metadata, but the mapper does not allow ‘dotting’ the attribute (e.g. "user_metadata.office_id": "office_id" returns an error that ‘.’ is not allowed).

I’ve seen the topics for adding metadata to the response if Auth0 is the idP via rules, but that’s for the reverse direction (Auth0 is the sP, Ping is the idP). Nothing to map extra attributes when logging in from an external idP. I see them in the Users RAW JSON, but can’t get them into a field that is readable by the application using the PHP-SDK. Alternatively, if I could read that Identity Provider Raw JSON from the app, that would suffice as well.

Everything else is working well on this setup; this is my last hurdle to overcome. Open to any suggestions here. Thanks!


Having the same issue. I’m using IdP-initiated SSO via SAML. An external IDP is sending SAMLResponse with some attributes that don’t map to OIDC compliant fields such as “userType” and “NPI”. I’m unsure of how to map these incoming SAML attributes into something like the user’s metadata. I’ve tried using rules, but I don’t see how the SAML attributes are accessible from the user or context objects.

I figured it out. It’s not intuitive, and I’m not sure it’s the best way, but it does seem to work.

In your Enterprise SSO connection for SAML SP, go to the Mappings tab and add the mappings for the fields that you want. Example:

  "user_type": "http://schemas.com/user_type",
  "npi": "http://schemas.com/npi"

This will then map the fields in the user’s properties (visible in Raw JSON view on user screen).

Then you can create a new rule which extracts from the samlp identity profile data into the user metadata.

function mapSamlAttributes(user, context, callback) {
  if (user.identities) {
    // Make sure there is a metadata object to write into.
    if (!user.user_metadata) {
      user.user_metadata = {};
    }
    // identities[1] is the samlp identity here (hardcoded index).
    user.user_metadata.user_type = user.identities[1].profileData.user_type;
    user.user_metadata.npi = user.identities[1].profileData.npi;
  }

  callback(null, user, context);
}

This can probably be improved by not hardcoding an index into the identities collection and instead looking for the exact identity you want.

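Added example, not part of the original posts: one way to do what the last sentence of the answer suggests, selecting the SAML identity by provider and connection instead of by index, and copying only an allowlist of string attributes. The `samlp` provider value and `context.connection` are used as they appear on Auth0 user and rule objects; the fallback to the top-level user object, the 256-character limit and the sample data are assumptions.

```javascript
// Added example, not code from the thread. Attribute names come from the post;
// the sample user and connection names below are constructed.
const ALLOWED_ATTRIBUTES = ['user_type', 'npi'];

// Find the SAML identity for the connection used in this login instead of
// relying on its position in user.identities.
function findSamlIdentity(user, connectionName) {
  const identities = Array.isArray(user.identities) ? user.identities : [];
  return identities.find(
    (id) => id.provider === 'samlp' && id.connection === connectionName
  ) || null;
}

// Copy only allowlisted, non-empty string attributes. Assumption: a linked
// identity carries them in profileData, a primary identity on the user root.
function pickSamlAttributes(user, connectionName) {
  const identity = findSamlIdentity(user, connectionName);
  if (!identity) return {};
  const source = identity.profileData || user;
  const picked = {};
  for (const name of ALLOWED_ATTRIBUTES) {
    const value = source[name];
    // 256 is an arbitrary upper bound chosen for this example.
    if (typeof value === 'string' && value.length > 0 && value.length <= 256) {
      picked[name] = value;
    }
  }
  return picked;
}

// Rule entry point with the same signature as the rule in the post.
function mapSamlAttributes(user, context, callback) {
  const picked = pickSamlAttributes(user, context.connection);
  user.user_metadata = Object.assign({}, user.user_metadata, picked);
  callback(null, user, context);
}

// Constructed sample: database identity first, SAML identity second.
const sampleUser = {
  user_metadata: { theme: 'dark' },
  identities: [
    { provider: 'auth0', connection: 'Username-Password-Authentication' },
    { provider: 'samlp', connection: 'example-saml',
      profileData: { user_type: 'clinician', npi: '0000000000', extra: 'x' } },
  ],
};
mapSamlAttributes(sampleUser, { connection: 'example-saml' }, (err, u) => {
  console.log(u.user_metadata);
});
```

Auth0 treats user_metadata as user-editable profile data, so an attribute that drives access decisions in the application is better written to app_metadata with the same selection logic.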

Thanks for sharing it with the rest of the community!
