How to map extra SAML attributes from idP into Auth0 Profile

justinoc · June 7, 2021, 8:39pm

Hello–

I have Auth0 setup as a SAML sP for my application. I’ve used the SAML mappings under the Enterprise Connection editor to map the standard attributes like User ID, Name, First Name, Last Name, Email, etc.

However, the idP (Ping) is passing a couple of extra attributes for user office ID and user department ID. These are not part of the Auth0 user profile. I assumed I could map them to either user_metadata or app_metadata, but the mapper does not allow ‘dotting’ the attribute (e.g. "user_metadata.office_id’ : “office_id” returns an error that ‘.’ is not allowed).

I’ve seen the topics for adding metadata to the response if Auth0 is the idP via rules, but thats for the reverse direction (Auth0 is the sP, Ping is the idP). Nothing to map extra attributes when logging in from an external idP. I see them in the Users RAW JSON, but can’t get them into a field that is readable by the application using the PHP-SDK. Alternatively, if I could read that Identity Provider Raw JSON from the app, that would suffice as well.

Everything else is working well on this setup, this is my last hurdle to overcome. Open to any suggestions here. Tanks!

justin.skiles · June 24, 2021, 9:14pm

Having the same issue. I’m using IdP-initiated SSO via SAML. An external IDP is sending SAMLResponse with some attributes that don’t map to OIDC compliant fields such as “userType” and “NPI”. I’m unsure of how to map these incoming SAML attributes into something like the user’s metadata. I’ve tried using rules, but I don’t see how the SAML attributes are accessible from the user or context objects.

justin.skiles · June 24, 2021, 9:31pm

I figured it out. It’s not intuitive, and I’m not sure it’s the best way, but it does seem to work.

In your Enterprise SSO connection for SAML SP, go to the Mappings tab and add the mappings for the fields that you want. Example:

  "user_type": "http://schemas.com/user_type",
  "npi": "http://schemas.com/npi"

This will then map the fields in the user’s properties (visible in Raw JSON view on user screen).

Then you can create a new rule which extracts from the samlp identity profile data into the user metadata.

function mapSamlAttributes(user, context, callback) {
  if(user.identities) {
    if(!user.user_metadata) {
      user.user_metadata = {};
    }
  	user.user_metadata.user_type = user.identities[1].profileData.user_type;
  	user.user_metadata.npi = user.identities[1].profileData.npi;
  }
  
  callback(null, user, context);
}

This can probably be improved by not hardcoding an index into the identities collection and instead looking for the exact identity you want.

konrad.sopala · June 25, 2021, 7:17am

Thanks for sharing it with the rest of community!

system · July 10, 2021, 7:18am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Map SAML attributes to user_metadata attributes via action Help identifier-first , login-experience	3	1482	September 26, 2024
Access to user information from a SAML-Identity Provider Help samlp , saml2	7	5578	March 7, 2019
Adding a SAML response attribute to differentiate one User's linked Identities Help	4	2424	December 22, 2022
Add user_metadata in SAML \| Auth0 as Idp Help application , addons	2	295	March 5, 2024
Change User ID Used by Auth0 for SAML Connection Knowledge Articles samlp , userid , mapping	1	15	October 9, 2024

How to map extra SAML attributes from idP into Auth0 Profile

Related Topics