
Is it possible to customize SAML SP metadata to retrieve user email from IdP?

saml
metadata
samlp
saml2
service-provider

#1

My problem:

I need to customize my Service Provider metadata to request the user email in the data that is sent back by the Identity Provider.

I've found something in the SAML documentation:
AttributeConsumingService and RequestedAttribute
http://www.datypic.com/sc/saml2/e-md_AttributeConsumingService.html

But I cannot find anywhere in the Auth0 documentation or in the Auth0 UI a way to add this AttributeConsumingService tag.

So is it the right way to do it? And if yes, how can I achieve that? If not, how should I do that?


#2

To my knowledge the metadata that is available at https://{your_domain}.auth0.com/samlp/metadata?connection={connection} does not allow for dynamic configuration of attributes that the service provider (in this case your Auth0 account) wants to receive.

Technically I think the identity provider is also not obliged in any way to return specific attributes even if the metadata asked for them, however, that approach seems correct (although apparently not supported at this time) as a means to provide a hint about the attributes that are required.

In relation to how to work around this I would say that you would have to ensure the identity provider returns those attributes through some other channel. For example, the IdP may allow service provider metadata upload and then also additional manual configuration to state that a certain list of attributes will be returned independently of them being originally asked in the metadata.
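
The two points in this thread, the AttributeConsumingService/RequestedAttribute element the question refers to and the answer's observation that a RequestedAttribute is only a hint the IdP may ignore, can be seen together in the following added example. It is not code from the thread or from Auth0: it builds a minimal SP metadata document that declares an email RequestedAttribute, then checks a returned SAML response for the attributes the metadata marked as required. The entity ID, ACS URL and both sample responses are constructed placeholders; the `urn:oid:0.9.2342.19200300.100.1.3` name is the standard OID for the LDAP `mail` attribute.

```python
"""Added example (not from the Auth0 thread): build SP metadata that declares an
AttributeConsumingService/RequestedAttribute for e-mail, then check whether a
returned response actually carries the attributes the metadata marked as
required. Entity ID, URLs and the sample responses are constructed placeholders."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
XML_NS = "http://www.w3.org/XML/1998/namespace"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"  # standard OID for LDAP "mail"

ET.register_namespace("md", MD)
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


def build_sp_metadata(entity_id, acs_url, requested):
    """Return SP metadata (as a string) whose SPSSODescriptor carries one
    AttributeConsumingService listing each (name, friendly_name, is_required)."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                       {"protocolSupportEnumeration": SAMLP})
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  {"Binding": HTTP_POST, "Location": acs_url,
                   "index": "0", "isDefault": "true"})
    acs = ET.SubElement(sp, f"{{{MD}}}AttributeConsumingService",
                        {"index": "0", "isDefault": "true"})
    # ServiceName is mandatory in the schema and needs an xml:lang attribute.
    name = ET.SubElement(acs, f"{{{MD}}}ServiceName", {f"{{{XML_NS}}}lang": "en"})
    name.text = "Example service"  # constructed placeholder
    for attr_name, friendly, required in requested:
        ET.SubElement(acs, f"{{{MD}}}RequestedAttribute",
                      {"Name": attr_name, "NameFormat": URI_FORMAT,
                       "FriendlyName": friendly,
                       "isRequired": "true" if required else "false"})
    return ET.tostring(ed, encoding="unicode")


def requested_attributes(metadata_xml):
    """List (Name, is_required) for every RequestedAttribute in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [(el.get("Name"), el.get("isRequired") == "true")
            for el in root.iter(f"{{{MD}}}RequestedAttribute")]


def assertion_attribute_values(response_xml, name):
    """Return the AttributeValue texts for the named attribute in a response.
    Signature validation (omitted here) must happen before trusting any value."""
    root = ET.fromstring(response_xml)
    values = []
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip()
                          for v in attr.findall(f"{{{SAML}}}AttributeValue"))
    return values


def missing_required_attributes(metadata_xml, response_xml):
    """Names marked isRequired in the metadata that the IdP did not return."""
    return [name for name, required in requested_attributes(metadata_xml)
            if required and not assertion_attribute_values(response_xml, name)]


# Constructed sample responses (unsigned, trimmed to the AttributeStatement).
RESPONSE_WITH_MAIL = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="{MAIL_OID}" NameFormat="{URI_FORMAT}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

RESPONSE_WITHOUT_ATTRIBUTES = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:Assertion><saml:AttributeStatement/></saml:Assertion>
</samlp:Response>"""

REQUESTED = [(MAIL_OID, "mail", True), ("urn:oid:2.5.4.42", "givenName", False)]

if __name__ == "__main__":
    md = build_sp_metadata("https://sp.example.com/metadata",
                           "https://sp.example.com/acs", REQUESTED)
    print(md)
    print("missing:", missing_required_attributes(md, RESPONSE_WITHOUT_ATTRIBUTES))
```

The metadata half mirrors the element the question links to; the checking half implements the answer's caveat: because the IdP may ignore the hint, the SP should verify at login time that the required attribute is actually present rather than assuming the metadata guarantees it.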

