Issues Mapping the Email SAML Attribute

Overview

When an Identity Provider (IdP) such as Google Workspace sends the email attribute in its SAML response, Auth0 (the Service Provider) receives it, but its value is missing from the user profile in Auth0. If the attribute is being sent to Auth0, it appears in the JSON object recorded in the login log for a successful login while Debug Mode is enabled on the connection.

Applies To

  • SAML
  • Google Workspace
  • email Attribute
  • Missing Attribute SAML

Cause

The mapping of the email attribute in the SAML connection is misconfigured: the incoming attribute name configured in the connection's Mappings does not match the attribute name the Identity Provider actually sends in the SAML assertion.

Solution

  1. In the Auth0 Dashboard, go to Authentication > Enterprise > Custom Connections > SAML and click on your SAML connection.
  2. In the Settings tab, toggle on Debug Mode and click Save Changes.
  3. Go back to Authentication > Enterprise > Custom Connections > SAML, open the menu next to your SAML connection, then click Try to test the connection.
  4. Go to Monitoring > Logs and search for "w" to find the logs with the log type Warning During Login (w). Open the log with the description "Potential private information exposed. Consider disabling Debug Mode for connection as soon as possible." If there is no "w" log, Auth0 is not receiving the SAML response from the Identity Provider.
  5. In the opened log, expand the details object:

    "details": {
      "original_profile": "{here is the JSON object with escaped characters, containing the email attribute received from the Identity Provider}"
    }

  6. Copy the name of the email attribute exactly as it appears in original_profile. If it is not there, the Identity Provider is not sending it for this test user, which is most likely a misconfiguration on the Identity Provider side. If the attribute is present here but missing from the user profile in the Auth0 Dashboard, the problem is the attribute mapping.

  7. Go to the SAML connection (Authentication > Enterprise > Custom Connections > SAML > your SAML connection name > Mappings) and add a mapping using the attribute name copied from the log:

    • On the left side, put the attribute name that you want to appear on the Auth0 profile (for example, email)
    • On the right side, put the name of the incoming SAML attribute exactly as the Identity Provider sends it (for example, email_address)
  8. Click Save Changes.

  9. Try the SAML connection and log in again.

  10. Go to User Management > Users and open the user's profile in the Auth0 Dashboard. The value of the email attribute sent through the SAML connection should now be visible.

  11. Once the email is visible on the user profile, toggle off Debug Mode in the SAML connection Settings and click Save Changes, because debug logs expose the full profile received from the Identity Provider.
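The log inspection and mapping check described in the steps above, as an added Python example that is not part of the original article or of Auth0's own tooling. The log entry is constructed here to match the shape the article describes (a "w" entry whose details.original_profile is JSON escaped inside a JSON string); the connection name, the attribute names such as email_address, and the values are made up for illustration, and the mapping dictionaries stand in for what is entered on the Mappings tab:

```python
import json
from typing import Dict, List, Optional

# Constructed sample of an Auth0 "Warning During Login (w)" log entry as the
# article describes it. Note that details.original_profile is a JSON document
# stored *inside* a JSON string, so it must be decoded a second time.
# Connection name, attribute names and values are made up for this example.
SAMPLE_LOG = json.dumps({
    "type": "w",
    "description": "Potential private information exposed. Consider disabling "
                   "Debug Mode for connection as soon as possible.",
    "connection": "my-saml-idp",
    "details": {
        "original_profile": json.dumps({
            "issuer": "https://accounts.google.com/o/saml2?idpid=EXAMPLE",
            "nameIdentifier": "jdoe",
            "email_address": "jdoe@example.com",
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Jane",
        }),
    },
})


def extract_original_profile(log_json: str) -> Dict[str, str]:
    """Decode a log entry, then decode the nested original_profile string."""
    entry = json.loads(log_json)
    if entry.get("type") != "w":
        raise ValueError("not a Warning During Login (w) log entry")
    raw = entry["details"]["original_profile"]
    # original_profile is an escaped JSON string, not an object
    return json.loads(raw) if isinstance(raw, str) else raw


def find_candidate_attributes(profile: Dict[str, str], keyword: str = "email") -> List[str]:
    """Return the incoming SAML attribute names that look like they carry the email.

    IdPs often send full URI-style names (e.g. .../claims/emailaddress) rather
    than a bare "email", so match on a case-insensitive substring of the key.
    """
    return sorted(k for k in profile if keyword in k.lower())


def check_mapping(profile: Dict[str, str], mappings: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Simulate the Mappings tab: Auth0 profile field -> incoming SAML attribute name.

    A value of None means the configured incoming attribute name does not
    appear in original_profile, i.e. the mapping is wrong and the Auth0 user
    profile field would stay empty, which is the failure this article covers.
    """
    return {auth0_field: profile.get(idp_attr) for auth0_field, idp_attr in mappings.items()}


if __name__ == "__main__":
    profile = extract_original_profile(SAMPLE_LOG)
    print("candidate email attributes:", find_candidate_attributes(profile))
    bad = {"email": "email"}            # guessed name: does not match the assertion
    good = {"email": "email_address"}   # exact name copied from original_profile
    print("bad mapping  ->", check_mapping(profile, bad))
    print("good mapping ->", check_mapping(profile, good))
```

The check is deliberately strict: the right-hand side of a mapping must match the incoming attribute name character for character, including any URI prefix, so copying the key from original_profile rather than typing it from memory is the reliable way to fill in the Mappings tab.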