Map SAML attributes to user_metadata attributes

lihua.zhang · May 9, 2023, 12:13am

Last Updated: Oct 31, 2024

Overview

Help Overview

The enterprise connection( SAML Provider) returns custom attributes like Firstname, Lastname. We would like this to be mapped to user_metadata.first_name and user_metadata.last_name. How do I do this?

Applies To

SAML attribute
user_metadata attribute

Solution

The “Mappings” tab ( Auth0 Dashboard > Authentication > Enterprise > SAML > Your SAML Connection > Mappings ) cannot be used to map the attributes in SAML Assertion to the user_metadata. For example, the following mappings won’t work:

{
  "user_metadata.first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname"",
  "user_metadata.last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname""
}

It will give an error message:

“Fields with "." are not allowed, please remove all dotted fields. Example: options.fieldsMap.user_metadata.first_name”

NOTE: Instead, use the Rules/Actions. Please see case 4 in the Community FAQ How to Map SAML Attributes when Auth0 is the SP in the SAML Enterprise Connection

Here is an example rule:

function mapSamlToUserMetadata(user, context, callback){
  user.user_metadata = user.user_metadata || {};
  if (user.user_metadata.first_name === user.first_name) {
    //When the rules are executing, the SAML mapping has been done, and the SAML attributes are available as the root attribute in the user profile
    // if attribute is already available, no need to update
    callback(null, user, context);
  } else {
    user.user_metadata.first_name = user.first_name;
  }

  //Check if other SAML attributes exist and need an update

  // persist the user_metadata update
  auth0.users.updateUserMetadata(user.user_id, user.user_metadata)
    .then(function(){
      callback(null, user, context);
    })
    .catch(function(err){
      callback(err);
    });
}

The reason to check if the SAML attributes exist and need update is to avoid the auth0.users.updateUserMetadata call as it is an expensive API call. The rules are executed in every user login (even silent authentication) flow.

NOTE: Avoid the expensive API calls in rules as much as possible.

Topic		Replies	Views
Map SAML attributes to user_metadata attributes via action Help identifier-first , login-experience	3	1521	September 26, 2024
Map SAML attributes into app_metadata & user_metadata Feedback feature-request , app_metadata , user_metadata , samlp , shibboleth , federation , saml-attributes , saml-enterprise-connections , mapping	1	995	August 23, 2023
How to map extra SAML attributes from idP into Auth0 Profile Help saml , metadata , service-provider	4	6292	July 10, 2021
Mapping Extra SAML Attributes to App Metadata Help connections , saml-enterprise-connection , deprecations	2	1773	August 29, 2023
User metadata attributes not passing via SAML Help saml , metadata , user_metadata , samlp , saml2	4	9123	November 5, 2019

Map SAML attributes to user_metadata attributes

Overview

Applies To

Solution

Related Topics