Last Updated: Oct 31, 2024
Overview
The enterprise connection (SAML Provider) returns custom attributes like Firstname, Lastname. We would like these to be mapped to user_metadata.first_name and user_metadata.last_name. How do I do this?
Applies To
- SAML attribute
- user_metadata attribute
Solution
- The “Mappings” tab (Auth0 Dashboard > Authentication > Enterprise > SAML > Your SAML Connection > Mappings) cannot be used to map attributes in the SAML assertion to user_metadata. For example, the following mappings won’t work:
{
  "user_metadata.first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname",
  "user_metadata.last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname"
}
- It will give an error message:
“Fields with "." are not allowed, please remove all dotted fields. Example: options.fieldsMap.user_metadata.first_name”
NOTE: Instead, use Rules or Actions. Please see case 4 in the Community FAQ "How to Map SAML Attributes when Auth0 is the SP in the SAML Enterprise Connection".
Here is an example rule:
function mapSamlToUserMetadata(user, context, callback) {
  user.user_metadata = user.user_metadata || {};
  if (user.user_metadata.first_name === user.first_name) {
    // When the rules are executing, the SAML mapping has been done, and the
    // SAML attributes are available as root attributes in the user profile.
    // If the attribute is already up to date, there is no need to update.
    // Return here so the callback is not invoked a second time below.
    return callback(null, user, context);
  } else {
    user.user_metadata.first_name = user.first_name;
  }
  // Check if other SAML attributes exist and need an update
  // Persist the user_metadata update
  auth0.users.updateUserMetadata(user.user_id, user.user_metadata)
    .then(function () {
      callback(null, user, context);
    })
    .catch(function (err) {
      callback(err);
    });
}
The rule checks whether the SAML attributes exist and need an update in order to avoid the auth0.users.updateUserMetadata call, which is an expensive API call. Rules are executed on every user login flow (even silent authentication).
NOTE: Avoid expensive API calls in rules as much as possible.
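The rule above compares only first_name. The following is an added example, not code from the original article or from Auth0, that applies the same check to both attributes from the question and calls updateUserMetadata only when a value actually changed. It assumes the SAML mapping yields root attributes named first_name and last_name; pendingMetadataChanges, SAML_TO_METADATA, the stub auth0 object and the sample profile are constructed for illustration.

```javascript
// Added example, not Auth0's code. Root attribute names below are assumptions:
// they must match what your SAML connection mapping puts on the user profile.
const SAML_TO_METADATA = { first_name: "first_name", last_name: "last_name" };

// Return only the user_metadata keys that differ from the SAML-mapped root
// attributes, or null when nothing needs to be written.
function pendingMetadataChanges(user, fieldMap = SAML_TO_METADATA) {
  const current = user.user_metadata || {};
  const changes = {};
  for (const [rootAttr, metaKey] of Object.entries(fieldMap)) {
    const value = user[rootAttr];
    // Copy only allow-listed, non-empty string values from the assertion.
    if (typeof value !== "string" || value === "") continue;
    if (current[metaKey] !== value) changes[metaKey] = value;
  }
  return Object.keys(changes).length > 0 ? changes : null;
}

function mapSamlToUserMetadata(user, context, callback) {
  const changes = pendingMetadataChanges(user);
  if (!changes) {
    // Nothing changed: skip the expensive updateUserMetadata call.
    return callback(null, user, context);
  }
  user.user_metadata = Object.assign({}, user.user_metadata, changes);
  auth0.users.updateUserMetadata(user.user_id, user.user_metadata)
    .then(function () { callback(null, user, context); })
    .catch(function (err) { callback(err); });
}

// Constructed stand-in for the `auth0` global that the Rules runtime provides,
// so the rule can be exercised outside Auth0. It only counts update calls.
const auth0 = {
  users: {
    calls: 0,
    updateUserMetadata(userId, metadata) {
      this.calls += 1;
      return Promise.resolve();
    },
  },
};

// Constructed sample profile: the first login writes once, the second writes nothing.
const sampleUser = { user_id: "samlp|example|jdoe", first_name: "Jane", last_name: "Doe" };
mapSamlToUserMetadata(sampleUser, {}, function () {});
mapSamlToUserMetadata(sampleUser, {}, function () {});
console.log("updateUserMetadata calls:", auth0.users.calls);
```

When pasting the rule into Auth0, omit the stub auth0 object and the sample run at the bottom.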