Map SAML attributes to user_metadata attributes

Problem statement

Our enterprise connection (a SAML provider) returns custom attributes such as Firstname and Lastname. We want them mapped to user_metadata.first_name and user_metadata.last_name. How do I do this?

Solution

The “Mappings” tab (Auth0 Dashboard > Authentication > Enterprise > SAML > Your SAML Connection > Mappings) cannot be used to map attributes in the SAML assertion to user_metadata. For example, the following mappings won’t work:

{
  "user_metadata.first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname",
  "user_metadata.last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname"
}

Saving them fails with the error message:

"Fields with \".\" are not allowed, please remove all dotted fields. Example: options.fieldsMap.user_metadata.first_name".

Instead, we can use Rules/Actions. Please see case 4 in the Community FAQ How to Map SAML Attributes when Auth0 is the SP in the SAML Enterprise Connection.

Here is an example rule:

function mapSamlToUserMetadata(user, context, callback){
  // When the rule executes, the SAML mapping has already been applied, and the
  // mapped SAML attributes are available as root attributes on the user profile
  user.user_metadata = user.user_metadata || {};
  var needsUpdate = false;

  // If the attribute is already stored in user_metadata, no update is needed
  if (user.first_name && user.user_metadata.first_name !== user.first_name) {
    user.user_metadata.first_name = user.first_name;
    needsUpdate = true;
  }

  // Check other SAML attributes the same way, e.g. last_name
  if (user.last_name && user.user_metadata.last_name !== user.last_name) {
    user.user_metadata.last_name = user.last_name;
    needsUpdate = true;
  }

  if (!needsUpdate) {
    // Nothing changed: skip the expensive Management API call.
    // Return here so the callback is not invoked a second time below.
    return callback(null, user, context);
  }

  // persist the user_metadata update
  auth0.users.updateUserMetadata(user.user_id, user.user_metadata)
    .then(function(){
      callback(null, user, context);
    })
    .catch(function(err){
      callback(err);
    });
}

The reason for checking whether the SAML attributes actually changed is to avoid the auth0.users.updateUserMetadata call whenever possible, because it is an expensive Management API call. Rules run on every login, including silent authentication, so expensive API calls in rules should be avoided as much as possible.
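As an added example (not the article's own rule), the same idea generalized to a map of SAML-mapped root attributes to user_metadata keys, with the change detection pulled into a pure helper so it can be unit-tested outside the Rules runtime; the attribute names in SAML_TO_METADATA are assumptions and should match your own Mappings configuration.

```javascript
// Added example, not the article's rule. Generalizes the "only update when
// something changed" check to a map of root attributes -> user_metadata keys,
// so the expensive auth0.users.updateUserMetadata call is skipped on logins
// where stored metadata already matches the SAML assertion.

// Root attribute on the Auth0 profile (populated by the Mappings tab) ->
// user_metadata key. These names are assumptions; adjust to your mapping.
const SAML_TO_METADATA = {
  first_name: 'first_name',
  last_name: 'last_name',
};

// Pure helper: returns { changed, user_metadata } without calling any API.
// Only attributes present in the assertion are considered, so a SAML
// attribute missing from this login never wipes an existing metadata value.
function pendingMetadataChanges(user, fieldMap) {
  const metadata = Object.assign({}, user.user_metadata || {});
  let changed = false;
  for (const [rootAttr, metaKey] of Object.entries(fieldMap)) {
    const value = user[rootAttr];
    if (value === undefined || value === null) continue;
    if (metadata[metaKey] !== value) {
      metadata[metaKey] = value;
      changed = true;
    }
  }
  return { changed, user_metadata: metadata };
}

// Rule entry point; the Auth0 Rules runtime provides `auth0`, `user`,
// `context` and `callback`.
function mapSamlToUserMetadata(user, context, callback) {
  const { changed, user_metadata } = pendingMetadataChanges(user, SAML_TO_METADATA);
  user.user_metadata = user_metadata;
  if (!changed) {
    // Nothing to persist: return early and skip the Management API call.
    return callback(null, user, context);
  }
  auth0.users.updateUserMetadata(user.user_id, user_metadata)
    .then(() => callback(null, user, context))
    .catch((err) => callback(err));
}
```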
