Mapping a Different ID Format from SAML Response

Overview

This article explains how to use a value other than the Auth0-generated ID for the user in a SAML response.

Applies To

  • SAML Connection

Cause

Currently, it is not possible to change the User ID format, because it is created programmatically from the incoming attribute from the Identity Provider, prefixed as shown below. The first two segments (the samlp prefix and the SAML connection name) will always be prefixed to whatever you map to the user ID:

samlp|<SAML_CONNECTION_NAME>|<ATTRIBUTE_MAPPED_TO_USER_ID>

By default, if not specified, Auth0 will try to map the last part of the ID from the first of these attributes found in the response:

  "user_id": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ]

Solution

Whilst it is not possible to change the prefix of the user ID Auth0 will use, it is possible to store another ID on the user profile, for example:

{
  "user_id": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "given_name": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
  "groups": "http://schemas.xmlsoap.org/claims/Group",
  "saml_user_id": "<incoming SAML attribute here>"
}

This additional ID could, in turn, be added to tokens if required, to allow an alternative mechanism for identifying the user:
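The following is an added illustration of the two points above, not code from Auth0 or from this article: it applies the "first attribute found wins" rule to a user_id array, prepends the fixed samlp|<connection>| prefix, carries an extra saml_user_id attribute onto the profile, and builds the custom claim that would expose that ID in a token. The claim URIs are the ones listed in the article; the connection name, the employeeid attribute URI, the https://example.com/ claim namespace and the assertion values are constructed sample data.

```javascript
// Added illustration of the mapping rule described in the article; this is
// not Auth0's own code. The claim URIs are the ones listed in the article;
// the connection name and attribute values are constructed sample data.

const CLAIMS = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/';

// Mapping in the shape the article shows for a SAML connection. Where the
// value is an array, the first attribute present in the assertion wins.
const mapping = {
  user_id: [CLAIMS + 'nameidentifier', CLAIMS + 'upn', CLAIMS + 'name'],
  email: CLAIMS + 'emailaddress',
  name: CLAIMS + 'name',
  // Assumed attribute name for the alternative identifier (not from the article).
  saml_user_id: 'http://example.com/claims/employeeid',
};

// Pick the first listed attribute that the assertion actually carries;
// a missing or empty attribute is skipped rather than mapped.
function firstPresent(attributes, candidates) {
  const list = Array.isArray(candidates) ? candidates : [candidates];
  for (const uri of list) {
    const value = attributes[uri];
    if (value !== undefined && value !== null && value !== '') return value;
  }
  return undefined;
}

// Build the user profile from the assertion attributes. The user_id always
// receives the fixed prefix, so changing the mapping only changes the last part.
function mapSamlProfile(attributes, mapping, connectionName) {
  const profile = {};
  for (const [field, candidates] of Object.entries(mapping)) {
    const value = firstPresent(attributes, candidates);
    if (value !== undefined) profile[field] = value;
  }
  if (profile.user_id === undefined) {
    throw new Error('no attribute found for user_id in the SAML response');
  }
  profile.user_id = `samlp|${connectionName}|${profile.user_id}`;
  return profile;
}

// Claims that would carry the alternative ID into a token. The claim name is
// namespaced with a URL; the namespace itself is an assumption for this example.
const SAML_ID_CLAIM = 'https://example.com/saml_user_id';

function tokenClaims(profile) {
  const claims = {};
  if (profile.saml_user_id !== undefined) claims[SAML_ID_CLAIM] = profile.saml_user_id;
  return claims;
}

// Constructed sample assertion attributes (not a real response). There is no
// nameidentifier, so user_id falls back to the upn.
const sampleAttributes = {
  [CLAIMS + 'upn']: 'jdoe@example.com',
  [CLAIMS + 'name']: 'Jane Doe',
  [CLAIMS + 'emailaddress']: 'jdoe@example.com',
  'http://example.com/claims/employeeid': 'E-10042',
};

const profile = mapSamlProfile(sampleAttributes, mapping, 'my-saml-idp');
console.log(profile.user_id);        // samlp|my-saml-idp|jdoe@example.com
console.log(tokenClaims(profile));   // { 'https://example.com/saml_user_id': 'E-10042' }
```

Running this with Node shows the prefix staying fixed while the trailing segment follows whichever mapped attribute the assertion carries, and shows the extra ID available as a separate, namespaced claim rather than as a replacement for the user_id.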