Problem statement
- Auth0 customers need to be able to create SAML connections to Azure AD when the pre-built OIDC connector does not suffice, and mapping properties from Azure to Auth0 can sometimes be challenging to figure out.
Solution
- Ensure you have registered Azure as a SAML provider and created a custom SAML enterprise connection in Auth0. Steps to do this can be found here.
- In the Auth0 SAML connection settings, turn “Sync user profile attributes at each login” on. This ensures that when you update the mappings, the profile reflects the latest mapping on the next login.
- Next, set the claims you want passed over in your SAML provider on the Azure side (Home → Enterprise Applications → {Name of your SAML App in Azure} → Single Sign On → Attributes and Claims). For example, if you want to send the company name, create a claim with the namespace “http://schemas.xmlsoap.org/ws/2005/05/identity/claims” (or any namespace of your choosing) and the name “companyname”, and select the source attribute user.companyname in the dropdown.
- The final step, if you want to control the names of the properties in Auth0, is to set the mappings from the desired profile property to the attribute names sent over from Azure (example below converting companyname to company_name). Ultimately the profile should be loaded with the property named as you defined it on the left side of the mapping, and that property name should show up in the root Auth0 user profile after signing in.

NOTE: The mapping is technically not needed. If no mapping is present, the attributes sent over will appear in the Auth0 profile with a property name equal to the last segment of the claim namespace. If you want to convert the property name to something different, set up a mapping similar to the above.
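To make the mapping rule concrete, here is an added example (not Auth0's code and not part of the original article) that models how the AttributeStatement Azure sends is turned into profile properties: the mapping object's keys are the Auth0 profile property names you want, its values are the full claim names Azure sends, and any claim without a mapping falls back to the last segment of its URI, as the note above describes. The assertion below is a constructed sample, and the example assumes signature and audience validation have already been performed on the assertion before attributes are read from it.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Constructed sample: the AttributeStatement Azure AD would include once the
# "companyname" claim has been added next to the default givenname claim.
# Signature and Conditions elements are omitted because this example models
# attribute extraction only; the assertion is assumed to be already validated.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS_NS}/givenname">
      <saml:AttributeValue>Ada</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS_NS}/companyname">
      <saml:AttributeValue>Example Corp</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS_NS}/groups">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Mapping in the shape described in the article: the left side is the Auth0
# profile property you want, the right side is the claim name Azure sends.
MAPPINGS = {
    "company_name": f"{CLAIMS_NS}/companyname",
}


def extract_attributes(assertion_xml):
    """Return {claim_name: value} from the assertion's AttributeStatement.

    Multi-valued attributes (such as groups) are returned as a list.
    """
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        if not name:
            continue  # an Attribute without a Name cannot be mapped; skip it
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attributes[name] = values[0] if len(values) == 1 else values
    return attributes


def default_profile_name(claim_name):
    """Fallback used when no mapping exists: the last segment of the claim URI."""
    return claim_name.rstrip("/").rsplit("/", 1)[-1]


def map_to_profile(attributes, mappings):
    """Apply the mapping; claims without a mapping use default_profile_name."""
    claim_to_property = {claim: prop for prop, claim in mappings.items()}
    profile = {}
    for claim, value in attributes.items():
        prop = claim_to_property.get(claim, default_profile_name(claim))
        profile[prop] = value
    return profile


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    print("without mapping:", map_to_profile(attrs, {}))
    print("with mapping:   ", map_to_profile(attrs, MAPPINGS))
```

Running it shows the two outcomes the article describes side by side: with an empty mapping the claim lands on the profile as `companyname`, and with the mapping in place the same value lands as `company_name`, while unmapped claims such as `givenname` keep their URI's last segment.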