Mapping Extra SAML Attributes to App Metadata

josiah_devizia · May 17, 2023, 1:04pm

Summary:
How can we check against custom SAML attributes in Actions without the use of a Rule to move data from the root level into app_metadata?

More Detail:

We use Auth0 to cater to our B2B use case, and we have support staff and developers that occasionally need to sign into a customer site to do some debugging or configuration management. Our staff will be logging in using a SAML enterprise connection (Auth0 is serving as the SP). Our IAM policy management would prefer that we can control which staff can sign into which customer sites with security groups in our IdP.

These groups don’t have a great root level field to map to on the Auth0 user profile, so we ideally would want to put these into app_metadata. However, SAML mappings don’t support dot notation, so we have to put them into a custom field and use a Rule to move them into app_metadata, and then perform validation later in an Action. This was the best solution I could find online, and searching for an answer is difficult since Auth0 can serve as both the IdP and SP.

I am worried our use case will be unsupported since:

To map SAML attributes to metadata, we need to use a Rule or an Action. Source (scroll down to Rueben’s case 4.)
Actions don’t support “Top-level event.user attributes added by an external IdP or custom database script”. Source
Rules and Hooks have been slated for EOL next year. Source

mamacdon-sm · May 25, 2023, 3:51pm

It looks like all user attributes (including custom fields) can be obtained via the Auth0 Management API (GET /v2/users/samlp|some-idp|someUserId). So I think something like this would work:

Your SAML connection maps SAML attributes to custom top-level user attributes.
When a user logs in, your Action fetches the user’s complete profile from the Management API and makes the validation decision based on user attributes. (You can also populate app_metadata but that might be redundant.)

But this is really not ideal as it incurs 1 call against the Management API for every SAML login, and your Action has to deal with client credentials, caching the access token, etc.

It’d be much easier if event.user exposed these fields directly.

jeffxor.williams · August 29, 2023, 4:47pm

I am also having the same issue.

We use a Rule similar to the above to move root properties to the app_metadata.

Initially, I was surprised when the entire user model was unavailable in the actions.

It would be great to understand why this is the case.

What is the correct course of action with Rule being deprecated in the near future

system · December 12, 2024, 8:15am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Map SAML attributes to user_metadata attributes via action Get Help identifier-first , login-experience	3	1751	September 26, 2024
Map SAML attributes into app_metadata & user_metadata Product Feedback feature-request , app_metadata , user_metadata , samlp , shibboleth , federation , saml-attributes , saml-enterprise-connections , mapping	1	1048	August 23, 2023
How to map extra SAML attributes from idP into Auth0 Profile Get Help saml , metadata , service-provider	4	6561	July 10, 2021
Cannot Access Mapped SAML Properties inside Custom Action Get Help saml , rules , auth0-flows	6	5180	January 5, 2022
Unlocking more customization in Actions with three new capabilities Announcements rules , hooks , access-token , saml2 , actions , saml-attributes , user-attributes , usermanagement	8	3680	April 9, 2024

Mapping Extra SAML Attributes to App Metadata

Related topics