Mapping SAML attributes from IDP to Auth0 profile

This is related to SAML Mapping: No attributes map and Map SAML Attribute Statements received from an external IdP and convert them to claims.

Here is my set-up: Auth0 as SP + Shibboleth as IDP.
The SAML connection works fine, but I am only getting back information for sub. The rest of the fields are empty.

From the Auth0 dashboard, I can see all the data returned by the IDP, see below.
How do I map them to Auth0 attributes?
I have tried to add something like

```json
{
  "name": "urn:oid:2:5:4:3"
}
```

in the mapping file, but with no result.

Arnaud

From the User Details / Raw JSON screen

```json
{
    "authenticationmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "created_at": "2020-02-17T17:09:28.580Z",
    "identities": [
        {
            "user_id": "_____________|as3760",
            "provider": "samlp",
            "connection": "_____________",
            "isSocial": false
        }
    ],
    "issuer": "https://shibidp.cit.++++++.edu/idp/shibboleth",
    "name": "",
    "nameIdAttributes": {
        "value": "as3760",
        "NameQualifier": "https://shibidp.cit.++++++.edu/idp/shibboleth",
        "SPNameQualifier": "urn:auth0:dev-an4forh7:_____________",
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
    },
    "nickname": "",
    "picture": "https://cdn.auth0.com/avatars/default.png",
    "sessionIndex": "_877ebd1abfe15bd7e64f8cdd29cb849e",
    "updated_at": "2020-02-21T21:23:41.171Z",
    "urn:oid:0:9:2342:19200300:100:1:1": "as3760",
    "urn:oid:0:9:2342:19200300:100:1:3": "as3760@++++++.edu",
    "urn:oid:1:3:6:1:4:1:5923:1:1:1:1": [
        "member",
        "staff",
        "employee"
    ],
    "urn:oid:1:3:6:1:4:1:5923:1:1:1:3": "o=++++++ University,c=US",
    "urn:oid:1:3:6:1:4:1:5923:1:1:1:5": "staff",
    "urn:oid:1:3:6:1:4:1:5923:1:1:1:6": "as3760@++++++.edu",
    "urn:oid:1:3:6:1:4:1:5923:1:1:1:7": [
        "urn:mace:dir:entitlement:common-lib-terms",
        "urn:mace:++++++.edu:zoom:user",
        "urn:mace:oclc.org:100-155-803",
        "urn:mace:++++++.edu:lynda:user",
        "urn:mace:incommon:entitlement:common:1",
        "urn:mace:++++++.edu:labarchives:user"
    ],
    "urn:oid:1:3:6:1:4:1:5923:1:1:1:9": [
        "member@++++++.edu",
        "staff@++++++.edu",
        "employee@++++++.edu"
    ],
    "urn:oid:2:16:840:1:113730:3:1:241": "Arnaud SAHUGUET",
    "urn:oid:2:5:4:3": "Arnaud SAHUGUET",
    "urn:oid:2:5:4:4": "SAHUGUET",
    "urn:oid:2:5:4:42": "Arnaud",
    "user_id": "samlp|_____________|as3760",
    "last_ip": "128.84.95.115",
    "last_login": "2020-02-21T21:23:41.171Z",
    "logins_count": 29,
    "blocked_for": [],
    "guardian_authenticators": []
}
```

The best way to do the mappings is to capture the actual SAML response from the IdP and check the attribute names from there. There’s a situation where an unmapped attribute coming from the IdP will have its name normalized to not contain any dots.

For example, if the incoming attribute is urn:oid:2.5.4.3 it will be normalized to urn:oid:2:5:4:3 unless mapped, which means using the normalized name in the mapping won’t work.

The best thing would be to look at the response, but you can also quickly try the following mapping:

```json
{
  "name": "urn:oid:2.5.4.3"
}
```

Notice the use of . instead of : in the part after urn:oid:; the same logic could also be applied to the other attributes, but as I mentioned before when in doubt check the actual SAML response or the IdP provider documentation for the actual attribute names.
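To make the normalization point above concrete, here is a small model of the behaviour the reply describes. It is an added example, not code from the thread and not Auth0's own implementation: the rule that an unmapped attribute name has each `.` turned into `:` comes from the reply, while the function names, the sample attribute values and the two mapping objects are constructed for this example. It also includes a diagnostic that flags mapping entries written with the normalized name instead of the raw one.

```javascript
// Added example: a model of the behaviour described in the reply above.
// NOT Auth0's code. The normalization rule (each '.' in an unmapped attribute
// name becomes ':') is taken from the reply; function names, sample values
// and mapping objects are constructed for this example.

// How an unmapped attribute name ends up in the Auth0 profile.
function normalizeAttributeName(name) {
  return name.replace(/\./g, ':');
}

// Apply a mapping file ({ profileField: rawSamlAttributeName }) to the
// attributes of an incoming assertion. Mapped attributes are stored under the
// profile field; everything else keeps its raw name, normalized.
function applyMapping(samlAttributes, mapping) {
  const fieldByRawName = new Map(
    Object.entries(mapping).map(([field, rawName]) => [rawName, field])
  );
  const profile = {};
  for (const [rawName, value] of Object.entries(samlAttributes)) {
    const field = fieldByRawName.get(rawName);
    profile[field || normalizeAttributeName(rawName)] = value;
  }
  return profile;
}

// Diagnostic: mapping entries that name no attribute in the assertion but
// would match one after normalization. Those were written with the
// normalized (':') name instead of the raw ('.') name from the SAML response.
function findNormalizedNamesInMapping(samlAttributes, mapping) {
  const normalizedToRaw = new Map(
    Object.keys(samlAttributes).map((raw) => [normalizeAttributeName(raw), raw])
  );
  const problems = [];
  for (const [field, rawName] of Object.entries(mapping)) {
    if (!(rawName in samlAttributes) && normalizedToRaw.has(rawName)) {
      problems.push({ field, used: rawName, expected: normalizedToRaw.get(rawName) });
    }
  }
  return problems;
}

// Constructed sample: attribute names as they appear in a Shibboleth
// assertion (dotted OIDs); the values are made up.
const SAMPLE_ATTRIBUTES = {
  'urn:oid:2.5.4.3': 'Jane Doe',                          // cn
  'urn:oid:2.5.4.42': 'Jane',                             // givenName
  'urn:oid:0.9.2342.19200300.100.1.3': 'jd1@example.edu', // mail
  'urn:oid:1.3.6.1.4.1.5923.1.1.1.1': ['member', 'staff'], // eduPersonAffiliation
};

// Mapping written with the raw names (works) and with a normalized name (does not).
const WORKING_MAPPING = { name: 'urn:oid:2.5.4.3', email: 'urn:oid:0.9.2342.19200300.100.1.3' };
const BROKEN_MAPPING = { name: 'urn:oid:2:5:4:3' };

console.log(applyMapping(SAMPLE_ATTRIBUTES, WORKING_MAPPING));
console.log(applyMapping(SAMPLE_ATTRIBUTES, BROKEN_MAPPING));
console.log(findNormalizedNamesInMapping(SAMPLE_ATTRIBUTES, BROKEN_MAPPING));
```

With `WORKING_MAPPING` the profile gets `name` and `email`, and the unmapped attributes land under their colon-separated names (for example `urn:oid:2:5:4:42`). With `BROKEN_MAPPING` nothing matches, so `name` stays empty and the cn value appears only under `urn:oid:2:5:4:3`, which is exactly the symptom in the original post; the diagnostic reports the entry together with the raw name that should have been used.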

That did the trick. Thank you :slight_smile:

This is now what I can get from the Tester app.

```json
  "sub": "samlp|cornelltech|as3465",
  "nickname": "",
  "name": "Arnaud SAHUGUET",
  "picture": "https://s.gravatar.com/avatar/c2de7a8537271b0dbf53cc65d76d9664?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fas.png",
  "updated_at": "2020-02-25T16:46:32.311Z"
}
```

I would like to add more fields.
When I do, I don’t see them in the result and the only option seems to repurpose existing fields to map more information.

Am I missing something? I thought you could add arbitrary fields from the mapping file.

That would be an ID token issued by Auth0 after the user has completed authentication. The amount of information included automatically in ID tokens will in general depend on two things:

For example, requesting scope=openid email will return an email attribute if that attribute is present in the user. Given that the ID token includes name, the application is likely requesting the profile scope (see which claims are associated to which scopes in the link above).

In addition to standard OIDC claims that can be included in the ID token simply by requesting scopes you can also explicitly add arbitrary data in custom claims through the use of rules (OpenID Connect Scopes).


That did the trick.

I looked at the user profile page to see what attributes are available.
I created simple mapping like this:

```javascript
function (user, context, callback) {
  // Custom claims must be namespaced; this prefix keeps them from colliding with standard OIDC claims.
  const namespace = 'https://myapp.example.com/';
  // Copy the eduPersonScopedAffiliation values (stored under the normalized attribute name) into the ID token.
  context.idToken[namespace + 'roles'] = user['urn:oid:1:3:6:1:4:1:5923:1:1:1:9'];
  context.idToken[namespace + 'preferred_contact'] = 'N/A';
  callback(null, user, context);
}
```

Thanks so much.

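For anyone adapting the rule above, here is an added example (not the poster's rule and not Auth0's code) of the same pattern with two details a production rule needs: a multi-valued Shibboleth attribute may arrive as an array or, when the IdP releases a single value, as a plain string, and an attribute the IdP did not release should not produce an `undefined` claim in the token. The namespace, the attribute keys and the helper names are assumptions for this example; the sample users are constructed.

```javascript
// Added example, not the thread's rule and not Auth0's code. Same pattern as
// the rule above (profile attributes -> namespaced ID-token claims), plus
// array/string handling and omission of claims for unreleased attributes.
// Namespace, attribute keys and helper names are assumptions for this example.
const NAMESPACE = 'https://myapp.example.com/';

// Profile keys as they appear in the Auth0 user object after normalization
// (unmapped SAML attributes, '.' replaced by ':').
const ATTRIBUTE_KEYS = {
  affiliations: 'urn:oid:1:3:6:1:4:1:5923:1:1:1:9',  // eduPersonScopedAffiliation
  entitlements: 'urn:oid:1:3:6:1:4:1:5923:1:1:1:7',  // eduPersonEntitlement
  display_name: 'urn:oid:2:16:840:1:113730:3:1:241', // displayName
};

// Normalize a SAML attribute value to an array of strings: [] when absent,
// a one-element array when the IdP released a single value.
function asStringArray(value) {
  if (value === undefined || value === null) return [];
  const list = Array.isArray(value) ? value : [value];
  return list.map(String);
}

// Rule body in the (user, context, callback) shape used by Auth0 rules.
function addShibbolethClaims(user, context, callback) {
  context.idToken = context.idToken || {};
  const affiliations = asStringArray(user[ATTRIBUTE_KEYS.affiliations]);
  const entitlements = asStringArray(user[ATTRIBUTE_KEYS.entitlements]);
  // Only emit a claim when there is something to put in it.
  if (affiliations.length) context.idToken[NAMESPACE + 'affiliations'] = affiliations;
  if (entitlements.length) context.idToken[NAMESPACE + 'entitlements'] = entitlements;
  const displayName = user[ATTRIBUTE_KEYS.display_name];
  if (typeof displayName === 'string' && displayName) {
    context.idToken[NAMESPACE + 'display_name'] = displayName;
  }
  callback(null, user, context);
}

// Helper for trying the rule offline: run it against a user object and
// return the ID-token claims it produced.
function claimsFor(user) {
  const context = { idToken: {} };
  let result;
  addShibbolethClaims(user, context, (err, u, ctx) => {
    if (err) throw err;
    result = ctx.idToken;
  });
  return result;
}

// Constructed sample users (values are made up).
const STAFF_USER = {
  'urn:oid:1:3:6:1:4:1:5923:1:1:1:9': ['member@example.edu', 'staff@example.edu'],
  'urn:oid:1:3:6:1:4:1:5923:1:1:1:7': 'urn:mace:incommon:entitlement:common:1', // single value
  'urn:oid:2:16:840:1:113730:3:1:241': 'Jane Doe',
};
const GUEST_USER = { 'urn:oid:2:16:840:1:113730:3:1:241': 'Guest Account' };

console.log(claimsFor(STAFF_USER));
console.log(claimsFor(GUEST_USER));
```

For `STAFF_USER` the token carries two affiliations, a one-element entitlements array and the display name; for `GUEST_USER`, who has no affiliation or entitlement attributes, only the display name claim is emitted rather than claims set to `undefined`.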

Perfect! Glad to hear that!
