Mapping user_id from SAML attribute other than subject

Hi,
Some background for the problem: on the IdP side, a user with the same email address can belong to different organizations. In the SAML response the email address is used as the name identifier and, with the default setup, is picked up by Auth0 as the user_id. This basically means that only one user is created in Auth0, and logging in under either organization leads to overriding the User Profile, which is undesired, as it should be considered a login of a different user with her own permissions and settings. To mitigate that, the IdP provides a custom attribute userId whose value uniquely identifies the user across all organizations.
So I'm looking for an option to override user_id with the value provided in the SAML response attribute userId from the IdP.
What I tried to do was to set up the SAML addon settings as follows, which did not take any effect:

{
  "mappings": {
    "user_id": "http://schemas.auth0.com/userId"
  },
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
  "nameIdentifierProbes": [
    "http://schemas.auth0.com/userId"
  ]
}

Is it feasible to achieve this in Auth0?

Hi @avs ,

Welcome to the Auth0 Community!

I noticed that you created a Support ticket for the same query. I will share the solution in this topic once it's available. Hopefully it can be helpful to other folks in our community.

Please try the Update connection endpoint of the Auth0 management API.

Here is the sample curl command:

curl --location --request PATCH 'https://{{auth0_domain}}/api/v2/connections/<CONNECTION_ID>' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <MGMT_API_BEARER_TOKEN>' \
--data-raw '{
    "options": {
        "fieldsMap": {
            "name": "fullName",
            "email": "email",
            "given_name": "firstName",
            "family_name": "lastName"
        }
    }
}'
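The answer above points at the connection's fieldsMap rather than the SAML addon's mappings (the addon settings in the question configure Auth0 acting as an IdP, while fieldsMap applies to an enterprise SAML connection where Auth0 is the SP). The script below is an added example, not code from the thread or from Auth0: it fetches the connection, merges a user_id entry for the custom attribute into fieldsMap, and PATCHes the connection back. The tenant domain, connection id and token are placeholders, the sample connection payload is constructed for offline use, and the merge step exists because the Update connection endpoint replaces the whole options object, so sending only a fieldsMap would wipe signInEndpoint, signingCert and the rest of the connection's settings.

```python
"""Map Auth0 user_id to a custom SAML attribute via the Management API.

Added example for the thread above; not the thread's own code or Auth0's.
"""
import copy
import json
import urllib.request

# Placeholders (assumptions, not values from the thread): tenant domain, the id of
# the SAML enterprise connection, and a Management API token with the
# read:connections and update:connections scopes.
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
CONNECTION_ID = "con_XXXXXXXXXXXXXXXX"
MGMT_API_TOKEN = "MGMT_API_BEARER_TOKEN"

# The custom attribute URI the IdP sends, as used in the question.
USER_ID_ATTRIBUTE = "http://schemas.auth0.com/userId"

# Constructed sample of a (trimmed) GET /api/v2/connections/{id} response for a
# SAML connection, so the merge logic can be exercised without a tenant.
SAMPLE_CONNECTION = {
    "id": CONNECTION_ID,
    "name": "acme-saml",
    "strategy": "samlp",
    "options": {
        "signInEndpoint": "https://idp.example.com/sso",
        "signingCert": "MIIC...constructed-placeholder...",
        "fieldsMap": {"email": "email", "name": "fullName"},
    },
}


def merge_fields_map(options, new_fields):
    """Return a copy of `options` whose fieldsMap has `new_fields` merged in.

    PATCH /api/v2/connections/{id} replaces the whole `options` object, so the
    existing settings are carried over untouched and only fieldsMap changes.
    The input dict is not modified.
    """
    merged = copy.deepcopy(options)
    fields = dict(merged.get("fieldsMap") or {})
    fields.update(new_fields)
    merged["fieldsMap"] = fields
    return merged


def build_patch_body(connection, new_fields):
    """Body for the PATCH request: a complete `options` object with the new mapping."""
    return {"options": merge_fields_map(connection.get("options", {}), new_fields)}


def _request(method, path, body=None):
    """Minimal Management API call; raises urllib.error.HTTPError on 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"https://{AUTH0_DOMAIN}/api/v2{path}",
        data=data,
        method=method,
        headers={
            "Authorization": f"Bearer {MGMT_API_TOKEN}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def set_user_id_attribute(attribute_uri=USER_ID_ATTRIBUTE):
    """GET the connection, add user_id -> attribute_uri to fieldsMap, PATCH it back,
    and return the fieldsMap the API reports after the update."""
    current = _request("GET", f"/connections/{CONNECTION_ID}")
    body = build_patch_body(current, {"user_id": attribute_uri})
    updated = _request("PATCH", f"/connections/{CONNECTION_ID}", body)
    return updated["options"]["fieldsMap"]


if __name__ == "__main__":
    print(json.dumps(set_user_id_attribute(), indent=2))
```

One consequence to plan for: once user_id is derived from the custom attribute instead of the NameID, a person whose profile was previously keyed on the email-based identifier will get a new Auth0 user on next login, which is the per-organization separation the question asks for, but it also means any roles or metadata attached to the old profile do not carry over automatically.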

Thank you, Lihua, that worked perfectly.
