Migrating Rule to Action WS-Fed with SAML mappings

We use Auth0 to authenticate users of an ASP.NET & IIS web application via WS-Fed and a custom Rule. I’m looking into migrating the Rule to an Action but I’m not sure if what we require is currently supported with an Action.

The Rule sets the following samlConfiguration options:

function (user, context, callback) {
    // exclude the upn claim creation (defaults to true)
    context.samlConfiguration.createUpnClaim = false;

    // exclude the identities array (defaults to true)
    context.samlConfiguration.mapIdentities = false;

    // exclude claims that were not explicitly mapped (defaults to true)
    context.samlConfiguration.passthroughClaimsWithNoMapping = false;

    // map outgoing claim URIs to user profile properties (dot paths reach into metadata)
    context.samlConfiguration.mappings = {
        'http://schemas.microsoft.com/ws/2008/06/identity/claims/nameidentifier': 'user_id',
        'http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress': 'email',
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'user_metadata.druuiid',
        'http://schemas.microsoft.com/ws/2008/06/identity/claims/givenname': 'given_name',
        'http://schemas.microsoft.com/ws/2008/06/identity/claims/surname': 'family_name',
        'http://schemas.microsoft.com/ws/2008/06/identity/claims/upn': 'upn',
        'http://schemas.microsoft.com/ws/2008/06/identity/claims/role': 'app_metadata.roles',
    };

    callback(null, user, context);
}

We then call an external web service to retrieve a user ID and list of roles based on their email; this information is then added to the user.user_metadata and user.app_metadata objects which are used by the above mappings.

I’d like to understand if what we’re currently doing is achievable via an Action, and if not, whether there is an alternative or whether we need to wait on new functionality to be added to Actions?

Edited web.xml with only relevant sections for reference:

<configuration>
    <configSections>
        <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    </configSections>
    <appSettings>
        <add key="FederationMetadataLocation" value="https://TENANT.eu.auth0.com/wsfed/FederationMetadata/2007-06/FederationMetadata.xml" />
    </appSettings>
    <system.identityModel>
        <identityConfiguration>
            <securityTokenHandlers>
                <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
                <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            </securityTokenHandlers>
        </identityConfiguration>
    </system.identityModel>
    <microsoft.identityModel>
        <service>
            <audienceUris>
                <add value="https://example.com/" />
            </audienceUris>
            <federatedAuthentication>
                <wsFederation passiveRedirectEnabled="true" issuer="https://TENANT.eu.auth0.com/wsfed" realm="https://example.com/" requireHttps="false" reply="https://example.com/map/" />
                <cookieHandler name="fedauth_001" requireSsl="false" />
            </federatedAuthentication>
            <applicationService>
                <claimTypeRequired>
                    <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
                </claimTypeRequired>
            </applicationService>
            <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
                <trustedIssuers>
                    <add thumbprint="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" name="urn:auth0TENANT" />
                </trustedIssuers>
            </issuerNameRegistry>
            <certificateValidation certificateValidationMode="None" />
        </service>
    </microsoft.identityModel>
</configuration>

Hey there!

As this topic is related to Rules - Hooks - Actions and Rules & Hooks are being deprecated soon I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!

This is now possible via a post-login action:

exports.onExecutePostLogin = async (event, api) => {
    // exclude the upn claim creation (defaults to true)
    api.samlResponse.setCreateUpnClaim(false);

    // exclude the identities array (defaults to true)
    api.samlResponse.setMapIdentities(false);

    // exclude claims that were not explicitly mapped (defaults to true)
    api.samlResponse.setPassthroughClaimsWithNoMapping(false);

    // set nameIdentifierFormat and probe
    api.samlResponse.setNameIdentifierFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
    api.samlResponse.setNameIdentifierProbes(["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]);

    // Map attributes
    const user = event.user;
    api.samlResponse.setAttribute("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", user.email);
    api.samlResponse.setAttribute("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", user.user_id);
    api.samlResponse.setAttribute("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", user.given_name);
    api.samlResponse.setAttribute("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", user.family_name);
};
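The original question also called an external service for the user ID and roles and stored them in user_metadata / app_metadata before mapping. The following is an added example (not code from this thread or from Auth0) of one way to do that whole flow in a post-login Action: the service URL, the secret names PROFILE_API_URL / PROFILE_API_KEY and the response shape { id, roles } are assumptions; fetch is injected so the logic can be exercised offline, and a failed lookup denies the login rather than issuing a token with no role claim.

```javascript
// Added example, not the thread's own code. Assumed external service returns { id, roles }.
const CLAIMS = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/';
const NAME_CLAIM = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name';

// Pure function: decide which claims go out. Missing profile values are omitted
// instead of being emitted as "undefined" attributes; role is always an array.
function buildSamlAttributes(user, profile) {
  const attrs = {
    [CLAIMS + 'nameidentifier']: user.user_id,
    [CLAIMS + 'emailaddress']: user.email,
    [NAME_CLAIM]: profile.id,
    [CLAIMS + 'givenname']: user.given_name,
    [CLAIMS + 'surname']: user.family_name,
    [CLAIMS + 'role']: Array.isArray(profile.roles) ? profile.roles : [],
  };
  return Object.fromEntries(Object.entries(attrs).filter(([, v]) => v != null));
}

// Look up the external profile (assumed URL scheme). fetchImpl is injectable for tests.
async function lookupProfile(email, baseUrl, apiKey, fetchImpl = fetch) {
  const res = await fetchImpl(`${baseUrl}/users?email=${encodeURIComponent(email)}`, {
    headers: { Authorization: `Bearer ${apiKey}` },
  });
  if (!res.ok) throw new Error(`profile lookup failed: HTTP ${res.status}`);
  return res.json();
}

async function onExecutePostLogin(event, api, fetchImpl = fetch) {
  const user = event.user;
  let profile;
  try {
    profile = await lookupProfile(user.email, event.secrets.PROFILE_API_URL,
                                  event.secrets.PROFILE_API_KEY, fetchImpl);
  } catch (e) {
    api.access.deny(`profile lookup unavailable: ${e.message}`); // fail closed
    return;
  }
  // Persist what the Rule used to write, so other consumers of metadata still work.
  api.user.setUserMetadata('druuiid', profile.id);
  api.user.setAppMetadata('roles', profile.roles);

  api.samlResponse.setCreateUpnClaim(false);
  api.samlResponse.setMapIdentities(false);
  api.samlResponse.setPassthroughClaimsWithNoMapping(false);
  for (const [claim, value] of Object.entries(buildSamlAttributes(user, profile))) {
    api.samlResponse.setAttribute(claim, value);
  }
}
// Auth0 looks for exports.onExecutePostLogin; guarded so the file also loads as an ES module.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```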