Newb - Rule If/Then Question

I got SAML2 working to AWS IAM with Auth0 as my IDP, with a single role. Now, I am trying to implement rules to assign different AWS roles based on user app metadata. I have it working but I am wondering if this is the most efficient route. Thoughts?

function (user, context, callback) {
	console.log('[before] user.app_metadata: ' + user.app_metadata.aws_role);
  user.app_metadata = user.app_metadata || {};

  if (user.app_metadata.aws_role === "AWS-FullAdmin") {
    user.awsRole = 'arn:aws:iam:::role/Auth0-FullAdmin,arn:aws:iam::111:saml-provider/Auth0_SAML_Provider';
if (user.app_metadata.aws_role === "AWS-ReadOnlyAccounts") {
    user.awsRole = 'arn:aws:iam::111:role/Auth0-ReadOnlyAccounts,arn:aws:iam::111:saml-provider/Auth0_SAML_Provider';
  	console.log('awsrole1 is : ' + user.awsRole);
  user.awsRoleSession =;
  context.samlConfiguration.mappings = {
    '': 'awsRole',
    '': 'awsRoleSession'

  callback(null, user, context);


I’m just trying something simple, which is: if user has app metadata aws_role value of AWS-FullAdmin, then pass the Admin specific AWS attribute. If aws_role is ReadOnly, pass the read only attribute.

Hello auth.hero, and great name! :tada:

That seems efficient to me. Was there any part you were particular concerned might be inefficient? In general, the only efficiency concerns in rules are that you avoid calling the management API too much (which you are not doing), making them too large (but your rule is very small), or making sure they end as early as possible / run quickly (which this should do).