
Newb - Rule If/Then Question

I got SAML2 working to AWS IAM with Auth0 as my IDP, with a single role. Now, I am trying to implement rules to assign different AWS roles based on user app metadata. I have it working but I am wondering if this is the most efficient route. Thoughts?

function (user, context, callback) {
  // guard before reading aws_role, otherwise a user with no app_metadata throws
  user.app_metadata = user.app_metadata || {};
  console.log('[before] user.app_metadata: ' + user.app_metadata.aws_role);

  if (user.app_metadata.aws_role === "AWS-FullAdmin") {
    // account id "111" taken from the ReadOnly branch; the posted line had "arn:aws:iam:::role", i.e. no account id
    user.awsRole = 'arn:aws:iam::111:role/Auth0-FullAdmin,arn:aws:iam::111:saml-provider/Auth0_SAML_Provider';
  }
  if (user.app_metadata.aws_role === "AWS-ReadOnlyAccounts") {
    user.awsRole = 'arn:aws:iam::111:role/Auth0-ReadOnlyAccounts,arn:aws:iam::111:saml-provider/Auth0_SAML_Provider';
  }
  console.log('awsrole1 is : ' + user.awsRole);

  // the posted code left this assignment empty; user.name is assumed here as the session name
  user.awsRoleSession = user.name;

  context.samlConfiguration.mappings = {
    // standard AWS SAML attribute names (the keys were blank in the posted copy)
    'https://aws.amazon.com/SAML/Attributes/Role': 'awsRole',
    'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'awsRoleSession'
  };

  callback(null, user, context);
}


I’m just trying something simple, which is: if user has app metadata aws_role value of AWS-FullAdmin, then pass the Admin specific AWS attribute. If aws_role is ReadOnly, pass the read only attribute.
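The same rule written as a lookup table, as an added example rather than code from the post or from Auth0: the app_metadata value is matched against an allow-list of role ARNs, a value that is not on the list denies the AWS assertion instead of silently emitting an undefined role, and the rule is wrapped in a small harness so it can be exercised outside Auth0. The account id `111111111111`, the session-name choice (`email`, falling back to `user_id`) and the `runRule` helper are assumptions for the example; the role names and the `Auth0_SAML_Provider` name come from the post, and the two attribute URLs are AWS's standard SAML attribute names.

```javascript
'use strict';

// Constructed placeholder standing in for the poster's "111" account id.
const AWS_ACCOUNT_ID = '111111111111';
const SAML_PROVIDER_ARN =
  `arn:aws:iam::${AWS_ACCOUNT_ID}:saml-provider/Auth0_SAML_Provider`;

// Allow-list: app_metadata.aws_role value -> IAM role ARN.
// Anything not listed is denied, so a mistyped or stale metadata
// value can never hand out a role by accident.
const ROLE_MAP = Object.freeze({
  'AWS-FullAdmin':        `arn:aws:iam::${AWS_ACCOUNT_ID}:role/Auth0-FullAdmin`,
  'AWS-ReadOnlyAccounts': `arn:aws:iam::${AWS_ACCOUNT_ID}:role/Auth0-ReadOnlyAccounts`,
});

// Standard AWS SAML attribute names (AWS's own names, not assumptions).
const AWS_ROLE_ATTR = 'https://aws.amazon.com/SAML/Attributes/Role';
const AWS_ROLE_SESSION_ATTR = 'https://aws.amazon.com/SAML/Attributes/RoleSessionName';

// The rule itself, in the (user, context, callback) shape Auth0 rules use.
function awsRoleRule(user, context, callback) {
  const metadata = user.app_metadata || {};
  const roleArn = ROLE_MAP[metadata.aws_role];

  if (!roleArn) {
    // Fail closed: no recognised role means no AWS assertion at all.
    // Inside an Auth0 rule you would use `new UnauthorizedError(...)` here.
    return callback(new Error('No AWS role assigned for user ' + user.user_id));
  }

  // AWS expects "<role-arn>,<provider-arn>" in the Role attribute.
  user.awsRole = roleArn + ',' + SAML_PROVIDER_ARN;
  // RoleSessionName is what appears in CloudTrail, so use a stable identifier.
  user.awsRoleSession = user.email || user.user_id;

  context.samlConfiguration = context.samlConfiguration || {};
  context.samlConfiguration.mappings = {
    [AWS_ROLE_ATTR]: 'awsRole',
    [AWS_ROLE_SESSION_ATTR]: 'awsRoleSession',
  };

  return callback(null, user, context);
}

// Hypothetical harness: runs the rule on a constructed user object and
// returns either the emitted attributes or the denial message.
function runRule(user) {
  const context = { samlConfiguration: {} };
  let result = null;
  awsRoleRule(user, context, (err, u, ctx) => {
    result = err
      ? { error: err.message }
      : { awsRole: u.awsRole, awsRoleSession: u.awsRoleSession,
          mappings: ctx.samlConfiguration.mappings };
  });
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample users: one mapped role, one unknown value, one with no metadata.
  console.log(runRule({ user_id: 'auth0|1', email: 'admin@example.com',
                        app_metadata: { aws_role: 'AWS-FullAdmin' } }));
  console.log(runRule({ user_id: 'auth0|2', email: 'x@example.com',
                        app_metadata: { aws_role: 'AWS-Unknown' } }));
  console.log(runRule({ user_id: 'auth0|3' }));
}
```

Adding a role then becomes one line in `ROLE_MAP` rather than a new `if` block, and the deny branch makes the "no role" case visible in the Auth0 logs instead of producing a SAML assertion with an undefined `Role` attribute.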