Passing custom SAML data as ApplicationMetaData and not UserMetaData

hey, I have static common XML attributes that I would like to pass for each user. I'm performing an IdP-initiated flow using AWS Cognito <> Auth0 <> SP.

I have configured:

  1. Rule to support static data with mappings (see below)
  2. Added application metadata (see below)

but for some reason the data is not passed correctly to the SAML Response. If I change the mappings from client_metadata to app_metadata it works, but I would like to have the same data for all users (and not set it up each time).

Am I missing something? How can I pass static XML data for every SAML response user?

thanks!

// Auth0 rule as posted: sets SAML options and maps attributes from client_metadata
// (the mapping paths are resolved against the user object, which is why the
// client_metadata.* entries below do not resolve; see the answer that follows).
function changeSamlConfiguration(user, context, callback) {
  context.samlConfiguration = context.samlConfiguration || {};
  context.samlConfiguration.audience = 'federate-uat.ipipeline.com:saml2';
  context.samlConfiguration.mapUnknownClaimsAsIs = true;
  context.samlConfiguration.mapIdentities = false;
  // Debug output: application metadata is exposed to rules as context.clientMetadata
  console.log("aAA", context.clientMetadata);
  context.samlConfiguration.mappings = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "user_id",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "CompanyIdentifier": "client_metadata.CompanyIdentifier",
    "ChannelName": "client_metadata.ChannelName",
    "Action": "client_metadata.Action",
    "Groups": "client_metadata.Groups",
    "TimeoutURL": "client_metadata.TimeoutURL"
  };
  callback(null, user, context);
}

This is because the SAML mappings are always read from the user object only. In the first line of your mapping, you have set "user_id" - so when the actual mapping happens later the mapper will look for user.user_id. But there is no user.client_metadata.ChannelName so the latter part of the mapping does not work.

A trick here is to attach the attributes to the user object temporarily. For example:

// Application metadata is available to rules as context.clientMetadata;
// attach it to the user object under the key the mappings refer to.
user.client_metadata = context.clientMetadata;

Now, when you specify client_metadata.ChannelName in the mapping, the mapper will later check for user.client_metadata.ChannelName which actually exists, so it’ll work.

This does not update the actual user profile. It’s just a temporary assignment that gets discarded later.

2 Likes
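To make the answer above concrete, here is an added example (not code from the thread or from Auth0) that runs the rule against a simplified stand-in for the SAML attribute mapper. The mapper stand-in (`resolvePath`, `buildSamlAttributes`) is an assumption about how Auth0 resolves dotted mapping paths, modelled on the explanation above: every path is looked up on the user object only. The sample user and application metadata are constructed values.

```javascript
// Added example: temporarily attaching context.clientMetadata to the user so that
// "client_metadata.X" mappings resolve. Not Auth0's own mapper code.

// Hypothetical dotted-path lookup, e.g. "client_metadata.ChannelName" -> user.client_metadata.ChannelName
function resolvePath(obj, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Rule in the same shape as the one in the question, plus the one-line fix from the answer.
function changeSamlConfiguration(user, context, callback) {
  context.samlConfiguration = context.samlConfiguration || {};
  context.samlConfiguration.mapUnknownClaimsAsIs = true;
  context.samlConfiguration.mapIdentities = false;
  // Temporary, in-memory only: the stored user profile is not modified.
  user.client_metadata = context.clientMetadata || {};
  context.samlConfiguration.mappings = {
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier': 'user_id',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'email',
    CompanyIdentifier: 'client_metadata.CompanyIdentifier',
    ChannelName: 'client_metadata.ChannelName',
    Groups: 'client_metadata.Groups'
  };
  callback(null, user, context);
}

// Simplified stand-in for the mapper: each mapping is read from the user object only;
// unresolved paths are simply omitted from the assertion, as the answer describes.
function buildSamlAttributes(user, mappings) {
  const attrs = {};
  for (const [claim, path] of Object.entries(mappings)) {
    const value = resolvePath(user, path);
    if (value !== undefined) attrs[claim] = value;
  }
  return attrs;
}

// Constructed sample input: a user and per-application metadata.
function sampleUser() {
  return { user_id: 'auth0|123', email: 'alice@example.com' };
}
function sampleContext() {
  return { clientMetadata: { CompanyIdentifier: 'ACME', ChannelName: 'Web', Groups: 'Users' } };
}

// With the fix: the client_metadata.* mappings resolve.
function runWithAttach() {
  let result;
  changeSamlConfiguration(sampleUser(), sampleContext(), (err, u, ctx) => {
    if (err) throw err;
    result = buildSamlAttributes(u, ctx.samlConfiguration.mappings);
  });
  return result;
}

// Without the fix (the situation in the question): the same path finds nothing on the user.
function runWithoutAttach() {
  return buildSamlAttributes(sampleUser(), { ChannelName: 'client_metadata.ChannelName' });
}

console.log(runWithAttach());
console.log(runWithoutAttach());
```

`runWithAttach()` yields an attribute set containing `ChannelName: 'Web'` and the name identifier, while `runWithoutAttach()` yields an empty object, which is the symptom reported in the question. Because the assignment lives only on the in-memory user object for this login, nothing is written back to the stored profile.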

Thanks for helping on this one @thameera !

awesome, works - thanks!