Passing custom SAML data as ApplicationMetaData and not UserMetaData

avivk · August 11, 2022, 8:08am

hey, I have static common XML attributes that I would like to pass for each user, I’m performing and IDP-initiated-flow using AWS Cognito <> Auth0 <> SP,

I have configured:

Rule to support static data with mappings (see below)
Added application metadata (see below)

but for some reason data is not passed correctly to SAML Response, if I change the mappings from client_metadata to app_metadata it works, but I would like to have same data For all users (and not setup each time).

am I’m missing something? how can I pass static XML data for every SAML response user?

thanks!

function changeSamlConfiguration(user, context, callback) {
  context.samlConfiguration = context.samlConfiguration || {};
  context.samlConfiguration.audience = 'federate-uat.ipipeline.com:saml2';
  context.samlConfiguration.mapUnknownClaimsAsIs = true;
  context.samlConfiguration.mapIdentities = false;
  console.log("aAA", context.clientMetadata);
  context.samlConfiguration.mappings = {
     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":     "user_id",
     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":       "email",
     "CompanyIdentifier":      "client_metadata.CompanyIdentifier",
  "ChannelName": "client_metadata.ChannelName",
  "Action": "client_metadata.Action",
     "Groups":      "client_metadata.Groups",
  "TimeoutURL": "client_metadata.TimeoutURL"
   };
  callback(null, user, context);
}

thameera · August 12, 2022, 6:14am

This is because the SAML mappings are always read from the user object only. In the first line of your mapping, you have set "user_id" - so when the actual mapping happens later the mapper will look for user.user_id. But there is no user.client_metadata.ChannelName so the latter part of the mapping does not work.

A trick here is to attach the attributes to the user object temporarily. For example:

user.client_metadata = client_metadata;

Now, when you specify client_metadata.ChannelName in the mapping, the mapper will later check for user.client_metadata.ChannelName which actually exists, so it’ll work.

This does not update the actual user profile. It’s just a temporary assignment that gets discarded later.

konrad.sopala · August 12, 2022, 8:06am

Thanks for helping on this one @thameera !

avivk · August 14, 2022, 7:19am

awesome, works - thanks!

Topic		Replies	Views
Passing CDATA as custom SAML data using rules Help saml , cognito	1	1983	January 8, 2024
User metadata attributes not passing via SAML Help saml , metadata , user_metadata , samlp , saml2	4	9132	November 5, 2019
User Metadata not showing up in SAML2 Web App Response Help application , addons	4	537	February 16, 2024
Map SAML attributes to user_metadata attributes via action Help identifier-first , login-experience	3	1528	September 26, 2024
Map SAML attributes into app_metadata & user_metadata Feedback feature-request , app_metadata , user_metadata , samlp , shibboleth , federation , saml-attributes , saml-enterprise-connections , mapping	1	997	August 23, 2023

Passing custom SAML data as ApplicationMetaData and not UserMetaData

Related topics