Read SAML Response Claims from IdPs inside Actions

davidhouseknechtdev · August 15, 2022, 1:29pm

I originally asked a similar question last year (Cannot Access Mapped SAML properties Inside Custom Action). The issue still persists so I am still using a custom Rule to access the SAML response field.

I would like to migrate over to Actions since those are recommended and Rules are set to be deprecated very soon (sometime in 2022). That response states:

First, I’d like to address that we will continue to support Rules until its deprecation sometime in the second half of 2022. By that time, all of the features in Rules will be integrated and available in Actions.

I really want to use Actions but this is blocking me. My setup looks like this:

My Enterprise SAML Mappings

  "custom_saml_groups": [
	"http://schemas.auth0.com/group"
  ]

My New Action

exports.onExecutePostLogin = async (event, api) => {
  const customGroups = event.user.custom_saml_groups; // THIS DOES NOT EXIST
  if (customGroups === 'MyExpectedGroup') {
    api.user.setAppMetadata('app_group', 'SpecialGroup');
  }
}

Whereas, my current Rule still works:

function(user, context, callback) {
  const customGroups =user.custom_saml_groups; // THIS EXISTS
  if (customGroups === 'MyExpectedGroup') {
     const meta = user.app_metadata;
     meta.app_group = 'SpecialGroup';
     auth0.users.updateAppMetadata(user.user_id, meta);
  }
}

Another community member recommended fetching the user from the Management API, but SGO said that wasn’t a scalable solution because of rate limits.

Is there any update on when this will be available in Actions and/or if there is a solution out there? There is no way to map SAML claims to app_metadata so my only option is to use Rules/Actions.

Thank you,

David

karolis.mazukna · November 1, 2022, 12:36pm

Are there any updates on this issue ?

dmitriyrikberg · August 20, 2023, 7:12pm

Could you help me I am looking how to get SAML response with Rule and base on your question looks like you can read saml response but when I pooked in your saml Rule I see its only have access to use metadata but I actually need whole saml response after IDP login

davidhouseknechtdev · August 21, 2023, 2:09pm

Unfortunately, I don’t have access to the full SAML response in my Rule. The user.custom_saml_groups you see in my original post comes from my SAML mappings.

I have to know what kind of SAML claims the customer is sending me in order to add the correct mapping. Once the mapping is added, I have access to the defined field in my Rule.

Since I don’t have access to the actual SAML, I needed to communicate with my customer and have them capture the HAR file so I could inspect the SAML response that way. Once I had the raw SAML, I could easily add the needed mappings.

davidhouseknechtdev · August 21, 2023, 2:13pm

For anyone else waiting for this functionality, I reached out to Auth0 support and they informed me they are working on having this feature done late August or early September (2023). They told me to keep an eye on these two resources for updates.

I will keep an eye on these and post back here once I see something.

dmitriyrikberg · August 21, 2023, 2:18pm

Thank for your respond. Yes I am trying to figure how to get saml response that I need to pass to external idp maybe with auth0.js or any GET/POST request and so far no luck