Read SAML Response Claims from IdPs inside Actions

I originally asked a similar question last year (Cannot Access Mapped SAML properties Inside Custom Action). The issue still persists so I am still using a custom Rule to access the SAML response field.

I would like to migrate over to Actions since those are recommended and Rules are set to be deprecated very soon (sometime in 2022). That response states:

First, I’d like to address that we will continue to support Rules until its deprecation sometime in the second half of 2022. By that time, all of the features in Rules will be integrated and available in Actions.

I really want to use Actions but this is blocking me. My setup looks like this:

My Enterprise SAML Mappings

  "custom_saml_groups": [

My New Action

exports.onExecutePostLogin = async (event, api) => {
  const customGroups = event.user.custom_saml_groups; // THIS DOES NOT EXIST
  if (customGroups === 'MyExpectedGroup') {
    api.user.setAppMetadata('app_group', 'SpecialGroup');

Whereas, my current Rule still works:

function(user, context, callback) {
  const customGroups =user.custom_saml_groups; // THIS EXISTS
  if (customGroups === 'MyExpectedGroup') {
     const meta = user.app_metadata;
     meta.app_group = 'SpecialGroup';
     auth0.users.updateAppMetadata(user.user_id, meta);

Another community member recommended fetching the user from the Management API, but SGO said that wasn’t a scalable solution because of rate limits.

Is there any update on when this will be available in Actions and/or if there is a solution out there? There is no way to map SAML claims to app_metadata so my only option is to use Rules/Actions.

Thank you,


1 Like

Are there any updates on this issue ?

Could you help me I am looking how to get SAML response with Rule and base on your question looks like you can read saml response but when I pooked in your saml Rule I see its only have access to use metadata but I actually need whole saml response after IDP login

Unfortunately, I don’t have access to the full SAML response in my Rule. The user.custom_saml_groups you see in my original post comes from my SAML mappings.

I have to know what kind of SAML claims the customer is sending me in order to add the correct mapping. Once the mapping is added, I have access to the defined field in my Rule.

Since I don’t have access to the actual SAML, I needed to communicate with my customer and have them capture the HAR file so I could inspect the SAML response that way. Once I had the raw SAML, I could easily add the needed mappings.

For anyone else waiting for this functionality, I reached out to Auth0 support and they informed me they are working on having this feature done late August or early September (2023). They told me to keep an eye on these two resources for updates.

I will keep an eye on these and post back here once I see something.

Thank for your respond. Yes I am trying to figure how to get saml response that I need to pass to external idp maybe with auth0.js or any GET/POST request and so far no luck

Hey there!

As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!

For posterity, this feature has been implemented in Actions now. I made the switch from Rules to Actions this morning, and our SAML mappings and Action logic are working as expected. Very thankful for all the hard work in getting this in!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.