SAML Addon can't map an attribute more than once

Problem statement

I need to map the attribute email to both a “nameidentifier” and an “email” claim for a SAML assertion. On saving the mappings in the SAML 2.0 Web App addon, the second email mapping is removed from the configuration automatically.

Steps to reproduce

Create the following mapping in a SAML 2.0 Web App addon and click Save.

"mappings": {
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
  "email": "Email"
},

No error is shown, but upon reopening the settings window, only one email claim is present.

Cause

The addon appears to not support multiple claims in the mappings object using the same Auth0 profile attribute.

Solution

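To support multiple claims being mapped to the same profile attribute, a rule must be used instead to set the configuration. In the rule, the mappings object is keyed by claim name with the profile attribute as the value, so the same attribute can appear more than once. For example: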

function mapSamlAttributes(user, context, callback) {
  if (context.clientID === 'YOUR_CLIENT_ID_HERE') {
    // Keys are SAML claim names, values are Auth0 profile attributes.
    context.samlConfiguration.mappings = {
      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier':
        'email',
      'Email':
        'email',
    };

    // Examples of setting other SAML configuration options in a rule:
    context.samlConfiguration.passthroughClaimsWithNoMapping = false;
    context.samlConfiguration.createUpnClaim = false;
    context.samlConfiguration.mapIdentities = false;
  }

  callback(null, user, context);
}

Actions should be able to support this soon, after August 29th.
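
The following is an added example, not Auth0's code: it shows that an attribute-keyed JSON object like the one in the steps to reproduce cannot hold two entries for email once parsed, how to flag such duplicates before saving, and how to build the claim-keyed object used in the rule. The helper names findDuplicateKeys and toClaimKeyed are hypothetical, the sample settings text is constructed, and the duplicate check assumes a flat string-to-string mappings object.

```javascript
// Constructed sample: addon-style mappings (profile attribute -> claim name).
const addonText = `{
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
  "email": "Email"
}`;

// Hypothetical helper: report keys that occur more than once in a flat
// JSON object. String tokens are scanned in order; one followed by ':' is a key.
function findDuplicateKeys(jsonText) {
  const seen = new Set();
  const dupes = new Set();
  const token = /"((?:[^"\\]|\\.)*)"\s*(:?)/g;
  let m;
  while ((m = token.exec(jsonText)) !== null) {
    if (m[2] !== ':') continue;            // a value, not a key
    const key = JSON.parse(`"${m[1]}"`);   // decode any JSON escapes
    if (seen.has(key)) dupes.add(key); else seen.add(key);
  }
  return [...dupes];
}

// Hypothetical helper: build the claim-keyed object assigned to
// context.samlConfiguration.mappings from [attribute, claim] pairs.
// Claim names must be unique; profile attributes may repeat.
function toClaimKeyed(pairs) {
  const mappings = {};
  for (const [attribute, claim] of pairs) {
    if (Object.prototype.hasOwnProperty.call(mappings, claim)) {
      throw new Error(`claim mapped twice: ${claim}`);
    }
    mappings[claim] = attribute;
  }
  return mappings;
}

const NAMEID =
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier';
const parsed = JSON.parse(addonText);        // the later duplicate key wins
const dupes = findDuplicateKeys(addonText);  // keys lost by parsing
const ruleMappings = toClaimKeyed([['email', NAMEID], ['email', 'Email']]);
console.log(Object.keys(parsed).length, dupes, ruleMappings);
```

Running findDuplicateKeys over the settings text before saving surfaces the dropped mapping that the settings window does not report.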