Problem statement
A SAML add-on configuration has been deliberately configured with two “email” attributes.
{
  "mappings": {
    "given_name": "First Name",
    "family_name": "Last Name",
    "email": "Email",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  },
  "passthroughClaimsWithNoMapping": false,
  "createUpnClaim": false,
  "mapIdentities": false
}
However, the "email": "Email" entry is absent from the mappings once the configuration is saved.
It seems that the same Auth0 attribute ("email") cannot be mapped to two different SAML attributes in the add-on configuration.
Cause
This is a limitation of the SAML add-on: its mappings object is keyed by the Auth0 attribute name, so a second "email" key cannot coexist with the first, and the add-on clears the duplicated email entry upon saving. The solution is to map the same attribute multiple times through a Rule instead.
Solution
Provide the mapping configuration within a Rule. It is then possible to emit "email" both as the 'nameidentifier' claim and as an 'Email' claim. The configuration is very similar, except that in a Rule the SAML attribute name is the key and the Auth0 attribute is the right-hand value, so each SAML attribute is a distinct key even when several of them point at the same Auth0 attribute:
function mapSamlAttributes(user, context, callback) {
  // Only apply these mappings to the one SAML application; replace the placeholder with its client ID.
  if (context.clientID === 'YOUR_CLIENT_ID_HERE') {
    // Key: SAML attribute name emitted in the assertion. Value: Auth0 user attribute it is read from.
    // The same Auth0 attribute ('email') may appear as the value of several keys.
    context.samlConfiguration.mappings = {
      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier': 'email',
      'Email': 'email',
      'First Name': 'given_name',
      'Last Name': 'family_name',
      'RoleID': 'groups'
    };
    // Same add-on settings as in the problem statement, now set from the Rule.
    context.samlConfiguration.passthroughClaimsWithNoMapping = false;
    context.samlConfiguration.createUpnClaim = false;
    context.samlConfiguration.mapIdentities = false;
  }
  callback(null, user, context);
}
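The following is an added illustration, not Auth0's code: it shows why a mappings object keyed by the Auth0 attribute can hold only one "email" entry, and how the Rule-style mapping (SAML attribute name as key) lets one user attribute appear under two SAML attribute names. The assertion builder, the sample user and the add-on configuration text are constructed for this example; the builder is an assumed simplification of the add-on's behaviour for the case discussed here.

```javascript
// Constructed add-on configuration, shaped as in the problem statement above.
const addonConfigText = `{
  "mappings": {
    "email": "Email",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  }
}`;

// A JSON object cannot carry two identical keys: the parser keeps only the
// last "email", so the "Email" mapping silently disappears.
function parsedAddonMappings() {
  return JSON.parse(addonConfigText).mappings;
}

// Rule-style mapping: key = SAML attribute name, value = Auth0 user attribute.
// Every key is distinct, so 'email' can be referenced as many times as needed.
const ruleMappings = {
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier': 'email',
  'Email': 'email',
  'First Name': 'given_name',
  'Last Name': 'family_name'
};

// Simulated assertion builder (assumption: mirrors only the behaviour this page
// describes). With passthrough disabled, unmapped user attributes are dropped.
function buildSamlAttributes(user, mappings, passthroughClaimsWithNoMapping) {
  const attributes = {};
  const mappedUserAttrs = new Set(Object.values(mappings));
  for (const [samlName, userAttr] of Object.entries(mappings)) {
    if (user[userAttr] !== undefined) attributes[samlName] = user[userAttr];
  }
  if (passthroughClaimsWithNoMapping) {
    for (const [userAttr, value] of Object.entries(user)) {
      if (!mappedUserAttrs.has(userAttr)) attributes[userAttr] = value;
    }
  }
  return attributes;
}

// Constructed sample user; 'nickname' has no mapping and is used to show passthrough.
const sampleUser = {
  email: 'alice@example.com',
  given_name: 'Alice',
  family_name: 'Doe',
  nickname: 'ali'
};
```

Running `buildSamlAttributes(sampleUser, ruleMappings, false)` yields both the nameidentifier claim and the Email claim populated from the single `email` attribute, while `parsedAddonMappings()` contains just one key.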