SAML Attribute Mapping in Actions

Overview

This article explains how to use Actions to customize the Security Assertion Markup Language (SAML) response by mapping attributes. Actions can apply extensive or dynamic customizations to the SAML response, and any attribute set from an Action takes precedence over the static mapping configured in the Dashboard.

Applies To

  • Actions

Solution

The api.samlResponse object is used to override default SAML attributes or add new attributes. To set a SAML attribute in a post-login Action, call api.samlResponse.setAttribute(attribute, value), where attribute is the attribute name (usually a claim URI) and value is the value to emit, as documented in the post-login API Object documentation. Note that value is written literally: pass the user property (for example event.user.email), not the property's name as a string.

The following examples demonstrate common use cases for this method.

  • Change the SAML assertion lifetime and use the user principal name (UPN) as the NameID. Setting the nameidentifier attribute controls the NameID because that attribute is the first entry in the default NameID probe list. A longer lifetime widens the window in which a captured assertion can be replayed, so keep it as short as the service provider allows:
exports.onExecutePostLogin = async (event, api) => {
	// Assertion validity in seconds (36000 = 10 hours; the default is much shorter).
	api.samlResponse.setLifetimeInSeconds(36000);
	// Only map the UPN when the connection actually supplied one; setAttribute
	// writes the value it is given, so pass event.user.upn, not the string 'upn'.
	if (event.user.upn) {
		api.samlResponse.setAttribute('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier', event.user.upn);
	}
};
  • Include user_metadata attributes in an assertion:
exports.onExecutePostLogin = async (event, api) => {
	// event.user is a snapshot of the profile: assigning to it inside the Action does
	// not change the stored user. Read the value from user_metadata and fall back to a
	// default for this example; to persist a value use api.user.setUserMetadata instead.
	const metadata = event.user.user_metadata || {};
	const color = metadata.color || 'purple';
	api.samlResponse.setAttribute('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/color', color);
};
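The following is an added example, not code from the original article or from Auth0, that puts the pieces above together in one post-login Action: it maps attributes from event.user, user_metadata and app_metadata, skips attributes that have no value, refuses to use an unverified email address as the NameID, and points the NameID probes at the attribute it wrote. The sample event and the recording api stub are constructed here so the mapping logic can be exercised offline; the 'samlp' value of event.transaction.protocol and the urn:example department claim name are assumptions, and the role claim URI is the Microsoft 2008 claims namespace.

```javascript
// Added example (not from the original article or Auth0): a post-login Action
// that maps user data into SAML attributes with value and trust checks.
const CLAIMS = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/';
const ROLE_CLAIM = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role';
const DEPARTMENT_CLAIM = 'urn:example:claims:department'; // assumption: custom claim name

// Write the attribute only when the value is non-empty, so the service provider
// never receives an attribute that maps to undefined. Returns true when written.
function setIfPresent(api, name, value) {
  const empty = value === undefined || value === null || value === '' ||
    (Array.isArray(value) && value.length === 0);
  if (empty) return false;
  api.samlResponse.setAttribute(name, value);
  return true;
}

// Pure mapping logic, kept synchronous so it can be run against a stub api.
function mapSamlAttributes(event, api) {
  const user = event.user || {};
  const userMeta = user.user_metadata || {};
  const appMeta = user.app_metadata || {};

  // Prefer the UPN supplied by the connection; otherwise fall back to a verified
  // email. An unverified email must never become the NameID: on connections where
  // users choose their own email it would let them claim another SP account.
  const nameId = user.upn || (user.email_verified ? user.email : undefined);
  if (!nameId) {
    // No trustworthy identifier: leave the addon's default NameID selection alone.
    return { written: [], reason: 'no verified identifier' };
  }

  const written = [];
  const put = (name, value) => { if (setIfPresent(api, name, value)) written.push(name); };

  put(CLAIMS + 'nameidentifier', nameId);
  // Take the NameID from the attribute just written rather than the default probe list.
  api.samlResponse.setNameIdentifierProbes([CLAIMS + 'nameidentifier']);
  put(CLAIMS + 'emailaddress', user.email_verified ? user.email : undefined);
  put(CLAIMS + 'givenname', user.given_name);
  put(CLAIMS + 'surname', user.family_name);
  // Authorization data comes from app_metadata, which users cannot edit; arrays are
  // emitted as multi-valued attributes.
  put(ROLE_CLAIM, appMeta.roles);
  // Profile data the user controls may come from user_metadata.
  put(DEPARTMENT_CLAIM, userMeta.department);

  return { written, reason: null };
}

async function onExecutePostLogin(event, api) {
  // Act only on SAML logins. Assumption: event.transaction.protocol is 'samlp' for SAML.
  if (!event.transaction || event.transaction.protocol !== 'samlp') return;
  mapSamlAttributes(event, api);
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Offline stand-in for the Actions api object that records what the Action set.
function recordingApi() {
  const attributes = {};
  let probes = null;
  return {
    samlResponse: {
      setAttribute: (name, value) => { attributes[name] = value; },
      setNameIdentifierProbes: (list) => { probes = list; },
    },
    result: () => ({ attributes, probes }),
  };
}

// Constructed sample event: a social login with a verified email and no UPN.
// userOverrides lets a caller flip fields such as email_verified.
function demo(userOverrides = {}) {
  const event = {
    transaction: { protocol: 'samlp' },
    user: Object.assign({
      email: 'dana@example.com', email_verified: true,
      given_name: 'Dana', family_name: undefined,
      user_metadata: { department: 'Engineering' },
      app_metadata: { roles: ['admin', 'auditor'] },
    }, userOverrides),
  };
  const api = recordingApi();
  const outcome = mapSamlAttributes(event, api);
  return Object.assign(api.result(), outcome);
}
```

Run demo() to see the attribute set for the verified user, and demo({ email_verified: false }) to see the Action decline to set a NameID at all; in that second case the addon falls back to its own probes, which is the safer default when the Action cannot vouch for an identifier.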
