Overview
This article outlines a key difference between mapping SAML attributes in the SAML2 AddOn and mapping them in a Post-Login Action.
Applies To
- SAML AddOn
- Auth0 as SAML IdP
- Post-Login Actions
- SAML mapping
Cause
Solution
The primary difference between the two methods of mapping attributes is that the SAML2 AddOn executes first during a user’s login transaction, while the Post-Login Action executes afterward.
- This distinction matters when the mappings in the SAML2 AddOn rely on user profile attributes that are added in a Post-Login Action. The following sample use case makes the distinction clear:
- On first login, a user authenticates via the SAML2 AddOn, and the mappings included in the outgoing SAML Response must contain pieces of metadata that are only added on first login within a Post-Login Action.
If the mappings are set up in the SAML2 AddOn, the above use case will fail since the user’s metadata will be updated in the Post-Login Action after the SAML2 AddOn configuration has already been executed.
The solution for this type of use case is to migrate the mapping logic into a Post-Login Action so the SAML Response can be populated with the appropriate attributes upon first login.
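
The following Post-Login Action sketches the migrated mapping logic. It is an added example, not code from the original article or from Auth0. The metadata key `account_ref`, the `deriveAccountRef` helper and the `schemas.example.com` claim URI are hypothetical names chosen for illustration.

```javascript
// Added example: Auth0 Post-Login Action that creates first-login metadata
// and maps it into the SAML Response in the same execution.
// `account_ref` and the example.com claim URI are hypothetical.
const EMAIL_CLAIM =
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
const ACCOUNT_CLAIM = "http://schemas.example.com/claims/account_ref";

// Hypothetical derivation of the value that is only added on first login.
function deriveAccountRef(user) {
  return "acct-" + user.user_id.replace(/[^A-Za-z0-9]/g, "-");
}

// Returns true when SAML attributes were set, false for non-SAML logins.
function applySamlMappings(event, api) {
  // Only SAML transactions produce a SAML Response to populate.
  if (!event.transaction || event.transaction.protocol !== "samlp") {
    return false;
  }

  // On first login the value is absent, so create and persist it here.
  // app_metadata is used because end users cannot edit it themselves.
  let accountRef = (event.user.app_metadata || {}).account_ref;
  if (!accountRef) {
    accountRef = deriveAccountRef(event.user);
    api.user.setAppMetadata("account_ref", accountRef);
  }

  // Map from the local variable so the assertion carries the value on the
  // same login that created it.
  api.samlResponse.setAttribute(EMAIL_CLAIM, event.user.email);
  api.samlResponse.setAttribute(ACCOUNT_CLAIM, accountRef);
  return true;
}

async function onExecutePostLogin(event, api) {
  applySamlMappings(event, api);
}

// Auth0 loads the handler from `exports`; the guard keeps the file loadable
// in environments where `exports` is not defined.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Once the mappings live in the Action, remove the matching entries from the SAML2 AddOn configuration so there is a single source for each attribute.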