SAML Connection Mapping Issue

Keywords: SAML mapping attribute

Problem Statement: My SAML connection began experiencing issues around May 6, 2022 seemingly due to explicitly mapped attributes - What happened?

Solution:
There was a bug fixed in the behavior of the Auth0 SAML mapping logic which could have introduced an issue into your SAML connection mapping. Prior to the introduction of the fix, the bug may have been masking an incorrect mapping. Now that the mapping behavior is fixed the incorrect mapping could be causing an unexpected result.

Previously, any unmapped attribute in the SAML response would end up in the user profile as a root attribute (stripping any namespace). So if the SAML assertion has:

<Attribute name="http://something/something/email">john.doe@okta.com</Attribute>
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">John Doe</Attribute>

and the mapping has:

{
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
}

The previous behavior was:

  • First the explicit mappings would run, assigning the value of the .../name attribute to the email property.
  • Then the “unmapped” attributes would be assigned. The .../email attribute had not been used in the explicit mapping, so it would be assigned as a root email property of the user, thereby overwriting the value obtained in step #1.

Now that the mapping logic is fixed, the assignment made by the explicit mapping (step #1) prevails. The unmapped .../email attribute is now ignored, because the email property was already assigned the value of another attribute, as requested in the mappings object.

If you are affected by this, you’ll need to remove any unwanted explicit mapping. E.g. if you have something like the following, the result may be undesirable and lead to issues:

{
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
}

You can either explicitly map the right attribute to the email property:

{
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
}

OR, if the incoming attribute is named “email” you can remove the mapping altogether and let the “unmapped” attribute logic take care of the email. This is the default behavior.
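The two-step mapping behaviour above, modelled as an added example (this is not Auth0's own code; the attribute table, mapping objects and function names are assumptions chosen to reproduce the article's scenario). It shows how the old logic masked the incorrect mapping, how the fixed logic exposes it, and what removing the mapping yields:

```javascript
// Constructed sample assertion from the article: attribute name -> value
const ASSERTION = {
  "http://something/something/email": "john.doe@okta.com",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "John Doe",
};

// The incorrect explicit mapping from the article: profile property -> attribute name
const BAD_MAPPING = {
  email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
};

// An unmapped attribute lands at the profile root under its last path segment
// (this is the "stripping any namespace" step described in the article).
function stripNamespace(attrName) {
  return attrName.split("/").pop();
}

// Shared two-step logic; `fixed` selects the behaviour of the second step.
function mapProfile(attrs, mapping, fixed) {
  const profile = {};
  const used = new Set();
  // Step 1: explicit mappings run first
  for (const [prop, attrName] of Object.entries(mapping)) {
    if (attrName in attrs) {
      profile[prop] = attrs[attrName];
      used.add(attrName);
    }
  }
  // Step 2: attributes not consumed by an explicit mapping
  for (const [attrName, value] of Object.entries(attrs)) {
    if (used.has(attrName)) continue;
    const prop = stripNamespace(attrName);
    // Fixed logic: a property already set by an explicit mapping prevails.
    if (fixed && prop in profile) continue;
    profile[prop] = value; // old logic: silently overwrites step 1
  }
  return profile;
}

const mapProfileOld = (attrs, mapping) => mapProfile(attrs, mapping, false);
const mapProfileFixed = (attrs, mapping) => mapProfile(attrs, mapping, true);

// Old behaviour masked the bad mapping: the unmapped .../email attribute won.
console.log(mapProfileOld(ASSERTION, BAD_MAPPING));   // { email: 'john.doe@okta.com' }
// Fixed behaviour exposes it: email now holds the value of the .../name attribute.
console.log(mapProfileFixed(ASSERTION, BAD_MAPPING)); // { email: 'John Doe' }
// Second remedy from the article: drop the mapping and let the unmapped logic set email.
console.log(mapProfileFixed(ASSERTION, {}));          // { email: 'john.doe@okta.com', name: 'John Doe' }
```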

Additional SAML mapping resources:
