SAML Custom Attributes

I have followed this post:

to a very simple implementation. No filtering for an application/client ID, no resolving of existing data and mapping, just trying to hard code a single custom SAML attribute for testing.

Action(deployed):

exports.onExecutePostLogin = async (event, api) => {
  // Straight quotes are required here; the curly quotes in the original paste would be a syntax error
  api.samlResponse.setAttribute("http://example.com/protoTypeName", "protoType1");
};

I have a single application using SAML using the saml2 web add-on. I have tried both mapping this value and not mapping the value in the bindings section:

"mappings": {
  "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
  "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
  "upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
  "groups": "http://schemas.xmlsoap.org/claims/Group",
  "protoTypeName": "http://example.com/protoTypeName"
},

This attribute never shows up in the response attributes. What am I missing?

Hi @jonathan.hughes

Just to make sure, in your scenario, your Auth0 Tenant acts as the IdP for the SAML connection used right?

If that is correct, by simply using the code you provided inside a Post-Login Action the custom attribute should be visible. I have tested this out on my end and when I decoded the response via the SamlTool, the attribute was visible:

Attributes
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
auth0|{{user_id}}
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
{{user_email}}
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
{{user.name}}
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Jack
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Daniels
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
{{user.email}}
http://schemas.auth0.com/identities/default/connection
Username-Password-Authentication
http://schemas.auth0.com/identities/default/provider
auth0
http://schemas.auth0.com/identities/default/isSocial
false
http://schemas.auth0.com/clientID
{{client_id}}
http://schemas.auth0.com/created_at
2025-01-08T13:07:22.142Z
http://schemas.auth0.com/email_verified
true
http://schemas.auth0.com/nickname
{{user.nickname}}
http://schemas.auth0.com/picture
{{profilePicture_url}}
http://schemas.auth0.com/updated_at
2025-09-17T16:40:55.602Z
http://schemas.auth0.com/last_password_reset
2025-02-26T23:29:52.360Z
http://schemas.auth0.com/tenant
{{IDP_TenantName}}
http://schemas.auth0.com/multifactor
guardian
http://example.com/protoTypeName
protoType1

If you have any other questions, let me know!

Kind Regards,
Nik

Yes, I am using Auth0 as the IdP. I do agree that it should work, but it’s not. My service provider has similar logging where I see all the attributes from the response and there is no difference in that result or that tool, the custom claim just isn’t there.

@nik.baleca Were you using the SAML2 Web App add-on during your test or some other setup? If so, did you use this value in the mappings section or not? Looking to find any difference in what you tested vs what I’m doing.

Yes, I am using the SAML2 Web App Addon. I have not changed any mappings in the addon’s setting page, I have only added the same code as you did in the Post-Login Action:

exports.onExecutePostLogin = async (event, api) => {

api.samlResponse.setAttribute("http://example.com/protoTypeName", "protoType1");

};

Just to be sure, are you able to preview the SAML Attributes during the login process on the SP’s side or are you expecting for the attribute to be displayed on the returned user profile?

By any chance, have you tried to retrieve the SAML Response from the browser’s Network Activity and decode it using the provided website?

Kind Regards,
Nik
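To follow Nik's suggestion of pulling the SAMLResponse out of the browser's network activity, here is an added example (not code from the thread or from Auth0) that base64-decodes the posted value and lists the attributes the assertion actually carries, so you can check whether the custom attribute from the Post-Login Action reached the SP. The sample response embedded below is constructed for the demo; the tool is a regex-based diagnostic, not a SAML validator.

```javascript
// Added diagnostic: decode a SAMLResponse and list its attributes.
// Not part of the original thread; the sample assertion below is constructed.

function decodeSamlResponse(b64) {
  // The HTTP-POST binding sends the response base64-encoded; a raw form
  // capture may also need decodeURIComponent() before this step.
  return Buffer.from(b64, "base64").toString("utf8");
}

function unescapeXml(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">")
          .replace(/&quot;/g, '"').replace(/&amp;/g, "&");
}

// Returns { attributeName: [value, ...] } for every <Attribute> element,
// tolerating any namespace prefix (saml:, saml2:, none) and the xsi:type
// decoration that Auth0's "typedAttributes" setting adds to each value.
function extractAttributes(xml) {
  const attrs = {};
  const attrRe = /<(?:\w+:)?Attribute\b([^>]*)>([\s\S]*?)<\/(?:\w+:)?Attribute>/g;
  const valRe = /<(?:\w+:)?AttributeValue\b[^>]*>([\s\S]*?)<\/(?:\w+:)?AttributeValue>/g;
  let m;
  while ((m = attrRe.exec(xml)) !== null) {
    const name = /\bName="([^"]*)"/.exec(m[1]);
    if (!name) continue;
    const values = [];
    valRe.lastIndex = 0; // global regex keeps state between exec() calls
    let v;
    while ((v = valRe.exec(m[2])) !== null) values.push(unescapeXml(v[1].trim()));
    attrs[unescapeXml(name[1])] = values;
  }
  return attrs;
}

// True when the attribute is present (and, if given, carries the expected value).
function hasAttribute(attrs, name, expected) {
  return Object.prototype.hasOwnProperty.call(attrs, name) &&
         (expected === undefined || attrs[name].includes(expected));
}

// Constructed sample (not a real capture) in which the custom attribute is present.
const SAMPLE_XML = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml:AttributeValue xsi:type="xs:string">jack@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://example.com/protoTypeName">
   <saml:AttributeValue xsi:type="xs:string">protoType1</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>`;
const SAMPLE_B64 = Buffer.from(SAMPLE_XML).toString("base64");

const found = extractAttributes(decodeSamlResponse(SAMPLE_B64));
console.log(found);
console.log("custom attribute present:", hasAttribute(found, "http://example.com/protoTypeName", "protoType1"));
```

Replace SAMPLE_B64 with the SAMLResponse form field from your own capture; if the custom attribute is missing from the output, it never left the IdP, which points at the Action or add-on configuration rather than at the SP.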

I am only expecting these to show up in the response, not the user profile.

I can extract the response from the service provider logs or web traffic; both are identical and missing this attribute.

I am using just the default configuration with updated URLs from the add-on example. Is there something here that could be causing a difference in behavior than your experience?

{
  "audience": "https://127.0.0.1:8443/saml/",
  "recipient": "https://127.0.0.1:8443/saml/assertionConsumerService",
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "groups": "http://schemas.xmlsoap.org/claims/Group"
  },
  "createUpnClaim": true,
  "passthroughClaimsWithNoMapping": true,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": true,
  "signatureAlgorithm": "rsa-sha256",
  "digestAlgorithm": "sha256",
  "destination": "https://127.0.0.1:8443/saml/assertionConsumerService",
  "lifetimeInSeconds": 3600,
  "signResponse": false,
  "typedAttributes": true,
  "includeAttributeNameFormat": true,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
  "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
}

Hi again,

Inside the SAML2 Addon, can you try mapping this flag and let me know if there are any differences?

 "mapUnknownClaimsAsIs": true

Kind Regards,
Nik

Unfortunately no change.