SAML Custom Attributes

I have followed this post:

to a very simple implementation. No filtering for an application/client ID, no resolving of existing data and mapping, just trying to hard code a single custom SAML attribute for testing.

Action(deployed):

exports.onExecutePostLogin = async (event, api) => {
  api.samlResponse.setAttribute("http://example.com/protoTypeName", "protoType1");
};

I have a single application using SAML using the saml2 web add-on. I have tried both mapping this value and not mapping the value in the bindings section:

"mappings": {
  "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
  "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
  "upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
  "groups": "http://schemas.xmlsoap.org/claims/Group",
  "protoTypeName": "http://example.com/protoTypeName"
},

This attribute never shows up in the response attributes. What am I missing?

Hi @jonathan.hughes

Just to make sure: in your scenario, your Auth0 tenant acts as the IdP for the SAML connection used, right?

If that is correct, by simply using the code you provided inside a Post-Login Action the custom attribute should be visible. I have tested this out on my end and when I decoded the response via the SamlTool, the attribute was visible:

Attributes:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: auth0|{{user_id}}
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress: {{user_email}}
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: {{user.name}}
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname: Jack
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname: Daniels
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn: {{user.email}}
http://schemas.auth0.com/identities/default/connection: Username-Password-Authentication
http://schemas.auth0.com/identities/default/provider: auth0
http://schemas.auth0.com/identities/default/isSocial: false
http://schemas.auth0.com/clientID: {{client_id}}
http://schemas.auth0.com/created_at: 2025-01-08T13:07:22.142Z
http://schemas.auth0.com/email_verified: true
http://schemas.auth0.com/nickname: {{user.nickname}}
http://schemas.auth0.com/picture: {{profilePicture_url}}
http://schemas.auth0.com/updated_at: 2025-09-17T16:40:55.602Z
http://schemas.auth0.com/last_password_reset: 2025-02-26T23:29:52.360Z
http://schemas.auth0.com/tenant: {{IDP_TenantName}}
http://schemas.auth0.com/multifactor: guardian
http://example.com/protoTypeName: protoType1

If you have any other questions, let me know!

Kind Regards,
Nik

Yes, I am using Auth0 as the IdP. I do agree that it should work, but it’s not. My service provider has similar logging where I see all the attributes from the response and there is no difference in that result or that tool, the custom claim just isn’t there.

@nik.baleca Were you using the SAML2 Web App add-on during your test or some other setup? If so, did you use this value in the mappings section or not? Looking to find any difference in what you tested vs. what I'm doing.

Yes, I am using the SAML2 Web App Addon. I have not changed any mappings in the addon’s setting page, I have only added the same code as you did in the Post-Login Action:

exports.onExecutePostLogin = async (event, api) => {
  api.samlResponse.setAttribute("http://example.com/protoTypeName", "protoType1");
};

Just to be sure, are you able to preview the SAML Attributes during the login process on the SP’s side or are you expecting for the attribute to be displayed on the returned user profile?

By any chance, have you tried to retrieve the SAML Response from the browser’s Network Activity and decode it using the provided website?

Kind Regards,
Nik
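The check suggested above (pull the SAMLResponse out of the browser's network activity or the SP's logs and decode it) can be done offline without a third-party website. The script below is an added example and is not part of the original thread or of Auth0's tooling: it takes the value of the SAMLResponse form field, base64-decodes it (and inflates it if it came over the HTTP-Redirect binding), parses the assertion and lists every Attribute Name with its values, so a custom attribute such as http://example.com/protoTypeName can be confirmed present or absent. The sample response embedded in the script is constructed for the example: it is unsigned, uses a made-up issuer and user, and only mirrors the attribute layout an Auth0 SAML2 Web App response would have.

```python
"""Decode a SAML 2.0 Response and list the attributes it carries.

Added example, not code from the forum thread or from Auth0. The sample
response below is CONSTRUCTED: unsigned, made-up issuer and subject.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of what a captured SAMLResponse decodes to.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2025-09-17T16:40:55Z"
    Destination="https://127.0.0.1:8443/saml/assertionConsumerService">
  <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2025-09-17T16:40:55Z">
    <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
    <saml:Subject><saml:NameID>auth0|abc123</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jack@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>admins</saml:AttributeValue>
        <saml:AttributeValue>devs</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://example.com/protoTypeName">
        <saml:AttributeValue>protoType1</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header), as used by the HTTP-Redirect binding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


# What the two bindings put on the wire: URL-encoded base64 (HTTP-POST) and
# URL-encoded base64 of raw-deflated XML (HTTP-Redirect). Both constructed here.
SAMPLE_POST_FIELD = urllib.parse.quote(base64.b64encode(SAMPLE_XML.encode()).decode())
SAMPLE_REDIRECT_FIELD = urllib.parse.quote(
    base64.b64encode(_raw_deflate(SAMPLE_XML.encode())).decode()
)


def decode_saml_response(field_value: str) -> str:
    """Turn a SAMLResponse form/query value back into XML text.

    Accepts a still-URL-encoded value. If the base64 payload is not XML,
    it is assumed to be raw-deflated (HTTP-Redirect binding) and inflated.
    """
    raw = base64.b64decode(urllib.parse.unquote(field_value))
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")


def list_attributes(xml_text: str) -> dict:
    """Return {attribute Name: [values]} for every saml:Attribute in the response.

    Debugging aid for responses issued by your own IdP; for untrusted XML use
    defusedxml, since ElementTree expands internal entities.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "") for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def has_attribute(xml_text: str, name: str, value=None) -> bool:
    """True if the attribute is present (and, when given, carries the value)."""
    values = list_attributes(xml_text).get(name)
    if values is None:
        return False
    return value is None or value in values


if __name__ == "__main__":
    xml_text = decode_saml_response(SAMPLE_POST_FIELD)
    for name, values in list_attributes(xml_text).items():
        print(f"{name}: {values}")
    print("custom attribute present:",
          has_attribute(xml_text, "http://example.com/protoTypeName", "protoType1"))
```

To use it on a real capture, replace SAMPLE_POST_FIELD with the SAMLResponse value copied from the POST body (or the query string for a Redirect binding) and call decode_saml_response on it. If the attribute is missing from the decoded assertion, the IdP never emitted it, which rules out the SP's attribute mapping as the cause and points back at the Action (is it bound to the trigger and does it show in the login's Actions Executions log?).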

I am only expecting these to show up in the response, not the user profile.

I can extract the response from the service provider logs or from the web traffic; both are identical and missing this attribute.

I am using just the default configuration with updated URLs from the add-on example. Is there something here that could be causing a difference in behavior from your experience?

{
  "audience": "https://127.0.0.1:8443/saml/",
  "recipient": "https://127.0.0.1:8443/saml/assertionConsumerService",
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "groups": "http://schemas.xmlsoap.org/claims/Group"
  },
  "createUpnClaim": true,
  "passthroughClaimsWithNoMapping": true,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": true,
  "signatureAlgorithm": "rsa-sha256",
  "digestAlgorithm": "sha256",
  "destination": "https://127.0.0.1:8443/saml/assertionConsumerService",
  "lifetimeInSeconds": 3600,
  "signResponse": false,
  "typedAttributes": true,
  "includeAttributeNameFormat": true,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
  "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
}

Hi again,

Inside the SAML2 Addon, can you try mapping this flag and let me know if there are any differences?

"mapUnknownClaimsAsIs": true

Kind Regards,
Nik

Unfortunately no change.

Even if the custom attribute is not forwarded in the SAML Response, is it by any chance available in the user's RAW JSON under User Management → Users → Select SAML User → RAW JSON?

Kind Regards,
Nik

No, the attribute is not in the RAW JSON.

Could you send me a DM with the tenant name so I can go ahead and check out the configuration myself?

Kind Regards,
Nik

Hi again!

As far as I have checked on the tenant, the configuration of the SAML add-on looks fine; however, the only issues that I noticed are:

  • The Action in which you add the attribute does not appear to be bound: I can see that it has been deployed but not bound to any trigger.
  • In similar fashion, checking your logs for any login using the SAML connection, the successful logins do not have any Actions Executions logs. Whenever a successful login is performed and there is an Action which triggers, you should have different tabs:
    RAW Data / Context Data / Actions Executions

Could you let me know once you have bound the Action and whether you are still unable to see the attribute? Otherwise, once you have performed another login using the SAML connection, I will check the tenant and the logs again.

Kind Regards,
Nik

Thank you for the pointer. I thought I had already created the trigger when I made the action but apparently I didn’t. The action is now running and I am seeing the attribute.
