SAML Mapbox error - make sure our application username format for Mapbox is an email address

I’m having a problem setting up Mapbox single sign-on. I have added the IdP sign-on URL, which is the SAML Protocol URL, and the Issuer ID, which is shown in the SAML usage tab. My issue is that when I go to test it in Mapbox I get an error which says

"Your username does not appear to be in the form of an email address, please contact your IT admin and let them know your “subject name id” is malformed."

How do I make my username take the form of an email address in Auth0?

Hey @joeogun, Welcome to the Auth0 Community!

Have you tried importing the users using the import/export extension or an import job, with the username set to the email address?

Regards,
Sid

Hey Sid,

I don’t have users to import. I’m using the Auth0 database. But how do I run an import job with the username as an email address?

Thanks for the reply

Oh, and if you mean change the name and run it as an email, then yea, I tried that. But how would I change the username to an email?

@joeogun, To be clear are you looking to get the email address in a particular saml attribute for SAML Mapbox?

@joeogun, have you tried setting the name identifier in your SAML Addon (Auth0 Client) to the email address, to see if this helps for this particular error?

Basically some configuration like this on the add on:

{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  },
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

oh, I’m trying to change the username or user_id to an email address. I don’t know if the saml attribute will do that.

It should go in the SAML Add on

Oh, I have completed that. I have also emailed them to see if they can change something on their side, but they responded with this.

"Erin Quinn (Mapbox)

Oct 27, 2020, 5:04 PM PDT

Hi there,

When you’re setting up Mapbox SSO, the application username (within your Identity Provider) must be in email format.
What our system is expecting would be an address like: first.last@company.com

Based on our logs, the last few instances of the Subject name must be an email address error have an Identity Provider ID where the email address should be, like: "auth0 somestringofnumbersandletters". If you inspect your SAML assertion, it’s there that an email address should be. We recommend updating your application username to be in email format, and trying another SAML login."

So I believe the user_id needs to be changed.

With my change as suggested above, your assertion will have the email address as the Subject name.

Example from my SAML assertion:

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
    sid21test@gtalk.com
  </saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2020-10-28T02:57:36.164Z" Recipient="https://ap-southeast-2.signin.aws.amazon.com/platform/saml/acs/a84fbdbe-98c3-44ee-b725-ea5931a85b1c" InResponseTo="aws_miARJEkmWazP4uVq6pDFcFVAFhhglAvB"></saml:SubjectConfirmationData>
  </saml:SubjectConfirmation>
</saml:Subject>

Can you tell me exactly which part of your SAML assertion is not as expected by Mapbox?


This SAML addon worked! Thanks but now it seems like I need to have a role.


Great! You encountered a new issue?

Yea, it’s saying

“Your login attempt did not contain a role, please contact your IT admin to learn more.”

How do I add a role to the addon?

Not sure which role Mapbox is expecting. Is this a specific SAML attribute it’s expecting? You might have to check with Mapbox regarding this role; in general SAML exchanges I don’t see a role attribute.

OK, I’ll check with them.


You can always customize the Auth0 SAML assertions based on the requirements of the SP.

Got it. All I did was add

{
  "role": [
    "root"
  ]
}

to app_metadata

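Both of the errors in this thread (the Subject NameID not being an email address, and the login not carrying a role) are things you can see for yourself by decoding the SAMLResponse the browser posts to the SP, which is what Mapbox support asked for when they said "inspect your SAML assertion". The script below is an added example, not code from Auth0, Mapbox or the original posts: it decodes a base64 SAMLResponse, reads the NameID format and value, collects any `role` attribute values, and lists what an SP with Mapbox's two requirements would reject. The two sample responses are constructed inline (one with an email NameID and a `role` attribute as the thread ended up with, one with an Auth0 user_id in the `unspecified` format to reproduce the first error); the attribute name `role` and the `http://schemas.auth0.com/role` alias are assumptions about what the SP reads, not something the thread confirms.

```python
"""Decode a SAMLResponse and check it against the two Mapbox requirements from the thread."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumption: the SP looks for the role under one of these attribute names.
ROLE_ATTRS = ("role", "http://schemas.auth0.com/role")


def parse_saml_response(encoded: str) -> ET.Element:
    """Base64-decode the SAMLResponse form field and return its <saml:Assertion>."""
    root = ET.fromstring(base64.b64decode(encoded))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no <saml:Assertion> found (encrypted assertion or malformed response)")
    return assertion


def inspect_assertion(assertion: ET.Element) -> dict:
    """Pull out the NameID format/value and any role attribute values."""
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    fmt = name_id.get("Format", "") if name_id is not None else ""
    roles = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in ROLE_ATTRS:
            roles += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return {"name_id": value, "format": fmt, "roles": roles}


def mapbox_problems(info: dict) -> list:
    """Return findings an SP with Mapbox's rules would reject on; empty means OK."""
    problems = []
    if info["format"] != EMAIL_FORMAT:
        problems.append(f"NameID Format is {info['format'] or '(missing)'}, expected {EMAIL_FORMAT}")
    if not EMAIL_RE.match(info["name_id"]):
        problems.append(f"NameID {info['name_id']!r} is not an email address")
    if not info["roles"]:
        problems.append("assertion carries no role attribute")
    return problems


def build_response(name_id: str, fmt: str, roles: tuple) -> str:
    """Constructed, UNSIGNED SAML Response for offline testing only (never accept one like this in production)."""
    values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    attr_stmt = (
        f'<saml:AttributeStatement><saml:Attribute Name="role">{values}'
        "</saml:Attribute></saml:AttributeStatement>"
    ) if roles else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">'
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>{attr_stmt}'
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


# Constructed samples: what the fixed addon emits, and what the OP's first attempt looked like.
GOOD_RESPONSE = build_response("first.last@company.com", EMAIL_FORMAT, ("root",))
BAD_RESPONSE = build_response("auth0|EXAMPLEUSERID", UNSPECIFIED_FORMAT, ())

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        findings = mapbox_problems(inspect_assertion(parse_saml_response(resp)))
        print(label, "->", findings or "would be accepted")
```

Paste the real SAMLResponse value (from the browser's network tab or a SAML tracer extension) into `parse_saml_response` to see exactly what Auth0 is sending. This is a debugging aid only: it deliberately does not verify the XML signature, audience or validity window, so it must not be used as an SP-side validator.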

Perfect! Glad you have it working now and thanks for sharing with the rest of community!
