SAML Mapping issues - nested JSON mapping possible?

julienc · November 17, 2020, 6:44am

Just created a SAML connection, and the users are logging in and showing up as Empty (empty) in the user logs. Namely, I want the email attribute, which is missing.

I realize this is probably a SAML attribute mapping issue, so I follow the guides that mention SAML attribute mapping. I look at one user’s raw JSON:

{
    "authenticationmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "created_at": "yyyy-mm-dd...",
    "identities": [
        {
            "user_id": "connection_name|abc@example.com",
            "provider": "samlp",
            "connection": "connection_name",
            "isSocial": false
        }
    ],
    "issuer": "...",
    "name": "",
    "nameIdAttributes": {
        "value": "abc@example.com",
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    },
    "nickname": "",
    "picture": "https://cdn.auth0.com/avatars/default.png",
    "sessionIndex": "...",
    "updated_at": "2020-11-17T00:57:27.908Z",
    "user_id": "samlp|connection_name|abc@example.com",
    ...
}

So what I think I want to do is to add a custom mapping to the saml connection. The email attribute is at nameIdAttributes[value], so I try to put the following in the mapping json:

{
  "email": "nameIdAttributes"["value"]
}

But the editor won’t allow me to save as it’s not valid JSON. Is there another way to get the email attribute? I see that it’s also part of the user_id (“abc@example.com”) - is there a way to get the email out of the user_id?

Would appreciate any pointers here! Thanks.

sidharth.chaudhary · November 17, 2020, 10:58pm

Hey @julienc,

The SAML mapping comes from the SAML response sent to Auth0 by the SAML IDP, if you capture a HAR file ( https://auth0.com/docs/troubleshoot/har) we can see the SAML response, in the SAML response we should be able to see the SAML attributes sent by the IDP, the attribute which contains the email can be mapped with the “email” attribute. Users raw JSON will not reflect the attribute correctly.

Can you DM me the HAR file, I can have a look for you as well.

Thanks,
Sid

julienc · November 18, 2020, 7:28pm

Hey Sid,

Thanks for the reply. Will take a look at the HAR file and DM you if I can’t figure that out…

Thanks!

sidharth.chaudhary · November 18, 2020, 11:51pm

Sure, let me know if you face any hiccups!

brandon.craig · November 19, 2020, 9:33pm

Was there a solution? I’m running into this exact same problem.

julienc · January 15, 2021, 1:06am

Hey sidharth.chaudhary, coming back to this:

Is it possible for me to get a HAR file of another user? It seems like the HAR file requires user to record their own HTTP archive.

I ask as this SAML connection is for another organization. Is there no other way to see how the mapping is happening?

sidharth.chaudhary · January 15, 2021, 5:32am

Hey @julienc, Yes HAR file requires the User to record the HTTP network trace on their Browser.
Another way to see the original profile returned by the SAML Idp for a particular SAML connection is to enable the Debug mode on the SAML connection.

Connections -> Enterprise -> SAML -> Your SAML connection -> Settings -> Debug Mode toggle ON

Once you do that every time the user logs in using SAML connection, you will see a log with Warning Label(Type : w) on your tenant logs which will show the original profile returned.

Hope that helps!

julienc · January 15, 2021, 11:25pm

thanks @sidharth.chaudhary, will try that

julienc · January 20, 2021, 3:02am

@sidharth.chaudhary I see the details from the log:

{
  "date": "2021-01-17T....",
  "type": "w",
  "description": "Potential private information exposed. Consider disabling `Debug Mode` for connection as soon as possible.",
  "connection": "connection_name",
  "connection_id": "connection_id",
  "client_id": "client_id",
  "client_name": "client_name",
  "ip": "a.b.c.d",
  "details": {
    "original_profile": "{\"sessionIndex\":\"id....\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"abc@xyz.com\",\"nameIdAttributes\":{\"value\":\"abc@xyz.com\",\"Format\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\"},\"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod\":\"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport\",\"issuer\":\"issuer_id\"}"
  },
  "hostname": "hostname",
  "user_id": "",
  "user_name": "",
  "strategy": "saml",
  "strategy_type": "enterprise",
  "log_id": "log_id",
  "_id": "_id",
  "isMobile": false,
  "user_agent": "Other 0.0.0 / Other 0.0.0"
}

Given the above, if I want to match the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier to user_name and user_email, do I just go to the connection’s Mapping section and add:

{
 "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
 "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
}

EDIT: looks like what I did did the trick!

sidharth.chaudhary · January 20, 2021, 3:38am

@julienc, Is it working for email param as well?