SAML Mapping issues - nested JSON mapping possible?

Just created a SAML connection, and the users are logging in and showing up as Empty (empty) in the user logs. Namely, I want the email attribute, which is missing.

I realize this is probably a SAML attribute mapping issue, so I follow the guides that mention SAML attribute mapping. I look at one user’s raw JSON:

{
    "authenticationmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "created_at": "yyyy-mm-dd...",
    "identities": [
        {
            "user_id": "connection_name|abc@example.com",
            "provider": "samlp",
            "connection": "connection_name",
            "isSocial": false
        }
    ],
    "issuer": "...",
    "name": "",
    "nameIdAttributes": {
        "value": "abc@example.com",
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    },
    "nickname": "",
    "picture": "https://cdn.auth0.com/avatars/default.png",
    "sessionIndex": "...",
    "updated_at": "2020-11-17T00:57:27.908Z",
    "user_id": "samlp|connection_name|abc@example.com",
    ...
}

So what I think I want to do is to add a custom mapping to the saml connection. The email attribute is at nameIdAttributes[value], so I try to put the following in the mapping json:

{
  "email": "nameIdAttributes"["value"]
}

But the editor won’t allow me to save as it’s not valid JSON. Is there another way to get the email attribute? I see that it’s also part of the user_id (“abc@example.com”) - is there a way to get the email out of the user_id?

Would appreciate any pointers here! Thanks.

Hey @julienc,

The SAML mapping comes from the SAML response sent to Auth0 by the SAML IdP. If you capture a HAR file (https://auth0.com/docs/troubleshoot/har), we can see the SAML response, and in the SAML response we should be able to see the SAML attributes sent by the IdP; the attribute which contains the email can be mapped to the “email” attribute. The user's raw JSON will not reflect the attribute correctly.

Can you DM me the HAR file? I can have a look for you as well.

Thanks,
Sid

1 Like

Hey Sid,

Thanks for the reply. Will take a look at the HAR file and DM you if I can’t figure that out…

Thanks!

1 Like

Sure, let me know if you face any hiccups!

Was there a solution? I’m running into this exact same problem.

Hey sidharth.chaudhary, coming back to this:

Is it possible for me to get a HAR file of another user? It seems like the HAR file requires the user to record their own HTTP archive.

I ask as this SAML connection is for another organization. Is there no other way to see how the mapping is happening?

Hey @julienc, yes, the HAR file requires the user to record the HTTP network trace in their browser.
Another way to see the original profile returned by the SAML IdP for a particular SAML connection is to enable Debug Mode on the SAML connection.

Connections -> Enterprise -> SAML -> Your SAML connection -> Settings -> Debug Mode toggle ON

Once you do that, every time a user logs in using the SAML connection you will see a log entry with a Warning label (Type: w) in your tenant logs, which will show the original profile returned.

Hope that helps!

2 Likes

Thanks @sidharth.chaudhary, will try that.

@sidharth.chaudhary I see the details from the log:

{
  "date": "2021-01-17T....",
  "type": "w",
  "description": "Potential private information exposed. Consider disabling `Debug Mode` for connection as soon as possible.",
  "connection": "connection_name",
  "connection_id": "connection_id",
  "client_id": "client_id",
  "client_name": "client_name",
  "ip": "a.b.c.d",
  "details": {
    "original_profile": "{\"sessionIndex\":\"id....\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"abc@xyz.com\",\"nameIdAttributes\":{\"value\":\"abc@xyz.com\",\"Format\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\"},\"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod\":\"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport\",\"issuer\":\"issuer_id\"}"
  },
  "hostname": "hostname",
  "user_id": "",
  "user_name": "",
  "strategy": "saml",
  "strategy_type": "enterprise",
  "log_id": "log_id",
  "_id": "_id",
  "isMobile": false,
  "user_agent": "Other 0.0.0 / Other 0.0.0"
}

Given the above, if I want to map http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier to user_name and user_email, do I just go to the connection’s Mapping section and add:

{
 "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
 "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
}

EDIT: looks like what I did did the trick!

1 Like
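As an added illustration of the two points in this exchange (the `original_profile` in the debug-mode log is JSON stored inside a JSON string, and the mapping keys are flat top-level attribute names, so a nested path like `nameIdAttributes[value]` can never resolve), here is a small checker that reads a log entry shaped like the one above and predicts which profile fields a mapping would fill. This is example code written for this thread, not Auth0's implementation; the sample log entry and the assumption that mapping values are looked up as exact top-level keys are constructed for the example.

```python
import json

# Constructed sample: same shape as the debug-mode log entry in the thread,
# with placeholder values. This is not a captured log.
SAMPLE_LOG = {
    "type": "w",
    "connection": "connection_name",
    "details": {
        "original_profile": json.dumps({
            "sessionIndex": "id-placeholder",
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "abc@xyz.com",
            "nameIdAttributes": {
                "value": "abc@xyz.com",
                "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
            },
            "issuer": "issuer_id",
        })
    },
}

# The mapping that worked in the thread: Auth0 field -> IdP attribute name.
MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
}


def original_profile(log_entry):
    """Return the IdP profile from a debug-mode (type 'w') log entry.
    details.original_profile is itself a JSON document stored as a string,
    so it needs a second json.loads after the log entry has been parsed."""
    details = log_entry.get("details", {})
    if log_entry.get("type") != "w" or "original_profile" not in details:
        raise ValueError("not a SAML debug-mode log entry")
    return json.loads(details["original_profile"])


def apply_mapping(profile, mapping):
    """Resolve a flat mapping against the profile (assumed model: each mapping
    value is looked up as an exact top-level key). Returns (mapped, unresolved);
    a field lands in unresolved when its source key is missing or when the key
    points at a nested object rather than a scalar value."""
    mapped, unresolved = {}, []
    for field, source in mapping.items():
        value = profile.get(source)
        if isinstance(value, (str, int, float, bool)):
            mapped[field] = value
        else:
            unresolved.append(field)
    return mapped, unresolved
```

Running `apply_mapping(original_profile(SAMPLE_LOG), MAPPING)` fills both `email` and `name` from the nameidentifier claim, while a mapping such as `{"email": "nameIdAttributes[value]"}` leaves `email` unresolved because no top-level key has that name.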

@julienc, is it working for the email param as well?