SAML Mapping Issues with Shibboleth

Problem statement

A tenant has been configured with an Enterprise SAML connection:

  • Auth0 has been configured in the role of Service Provider (SP)
  • Shibboleth is acting as the Identity Provider (IdP)

The first_name, last_name, and email_address SAML mappings do not work as expected.

When a user attempts to log in to the application, the following error is thrown.

HTTP 403 Forbidden

Symptoms

If the user profile is inspected, only the username has been captured. The first_name, last_name, and email_address attributes are absent from the user profile, which shows that the SAML attribute mapping process is not working as expected.

NOTE: the application requires the mapping of the email_address because a second level of authorization is performed. The absence of this attribute is the likely reason why the 403 error is encountered.

Troubleshooting

  1. Check the tenant logs for instances of this error condition.
  2. Capture a HAR file of the attempted login flow, up to the point where the HTTP 403 error is encountered. For further information, refer to Generate and Analyze HAR Files. Then use a tool such as SAMLTool to decode and inspect the SAML response returned by the IdP. In this type of fault scenario, one or more of the attributes returned by the IdP will be incorrectly mapped, or will be absent from the response altogether.
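The inspection in step 2 can be scripted. The following Python example is added here and is not part of the original article or of Auth0's or Shibboleth's own code. It decodes the base64 SAMLResponse value as it appears in a HAR entry, lists the attributes the IdP released, and then applies a field map of the kind an SP uses to populate first_name, last_name, and email_address. The sample response and both field maps are constructed for the example; the broken map shows the condition described above (the map refers to friendly names while the IdP releases LDAP OID names, so every profile field comes back missing), and the corrected map resolves it.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the response
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response, shaped like a Shibboleth IdP assertion that
# releases attributes under their LDAP OID names. Signature, conditions and
# timestamps are omitted; this is for attribute inspection only.
SAMPLE_RESPONSE_XML = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn">
        <saml:AttributeValue>Doe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
        <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# In a HAR file the response appears as the base64-encoded SAMLResponse form field.
SAMPLE_SAMLRESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(b64_field: str) -> str:
    """Turn the SAMLResponse POST parameter from a HAR entry back into XML text."""
    return base64.b64decode(b64_field).decode("utf-8")


def extract_attributes(xml_text: str) -> dict:
    """Return {attribute Name: {"friendly": FriendlyName, "values": [...]}}.

    Matching is keyed on the Name attribute, which is the identifier the SAML
    spec defines; FriendlyName is informational and is kept only for display.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = {"friendly": attr.get("FriendlyName"), "values": values}
    return attrs


def apply_field_map(attrs: dict, field_map: dict) -> tuple:
    """Map profile fields to IdP attribute names, as an SP's mapping config does.

    field_map is {profile_field: saml_attribute_name}. Returns (profile, missing),
    where missing lists the profile fields whose mapped attribute was not in the
    assertion; that is the condition behind the empty profile fields above.
    """
    profile, missing = {}, []
    for field, saml_name in field_map.items():
        entry = attrs.get(saml_name)
        if entry and entry["values"]:
            profile[field] = entry["values"][0]
        else:
            missing.append(field)
    return profile, missing


# Constructed map that refers to attributes by friendly name. The IdP released
# them under OID names, so nothing matches and the profile ends up empty.
BROKEN_FIELD_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email_address": "mail",
}

# Constructed corrected map using the Name values actually present in the assertion.
FIXED_FIELD_MAP = {
    "first_name": "urn:oid:2.5.4.42",
    "last_name": "urn:oid:2.5.4.4",
    "email_address": "urn:oid:0.9.2342.19200300.100.1.3",
}


def diagnose(b64_field: str, field_map: dict) -> tuple:
    """Decode, extract and map in one step, mirroring the troubleshooting flow."""
    attrs = extract_attributes(decode_saml_response(b64_field))
    return apply_field_map(attrs, field_map)


if __name__ == "__main__":
    for name, entry in extract_attributes(SAMPLE_RESPONSE_XML).items():
        print(f"{name} ({entry['friendly']}): {entry['values']}")
    for label, fmap in (("broken", BROKEN_FIELD_MAP), ("fixed", FIXED_FIELD_MAP)):
        profile, missing = diagnose(SAMPLE_SAMLRESPONSE_B64, fmap)
        print(f"{label} mapping -> profile={profile} missing={missing}")
```

The useful output is the missing list: when it names email_address, the second-level authorization that depends on that attribute has nothing to evaluate, which matches the 403 observed. Comparing the Name values printed from the decoded response against the names in the SP's field map is the quickest way to spot a mismatch of this kind.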

Cause

In this sample case, several attributes that originated with the Identity Provider (Shibboleth) had not been correctly mapped. Specifically, these were the first_name, last_name, and email_address attributes.

Solution

This type of attribute mapping problem is not specific to Shibboleth. It may be encountered when using other types of Identity Providers.

To implement the desired attribute mappings, follow the instructions in User Profile Attributes are Incorrect.

Related References