SAML User with IdP-Initiated is Not Sending the Email in the ID Token

rueben.tiow · March 8, 2024, 9:59pm

Problem statement

SAML user profile contains email, but when the user tries to log in with the IdP-initiated flow, the generated ID token does not contain email.

Solution

The Query String in the IdP-initiated flow (Dashboard > Authentication > Enterprise > SAML > select the specific SAML connection (tinuiti in this case) > IdP-initiated SSO tab > IdP-initiated SSO Behavior > Query String )
should include protocol-specific values, such as scope, response_type, redirect_uri, and audience. These values should match the ones the application expects when using an SP-initiated flow.

The email attribute should be present in the token if the email is included in the requested scope.

For example:

scope=openid email profile

Topic		Replies	Views
SAML as Service Provider - Missing Profile Help saml , profile , scope	2	4029	September 3, 2019
Email missing in idtoken for idp initiated SSO login using ADFS Help adfs , idp-initiated	6	4774	July 2, 2019
Problem with IdP-initated SAML login flow Help connections , saml-enterprise-connection	0	892	April 11, 2023
IdP-Initiated SSO Behaving differently with Google Workspaces Help saml2 , idp-initiated	0	2075	May 12, 2022
Flow for IDP Initiated SSO/SAML Help saml , idp-initiated	2	4597	December 24, 2018

SAML User with IdP-Initiated is Not Sending the Email in the ID Token

Problem statement

Solution

Related Topics