Save a SAML Assertion Attribute to User or App Metadata Using Actions

Knowledge Articles
, , , ,
1

Last Updated: Jul 25, 2025

Overview

This article provides methods to map a Security Assertion Markup Language (SAML) assertion attribute to a user’s user_metadata or app_metadata upon login. The solution can be implemented using either Actions or Rules.

Applies To

  • SAML Assertion Attribute
  • Actions
  • Rules

Solution

There are two methods to save a SAML assertion attribute: an Action or a Rule. Actions are the recommended solution, as Rules are being deprecated. See Auth0 Rules for more details.

1. Using an Action

Create a new Action with a post-login trigger including the following code.

Replace the following placeholders in the script:

  • <CONNECTION_ID>: The connection ID of the SAML connection.
  • <METADATA_NAME>: The name to save the value under in the user’s metadata.
  • <ASSERTION_VALUE>: The assertion value to map into the user’s metadata.

Note: each api.user.set function call saves a single field. Duplicate the lines as needed to save additional fields.

exports.onContinuePostLogin = async (event, api) => {
  if (event.connection.id === "{CONNECTION_ID}") {
    api.user.setAppMetadata('{METADATA_NAME}', event.user.{ASSERTION_VALUE});
    api.user.setUserMetadata('{METADATA_NAME}', event.user.{ASSERTION_VALUE});
  }
};

2. Using a Rule

NOTE: Rules are being deprecated and will be at EOL on November 18, 2026.

Create a new Rule using the following code.

Replace the following placeholders in the script:

  • <CONNECTION_ID>: The connection ID of the SAML connection.
  • <ASSERTION_VALUE>: The assertion value to map into the user’s metadata.
  • <METADATA_NAME>: The name to save the value under in the user’s metadata.

Note: to save to app_metadata, change the updateUserMetadata function to updateAppMetadata.

function (user, context, callback) {
  user.user_metadata = user.user_metadata || {};

  if (context.connectionID !== '{CONNECTION_ID}') return callback(null, user, context);
  
  user.user_metadata.{METADATA_NAME} = user.{ASSERTION_VALUE};
  
  // persist the user_metadata update
  auth0.users.updateUserMetadata(user.user_id, user.user_metadata)
    .then(function(){
      callback(null, user, context);
    })
    .catch(function(err){
      callback(err);
    });
}