Last Updated: Jul 25, 2025
Overview
This article provides methods to map a Security Assertion Markup Language (SAML) assertion attribute to a user’s user_metadata or app_metadata upon login. The solution can be implemented using either Actions or Rules.
Applies To
- SAML Assertion Attribute
- Actions
- Rules
Solution
There are two methods to save a SAML assertion attribute: an Action or a Rule. Actions are the recommended solution, as Rules are being deprecated. See Auth0 Rules for more details.
1. Using an Action
Create a new Action with a post-login trigger and add the following code.
Replace the following placeholders in the script:
- {CONNECTION_ID}: The connection ID of the SAML connection.
- {METADATA_NAME}: The name to save the value under in the user’s metadata.
- {ASSERTION_VALUE}: The assertion value to map into the user’s metadata.
Note: each api.user.setAppMetadata or api.user.setUserMetadata call saves a single field. Duplicate the lines as needed to save additional fields.
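// onExecutePostLogin runs on every login; onContinuePostLogin only runs when resuming after a redirect.
exports.onExecutePostLogin = async (event, api) => {
  // Only act on logins through the SAML connection
  if (event.connection.id === "{CONNECTION_ID}") {
    // Save the assertion value to app_metadata
    api.user.setAppMetadata('{METADATA_NAME}', event.user.{ASSERTION_VALUE});
    // Save the assertion value to user_metadata
    api.user.setUserMetadata('{METADATA_NAME}', event.user.{ASSERTION_VALUE});
  }
};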
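A stricter variant of the Action above, as an added example rather than Auth0's own code: it validates each assertion attribute before storing it, skips values that have not changed, and writes only to app_metadata, which users cannot edit themselves. The connection ID, attribute names, metadata keys and 128-character limit are assumed placeholders, and `sanitize`, `mapAssertion` and `demo` are hypothetical helper names.

```javascript
// Added example; connection ID, attribute names and length limit are assumed values.
const SAML_CONNECTION_ID = 'con_EXAMPLE';
// Assertion attribute on event.user -> app_metadata key.
const ATTRIBUTE_MAP = { department: 'department', employeeNumber: 'employee_id' };
const MAX_LEN = 128;

// Return a trimmed string, or null when the attribute is missing or malformed.
function sanitize(raw) {
  // Assumption: a single-valued attribute may arrive as a one-element array.
  const value = Array.isArray(raw) && raw.length === 1 ? raw[0] : raw;
  if (typeof value !== 'string') return null;
  const trimmed = value.trim();
  if (trimmed.length === 0 || trimmed.length > MAX_LEN) return null;
  if (/[\u0000-\u001f\u007f]/.test(trimmed)) return null; // control characters
  return trimmed;
}

// Copy validated attributes into app_metadata; returns the keys written.
function mapAssertion(event, api) {
  const written = [];
  if (event.connection.id !== SAML_CONNECTION_ID) return written;
  const current = event.user.app_metadata || {};
  for (const [attribute, key] of Object.entries(ATTRIBUTE_MAP)) {
    const value = sanitize(event.user[attribute]);
    if (value === null) continue; // never store missing or malformed input
    if (current[key] === value) continue; // unchanged, skip the write
    api.user.setAppMetadata(key, value);
    written.push(key);
  }
  return written;
}

async function onExecutePostLogin(event, api) {
  mapAssertion(event, api);
}
// Actions load the handler from exports; the guard lets the file run elsewhere too.
if (typeof exports === 'object') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed login event and a stub api that records writes.
function demo() {
  const calls = [];
  const api = { user: { setAppMetadata: (k, v) => calls.push([k, v]) } };
  const user = { app_metadata: {}, department: [' Finance '], employeeNumber: 'x'.repeat(500) };
  mapAssertion({ connection: { id: SAML_CONNECTION_ID }, user }, api);
  return calls;
}
```

In the constructed event, the oversized employeeNumber is dropped and only the trimmed department value is written.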
2. Using a Rule
NOTE: Rules are being deprecated and will reach end of life (EOL) on November 18, 2026.
Create a new Rule using the following code.
Replace the following placeholders in the script:
- {CONNECTION_ID}: The connection ID of the SAML connection.
- {ASSERTION_VALUE}: The assertion value to map into the user’s metadata.
- {METADATA_NAME}: The name to save the value under in the user’s metadata.
Note: to save to app_metadata, change the updateUserMetadata function to updateAppMetadata.
function (user, context, callback) {
  user.user_metadata = user.user_metadata || {};
  // Skip logins that did not come through the SAML connection
  if (context.connectionID !== '{CONNECTION_ID}') return callback(null, user, context);
  // Copy the assertion value into user_metadata
  user.user_metadata.{METADATA_NAME} = user.{ASSERTION_VALUE};
  // Persist the user_metadata update
  auth0.users.updateUserMetadata(user.user_id, user.user_metadata)
    .then(function () {
      callback(null, user, context);
    })
    .catch(function (err) {
      callback(err);
    });
}