Send Auth0 Id as identifier instead of email after authentication is successful

Hi all

So, we use Auth0 to identify our users (SAML2 Web App); the users will use an email + password to authenticate. Once the user is authenticated, we will send the email as the unique identifier to our end system.

The mappings look like this:

{
  "mappings": {
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userName",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userEmail"
  }
}

Is it possible to send/map the Auth0 Id directly in the callback?

e.g. "userid": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userId"

The SAML assertion has a list of attributes (generic claims about the user) and a “Name Identifier” to identify the user. Auth0 lets you specify all the attributes with the mappings object, and then you have the nameIdentifierProbes array to tell which attribute (of those mapped) you want to use as the name identifier. So you could have:

{
  "mappings": {
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userName",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userEmail",
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  },
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  ]
}

The attribute names are arbitrary, but those are commonly used ones. The nameIdentifierProbes is an array because it lets you specify fallbacks (if the first attribute doesn’t have a value then use the second one, and so on). In this case, though, the user_id property will always have a value, meaning that the mapped http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier attribute will always have a value too and thus you don’t need a fallback.

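To make the mapping and probe behaviour from the answer concrete, here is an added example (not Auth0's own code) that models how the "mappings" object turns a user profile into SAML attributes and how "nameIdentifierProbes" is walked in order to pick the NameID. The profile values and the second (email) probe are constructed for illustration; the resolver functions are hypothetical stand-ins for what the identity provider does.

```javascript
// Added example: models the page's mappings / nameIdentifierProbes semantics.
// The second probe is included only to show the fallback order; with user_id
// always populated it is never reached, as the answer explains.
const samlConfig = {
  mappings: {
    name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userName",
    email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userEmail",
    user_id: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
  },
  nameIdentifierProbes: [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userEmail",
  ],
};

// Build the attribute statement: profile property -> mapped SAML attribute name.
// Properties without a value are omitted, the way an empty claim would be.
function buildAttributes(mappings, profile) {
  const attributes = {};
  for (const [property, attributeName] of Object.entries(mappings)) {
    const value = profile[property];
    if (value !== undefined && value !== null && value !== "") {
      attributes[attributeName] = value;
    }
  }
  return attributes;
}

// Walk the probes in order; the first mapped attribute that has a value becomes
// the NameID. null means no probe matched and no NameID could be issued.
function resolveNameId(probes, attributes) {
  for (const attributeName of probes) {
    if (Object.prototype.hasOwnProperty.call(attributes, attributeName)) {
      return { attribute: attributeName, value: attributes[attributeName] };
    }
  }
  return null;
}

// Constructed sample profile (placeholder user_id): the first probe wins.
const sampleProfile = {
  user_id: "auth0|PLACEHOLDER_USER_ID",
  email: "alice@example.com",
  name: "Alice",
};
const sampleAttributes = buildAttributes(samlConfig.mappings, sampleProfile);
const sampleNameId = resolveNameId(samlConfig.nameIdentifierProbes, sampleAttributes);
```

A relying party that keys accounts on the NameID should expect the stable user_id value here, not the email, so a later email change on the Auth0 side does not create a second account.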