Send roles as part of SAML assertion when Auth0 is the IdP

Problem statement

I’m trying to send a list of the roles that the user is a member of when sending the SAML assertion. In this case Auth0 is the Identity Provider and the users and roles are configured locally. Can this be set in the SAML2 Web App add-on?

Solution

Unfortunately, it’s not possible to map authorization attributes such as Roles in the SAML Web add-on settings; you need to customize the SAML assertions using Rules, as described here:

However, please note that, as mentioned in the documentation, when the context.samlConfiguration.mappings object is used to override default SAML attributes or add new attributes, the object keys are the name of the SAML attribute to override or add and the values are a string of the user object property to use as the attribute value.

Since the roles are in the context object instead (context.authorization.roles), a workaround is injecting a temporary field into the user object (just make sure to NOT save it after this):

function (user, context, callback) {
  // Make sure user_metadata exists before adding the temporary field
  user.user_metadata = user.user_metadata || {};
  // Copy the roles from the context object onto the user object (not persisted)
  user.user_metadata.temp_roles = context.authorization && context.authorization.roles || [];
  // Map the SAML attribute name to the user object property holding the roles
  context.samlConfiguration.mappings = {
    "http://schemas.xmlsoap.org/claims/roles": "user_metadata.temp_roles",
  };
  callback(null, user, context);
}

With the above example, you will be able to send the roles in the “http://schemas.xmlsoap.org/claims/roles” attribute in the SAML assertion. Just keep in mind that setting the samlConfiguration object in a Rule will override the mappings you have in the SAML2 Web add-on, so you will need to add all the necessary mappings in the Rule instead (if you had any others).
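As an added example (not code from the original post or from Auth0), the same Rule pattern extended to carry the add-on's other mappings alongside the roles attribute, since setting context.samlConfiguration.mappings replaces the add-on's list; the email and name claim URIs, the sample users and the roles are assumptions of this example.

```javascript
// Added example: an Auth0 Rule that maps roles into the SAML assertion while
// re-declaring the mappings the SAML2 Web App add-on would otherwise have applied.
// The claim URIs below are this example's own choices, not values the page prescribes.
function addRolesToSamlAssertion(user, context, callback) {
  // Mappings normally supplied by the add-on; once a Rule sets
  // context.samlConfiguration.mappings, these have to be listed here too.
  const baseMappings = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "name",
  };

  // Roles live on the context, not the user object, so copy them into a
  // temporary user_metadata field the mapping can reference. Nothing here
  // persists the user object, so the field only exists for this transaction.
  const roles = (context.authorization && context.authorization.roles) || [];
  user.user_metadata = user.user_metadata || {};
  user.user_metadata.temp_roles = roles;

  context.samlConfiguration = context.samlConfiguration || {};
  context.samlConfiguration.mappings = Object.assign({}, baseMappings, {
    "http://schemas.xmlsoap.org/claims/roles": "user_metadata.temp_roles",
  });

  return callback(null, user, context);
}

// Constructed sample input standing in for what Auth0 passes to a Rule.
function runSample() {
  const user = { email: "alice@example.com", name: "Alice", user_metadata: { plan: "pro" } };
  const context = { authorization: { roles: ["admin", "auditor"] }, samlConfiguration: {} };
  let result;
  addRolesToSamlAssertion(user, context, (err, u, c) => { result = { err, user: u, context: c }; });
  return result;
}

// Same Rule for a constructed user with no roles and no samlConfiguration yet:
// the roles attribute still maps, to an empty list.
function runSampleNoRoles() {
  const user = { email: "bob@example.com", name: "Bob" };
  const context = {};
  let result;
  addRolesToSamlAssertion(user, context, (err, u, c) => { result = { err, user: u, context: c }; });
  return result;
}
```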
