Last Updated: Nov 12, 2024
Overview
This article discusses the scenario where it is desired to send a list of Roles that a user is a member of when sending the SAML assertion. Auth0 is the Identity Provider, and the users and roles are configured locally. The article clarifies whether it is possible for this to be sent in the SAML2 Web App Addon.
Applies To
- SAML
- Web App Addon
Solution
Unfortunately, authorization attributes such as Roles cannot be mapped in the SAML Web Addon settings. The SAML assertions must be customized using Rules, as described here: Customize SAML Assertions.
However, note that, as the documentation states, when the context.samlConfiguration.mappings object is used to override default SAML attributes or add new ones, the object keys are the names of the SAML attributes to override or add, and the values are strings naming the user object property to use as the attribute value.
Since the Roles live in the context object instead (context.authorization.roles), a workaround is to inject a temporary field into the user object (just make sure NOT to persist it afterwards):
function (user, context, callback) {
  // Make sure user_metadata exists before adding the temporary field.
  user.user_metadata = user.user_metadata || {};
  // Roles are on the context, not the user; fall back to an empty list when absent.
  // This field is only set on the in-memory user for this login; do not save it.
  user.user_metadata.temp_roles = context.authorization && context.authorization.roles || [];
  // Mapping values must name a user property, so point the attribute at the temp field.
  context.samlConfiguration.mappings = {
    "http://schemas.xmlsoap.org/claims/roles": "user_metadata.temp_roles",
  };
  callback(null, user, context);
}
With the above example, the Roles are sent in the "http://schemas.xmlsoap.org/claims/roles" attribute of the SAML assertion. Keep in mind that setting the samlConfiguration object in a Rule overrides the mappings configured in the SAML2 Web App addon, so every other mapping the application needs must also be added in the Rule.
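As an added example (not Auth0's code or the Rule from this article), the following Rule combines the two points above: it copies the Roles into a temporary user_metadata field and, because assigning context.samlConfiguration.mappings discards the addon's own mappings, it restates the other attributes the application needs in the same object. The email and name attribute URIs in OTHER_MAPPINGS, the helper names, and the user/context objects used to exercise it are constructed for this example; only the roles attribute URI and the user_metadata.temp_roles path come from the article.

```javascript
'use strict';

// Attributes the SAML2 Web App addon would otherwise have mapped. They are
// restated here so they survive the override. Keys and values are constructed
// for this example; use whatever the application actually requires.
const OTHER_MAPPINGS = {
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'email',
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'name',
};

// Attribute name from the article.
const ROLES_ATTRIBUTE = 'http://schemas.xmlsoap.org/claims/roles';

// The Rule itself. In Auth0 this is the function body saved as a Rule;
// here it is a named function so it can be run offline.
function samlRolesRule(user, context, callback) {
  // Roles live on the context, not the user; default to an empty list when
  // nothing has populated context.authorization.
  const roles = (context.authorization && context.authorization.roles) || [];

  // Temporary field on the in-memory user object only. Existing metadata is
  // kept; nothing is written back to the stored profile (no Management API
  // or updateUserMetadata call), so temp_roles exists just for this login.
  user.user_metadata = Object.assign({}, user.user_metadata, { temp_roles: roles });

  // This assignment replaces the addon's mappings, so every required
  // attribute is listed alongside the roles attribute.
  context.samlConfiguration = context.samlConfiguration || {};
  context.samlConfiguration.mappings = Object.assign({}, OTHER_MAPPINGS, {
    [ROLES_ATTRIBUTE]: 'user_metadata.temp_roles',
  });

  return callback(null, user, context);
}

// Offline harness (constructed for this example): runs the Rule on plain
// objects and returns what it handed to callback, so the resulting mappings
// and user_metadata can be inspected without an Auth0 tenant.
function runRuleOffline(user, context) {
  let result;
  samlRolesRule(user, context, (err, u, c) => {
    result = { err, user: u, context: c };
  });
  return result;
}

// Resolve a mapping value such as 'user_metadata.temp_roles' against the user
// object, mirroring the rule that the value names a user property.
function resolveAttribute(user, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), user);
}

// Stand-alone run on constructed input.
const demo = runRuleOffline(
  { email: 'alice@example.com', name: 'Alice', user_metadata: { plan: 'pro' } },
  { authorization: { roles: ['admin', 'editor'] }, samlConfiguration: { mappings: { legacy: 'nickname' } } }
);
console.log(demo.context.samlConfiguration.mappings);
console.log(resolveAttribute(demo.user, demo.context.samlConfiguration.mappings[ROLES_ATTRIBUTE]));
```

Running the block shows that the addon-style mapping present before the Rule ran (legacy above) is gone from the result, which is exactly why OTHER_MAPPINGS has to be spelled out in the Rule, and that the roles attribute resolves to the list taken from context.authorization.roles.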