SetCustomClaim returns a claim with attribute name containing semicolons instead of dots

Hi!
I'm trying to return claims to a SAML2 client that include a custom claim "https://myapp.example.com/favorite_color".
The response returned to the client contains a claim whose name contains semicolons, like "http://schemas.auth0.com/https://myapp;example;com/favorite_color" or "https://myapp;example;com/favorite_color", depending on the mapUnknownClaimsAsIs setting. See code and result below.

Questions:

  1. How do I set a custom namespaced claim in my onExecutePostLogin action?
  2. Are there any other settings I need to set on my application?

Code:
exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://myapp.example.com';

  if (event.authorization) {
    // Set claims (template literal builds the namespaced claim name)
    api.idToken.setCustomClaim(`${namespace}/favorite_color`, 'blue');
  }
};

Result (first with mapUnknownClaimsAsIs=true, then with mapUnknownClaimsAsIs=false):
<saml:Attribute Name="https://myapp;example;com/favorite_color" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">blue</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://schemas.auth0.com/https://myapp;example;com/favorite_color">
  <saml:AttributeValue xsi:type="xs:string">blue</saml:AttributeValue>
</saml:Attribute>

Hi @ivar.skjoldnes

Welcome to the Auth0 Community.

Actions do not currently support altering SAML response mappings, as per our docs here: https://auth0.com/docs/customize/actions/limitations

You can use Rules though until Actions reaches parity.

Assume I have the following metadata configured against a user account:

I can add these values into the SAML response that I send out via a rule like this:

function mapSamlAttributes(user, context, callback) {
  context.samlConfiguration.mappings = {
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/food':
      'user_metadata.favorite_food',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/fullname':
      'user_metadata.full_name',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/address':
      'app_metadata.shipping_address'
  };

  callback(null, user, context);
}

This results in the below when I perform a login via SAML using the same user account:

I hope this helps.

Warm regards.
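To see what a context.samlConfiguration.mappings object like the one in the rule above actually produces, here is an added example (not code from the post or from Auth0) that resolves each mapping's dotted source path against a constructed sample user profile and lists the attributes that would be emitted; the user object and the extra namespaced claim entries are assumptions for illustration.

```javascript
// Added example: resolve a samlConfiguration.mappings object (SAML attribute
// name -> dotted path into the user profile) the way the rule above declares it.
// Not Auth0's own code; sampleUser is constructed data.

// Walk a dotted path such as 'user_metadata.favorite_food' through an object,
// returning undefined if any segment is missing instead of throwing.
function resolvePath(obj, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Return [{ name, value }] for every mapping whose source path resolves to a
// value; mappings that point at missing profile fields are skipped rather than
// emitted as empty attributes.
function resolveSamlMappings(user, mappings) {
  const attributes = [];
  for (const [attributeName, sourcePath] of Object.entries(mappings)) {
    const value = resolvePath(user, sourcePath);
    if (value === undefined || value === null) continue;
    attributes.push({ name: attributeName, value: String(value) });
  }
  return attributes;
}

// Constructed sample profile, shaped like the user object a rule receives.
const sampleUser = {
  email: 'jane@example.com',
  user_metadata: { favorite_food: 'pizza', full_name: 'Jane Doe', favorite_color: 'blue' },
  app_metadata: { shipping_address: '1 Main St' },
};

// The three mappings from the rule above, plus the namespaced claim from the
// question and one deliberately unresolvable path (both assumed for the demo).
const sampleMappings = {
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/food': 'user_metadata.favorite_food',
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/fullname': 'user_metadata.full_name',
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/address': 'app_metadata.shipping_address',
  'https://myapp.example.com/favorite_color': 'user_metadata.favorite_color',
  'https://myapp.example.com/missing': 'user_metadata.does_not_exist',
};

console.log(resolveSamlMappings(sampleUser, sampleMappings));
```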
