Temporarily Editing or Anonymising User Attributes Using Actions for Custom SAML Assertion

Problem statement

There is a requirement to anonymize user PII (for example nickname, name or email) before it is sent to the service provider in the SAML assertion.

Solution

Actions can send custom or calculated values as SAML attributes instead of the stored user data. For example, the Action below sends a redacted nickname claim in the SAML assertion:

exports.onExecutePostLogin = async (event, api) => {
   const anonStr = 'Anonymous';
   const anonNickname = anonStr + ' ' + anonStr;

   api.samlResponse.setAttribute("http://schemas.auth0.com/nickname", anonNickname);
};

User attributes can also be modified at runtime within the context of an individual Action, but these changes do not persist between Actions in the flow and are not written back to the user profile: the event object is read-only, so the reassignment below only affects the value read later in the same Action.

exports.onExecutePostLogin = async (event, api) => {
   const anonStr = 'Anonymous';
   event.user.nickname = anonStr + ' ' + anonStr;

   api.samlResponse.setAttribute("http://schemas.auth0.com/nickname", event.user.nickname);
};