The Auth0 SAML IDP does not add custom claims

Hi,

I am working on a demo and have created a SAML IDP and a SAML SP, both on Auth0. From the SAML IDP I want to have some custom claims, which I have put in the user metadata as such:

{
  "app_roles": [
    "admin",
    "basic"
  ]
}

In the SAML addon settings for the application, I have

{
  "passthroughClaimsWithNoMapping": true,
  "mapUnknownClaimsAsIs": true
}

In the rules I have

function (user, context, callback) {
  context.samlConfiguration.lifetimeInSeconds = 36000;

  context.samlConfiguration.mappings = {
      ...context.samlConfiguration.mappings,
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/app_roles": user.user_metadata.app_roles
  };
  callback(null, user, context);
}

When I am authenticated in the browser and see the SAML response at the callback URL https://my-saml-test-sp.eu.auth0.com/login/callback?connection=saml-idp, the custom claims are missing. Can someone please guide me with what I am missing?

Kind regards

Commenting for better reach.

Unsure if this helps, but I was dealing with something similar and found success by formatting the mappings in my rule as:

context.samlConfiguration.mappings = {
'schema-for-custom-attribute-in-user_metadata': 'user_metadata.attribute'
};

So in your case, what happens if you try:

context.samlConfiguration.mappings = {
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/app_roles': 'user_metadata.app_roles'
};

Does that make a difference?

(Full disclosure, I’m very green with Auth0 and I’m still learning - I’m honestly unsure why what I have is working compared to what you have above, but I ended up stumbling on success earlier today with this.)

Updating because I believe I found it in the documentation:

The context.samlConfiguration.mappings object is used to override default SAML attributes or add new attributes. The object keys are the name of the SAML attribute to override or add and the values are a string of the user object property to use as the attribute value.

So when you are updating context.samlConfiguration.mappings, you don’t need “user.” because it’s implied. And I believe the quotes are needed around it because this is only acting as a mapping to dynamically pull from the user account.

Also, user_metadata is something the user can modify, so it seems your app_roles is better suited for app_metadata. Which, double bonus, means you don’t need to put "app_metadata.attribute" in your rule, you can just put in "attribute", so that can clean it up a bit.

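The two points made in the answer above (the mapping value is a string path into the user object, not the value itself, and roles belong in app_metadata because user_metadata is user-editable) can be shown side by side. The following is an added example, not code from the thread and not Auth0's own implementation: the rule is written in the (user, context, callback) shape Auth0 rules use, while resolvePath and buildSamlAttributes are a simulation of how a string mapping is resolved against the user object, which is an assumption about that behaviour. The default mapping, the user record and its metadata are constructed sample data.

```javascript
// Full SAML attribute name used in the thread for the roles claim.
const APP_ROLES_CLAIM = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/app_roles';

// Rule in the Auth0 rule shape (user, context, callback). The mapping VALUE is a
// string path into the user object, not the value. Roles are read from app_metadata,
// which only the tenant can edit, rather than from user-editable user_metadata.
function appRolesRule(user, context, callback) {
  context.samlConfiguration = context.samlConfiguration || {};
  context.samlConfiguration.lifetimeInSeconds = 36000;
  context.samlConfiguration.mappings = Object.assign({}, context.samlConfiguration.mappings, {
    [APP_ROLES_CLAIM]: 'app_metadata.app_roles',
  });
  callback(null, user, context);
}

// Assumption (simulation, not Auth0 code): a mapping value is a dotted path
// resolved against the user object, e.g. 'app_metadata.app_roles'.
function resolvePath(obj, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Simulation: turn the mappings into the attributes that would be emitted. A mapping
// whose value is not a string (e.g. the array from the original rule) is not a path,
// so it yields no attribute; that is the "claims are missing" symptom of the thread.
function buildSamlAttributes(user, mappings) {
  const attrs = {};
  for (const [attrName, mapping] of Object.entries(mappings)) {
    if (typeof mapping !== 'string') continue;
    const value = resolvePath(user, mapping);
    if (value !== undefined) attrs[attrName] = value;
  }
  return attrs;
}

// Constructed sample user: note the user-editable copy of app_roles in user_metadata
// differs from the tenant-controlled copy in app_metadata.
const sampleUser = {
  email: 'alice@example.com',
  user_metadata: { app_roles: ['admin', 'basic'] }, // user-editable, not trusted for roles
  app_metadata: { app_roles: ['basic'] },           // tenant-controlled
};

// Constructed default mapping standing in for whatever the tenant already has.
function defaultContext() {
  return { samlConfiguration: { mappings: { 'constructed/email': 'email' } } };
}

// Run the rule and return the simulated attribute set.
function runRule(user) {
  const context = defaultContext();
  let result;
  appRolesRule(user, context, (err, u, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return buildSamlAttributes(user, result.samlConfiguration.mappings);
}

// The original rule's mistake, for comparison: passing the value instead of a path.
function runValueMapping(user) {
  const mappings = { [APP_ROLES_CLAIM]: user.user_metadata.app_roles };
  return buildSamlAttributes(user, mappings);
}

console.log('path mapping  :', runRule(sampleUser));
console.log('value mapping :', runValueMapping(sampleUser));
```

Under the path form the emitted roles come from app_metadata (['basic'] here), the pre-existing default mapping is preserved by the Object.assign, and the value form produces no roles attribute at all.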

That is correct! Thanks for sharing it with the rest of community!