Transforming SAML token attributes

Hi there,

I’m using the SAML2 Web App addon to provide identity for another system that I have limited control over, and am running into an issue I’m struggling to find a nice solution for.

I’ve got some claims sitting in the app_metadata of my users that I need to provide to the SAML token, but this claims data is structured differently inside app_metadata than the other system is expecting to receive.

My app metadata for a user might look something like this:

{
  "claims": [
    {
      "type": "groupId",
      "value": "1"
    },
    {
      "type": "groupId",
      "value": "2"
    },
    {
      "type": "someOtherClaimType",
      "value": "foo"
    }
  ]
}

whereas I want to be providing a string array of groupIds into the SAML token:

"groupIds": ["1", "2"]

E.g. filtering to the claims of a certain type, and flattening out the values into an array.

The documentation Customize SAML Assertions goes into providing data mappings and suggests using Rules for more complicated mapping behaviour.
But even in that scenario it seemed to be about providing a static mapping between fields on an Auth0 profile and the output attributes in the SAML token, rather than providing logic to transform/filter those profile fields on the fly.

What I’d ideally like to be able to do is have a JavaScript code snippet sitting in a Rule that ran when someone logged in and built up the correct output attribute.
What I’ve got at the moment is a rule that builds up my attribute in the right format and persistently saves it back to the profile’s app metadata, so that the static mapping can point to this additional transformed version of my claims when building out the SAML token.

This works, but feels like a poor solution. I have to store duplicate data against the profile that might temporarily be out of sync and is a bit confusing as to what the authoritative source of the claims data is, and I have to perform additional profile update requests on login for data I don’t really care about storing.

Wondering if anyone has come across similar issues or could point me in the direction of any options I might have missed.
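Added example (not code from the original post or from Auth0): a pure filter-and-flatten transform, wrapped in a function with the Auth0 Rule signature `(user, context, callback)`. The `context.samlConfiguration.mappings` object and its "SAML attribute name to user field" shape come from Auth0's Customize SAML Assertions documentation; the attribute name `groupIds`, the helper names, and the assumption that the SAML addon resolves mapping sources against the user object as it exists after Rules have run (so a field set in memory during login, without any write back to `app_metadata`, can be mapped) are this example's own.

```javascript
// Added example, not from the original post or from Auth0.
// Assumptions: the Rule signature (user, context, callback) and
// context.samlConfiguration.mappings as documented by Auth0; the attribute
// name "groupIds" and the claim type filter are this example's own choices.

// Return the values of every claim in app_metadata.claims whose type matches.
// A missing app_metadata, a missing or non-array claims list, or a claim
// without a string value yields [] (or skips that claim) instead of throwing,
// so a malformed profile cannot break the login.
function claimValuesOfType(appMetadata, claimType) {
  const claims =
    appMetadata && Array.isArray(appMetadata.claims) ? appMetadata.claims : [];
  return claims
    .filter((c) => c && c.type === claimType && typeof c.value === 'string')
    .map((c) => c.value);
}

// Rule body. The computed array is set on the in-memory user object for this
// login only (nothing is persisted to app_metadata), and the SAML mapping is
// pointed at that transient field. Assumption: the SAML addon reads mapping
// sources from the user object after Rules have run.
function addSamlGroupIds(user, context, callback) {
  user.groupIds = claimValuesOfType(user.app_metadata, 'groupId');

  context.samlConfiguration = context.samlConfiguration || {};
  context.samlConfiguration.mappings = Object.assign(
    {},
    context.samlConfiguration.mappings,
    { groupIds: 'groupIds' } // SAML attribute name -> user field holding the array
  );

  return callback(null, user, context);
}

// Constructed sample login, mirroring the app_metadata shown in the post.
function runSample() {
  const user = {
    user_id: 'auth0|example-user', // constructed placeholder id
    app_metadata: {
      claims: [
        { type: 'groupId', value: '1' },
        { type: 'groupId', value: '2' },
        { type: 'someOtherClaimType', value: 'foo' },
      ],
    },
  };
  const context = { samlConfiguration: {} };
  let result;
  addSamlGroupIds(user, context, (err, u, ctx) => {
    result = {
      err,
      groupIds: u.groupIds,
      mappings: ctx.samlConfiguration.mappings,
    };
  });
  return result;
}

console.log(JSON.stringify(runSample()));
```

Deriving the attribute from `app_metadata` rather than `user_metadata` matters here: `app_metadata` is not editable by the end user, so a group claim computed from it at login cannot be influenced by the person being asserted about, and keeping the computed array transient avoids the stale-copy problem the post describes.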