Trouble Configuring SAML Mappings

mattln · September 25, 2020, 2:02pm

I am attempting to connect SAML to my application using Okta as the IDP, and Auth0 as the SP. I have gotten the base connection setup up correct, but I am having trouble getting the SAML Mappings to apply to the user’s profile.

I have setup the example mappings in the ‘Mappings’ tab of the enterprise SAML connection as follows:

{
  "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "email": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "groups": "http://schemas.xmlsoap.org/claims/Group",
  "user_id": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "nickname": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "given_name": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
}

but when I test the app, none of these are applied to the user profile, nor is the user address added to the user’s profile?:

{
  "sub": "samlp|ln-dev-okta|me@mydomain.com",
  "nickname": "",
  "name": "",
  "picture": "https://cdn.auth0.com/avatars/default.png",
  "updated_at": "2020-09-25T14:00:05.533Z"
}

Ideally I’d like to have the email set to the User’s profile in Auth0, but right now since its not getting set, a new user is created without an email address. Also, is there any way I can intercept the actual SAML response coming into Auth0 so I can inspect the attributes and make sure they’re present?

What am I missing here?

jmangelo · September 25, 2020, 2:18pm

See this (Troubleshoot SAML Configurations) as it may be relevant. If the SAML assertion is not being returned encrypted by Okta you could always use browser network tools to get it and decode it manually.

However, there’s also a debug option in the SAML connection settings that should surface additional information in tenant logs.

mattln · September 25, 2020, 2:46pm

Thanks for the quick response. Thanks for the pointer on debug mode, I was able to reconfigure the attributes I was sending from Okta, and now they’re getting picked up in the user profile.

Which leads me to a question about SAML & Account Linking. Say I have a User with an identity tied to user@example.com, and then a SAML assertion comes in with the same email address.

I can see currently that a second user is created with the same email address…is it possible to setup account linking for SAML provisioned users?

jmangelo · September 25, 2020, 3:26pm

The account linking functionality is available for all types of users (independent of the connection type they originate from). However, we currently no longer recommend automatic account linking techniques and give preference to flows where the user is involved in the linking process (User Account Linking)

Topic		Replies	Views
User profiles are not reflecting the current SAML field mappings Help connections , saml-enterprise-connection	5	1486	June 5, 2023
SAML: Help on setting up custom attrs in response to service Help connections , saml-enterprise-connection	0	1121	November 8, 2022
Adding roles to SAML response Help saml	2	3359	March 24, 2023
SAML Setup for OKTA as IdP and Auth0 as SP Knowledge Articles saml , auth0 , okta , idp , service-provider	1	4357	September 22, 2022
Map SAML attributes to user_metadata attributes Knowledge Articles app_metadata , user_metadata , samlp , saml-enterprise-connections , mapping	1	2314	May 9, 2023

Trouble Configuring SAML Mappings

Related Topics