Trouble Configuring SAML Mappings

I am attempting to connect SAML to my application using Okta as the IDP, and Auth0 as the SP. I have gotten the base connection setup up correct, but I am having trouble getting the SAML Mappings to apply to the user’s profile.

I have setup the example mappings in the ‘Mappings’ tab of the enterprise SAML connection as follows:

{
  "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "email": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "groups": "http://schemas.xmlsoap.org/claims/Group",
  "user_id": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "nickname": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "given_name": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
}

but when I test the app, none of these are applied to the user profile, nor is the user address added to the user’s profile?:

{
  "sub": "samlp|ln-dev-okta|me@mydomain.com",
  "nickname": "",
  "name": "",
  "picture": "https://cdn.auth0.com/avatars/default.png",
  "updated_at": "2020-09-25T14:00:05.533Z"
}

Ideally I’d like to have the email set to the User’s profile in Auth0, but right now since its not getting set, a new user is created without an email address. Also, is there any way I can intercept the actual SAML response coming into Auth0 so I can inspect the attributes and make sure they’re present?

What am I missing here?

See this (Troubleshoot SAML Configurations) as it may be relevant. If the SAML assertion is not being returned encrypted by Okta you could always use browser network tools to get it and decode it manually.

However, there’s also a debug option in the SAML connection settings that should surface additional information in tenant logs.

Thanks for the quick response. Thanks for the pointer on debug mode, I was able to reconfigure the attributes I was sending from Okta, and now they’re getting picked up in the user profile.

Which leads me to a question about SAML & Account Linking. Say I have a User with an identity tied to user@example.com, and then a SAML assertion comes in with the same email address.

I can see currently that a second user is created with the same email address…is it possible to setup account linking for SAML provisioned users?

The account linking functionality is available for all types of users (independent of the connection type they originate from). However, we currently no longer recommend automatic account linking techniques and give preference to flows where the user is involved in the linking process (User Account Linking)