I’m using Auth0 as a SAML Idp. I use “Add user roles to tokens” template to create an action to include user’s role in the SAML assertion. I inserted the Action into the Login flow and the roles are in the list of claims in the SAML assertion. However, the namespace isn’t what I expect it to be. Here is the code for the action:
The namespace set in the onExecutePostLogin() handler has periods replaced with semi-colons and is prefixed with http://schema.auth0.com/.
I can leave the namespace off in the onExecutePostLogin() handler and the saml:Attribute name will be formed as http://schemas.auth0.com/roles. Is that the correct solution or is there something else that I should do?
By default, mapUnknownClaimsAsIs is false, which adds the prefix you are seeing for any claims that are not mapped to the user’s profile. Can you please try specifying this setting as true in your SAML Addon’s settings?
The NameFormat is the same as others so I don’t think that’s an issue. It isn’t clear if there is another option I can set to fix this. Is there an option I can use to fix this?
I’ve read what you’ve linked to that states that dots will be replaced to semi-colon, but the entry doesn’t explain why that is done. Why are dots replaced with semi-colons?
On top of that, it seems to me that any change to the claim would be counter to the option “mapUnknownClaimsAsIs = true”.
Unfortunately, I have not been able to ascertain why the dots are replaced so far. Is there a hard requirement to use a URL as the attribute name in your use case?
No, there is no hard requirement. But it seems to be standard practice to include a namespace for attributes, and that namespace looks to be typically a URL. However, as I look at other SAML identity providers like ADFS, roles have attributes with the product’s namespace. So I think it would be a better plan for me to use the product’s namespace and configure for it rather than force each product to a namespace of my choosing.
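The approach the last reply settles on, as an added example that is not the poster's Action or Auth0's own code: a post-login Action that writes the user's roles into the SAML assertion under the attribute name the service provider already expects, so nothing depends on how the SAML add-on renames an unmapped ID-token claim or on the mapUnknownClaimsAsIs setting discussed above. It assumes the Actions Login flow API's api.samlResponse.setAttribute, and uses an ADFS-style role claim URI as a placeholder for whatever your service provider documents.

```javascript
// Added example, not the thread's Action or Auth0's own code: a post-login
// Action that writes the user's roles into the SAML assertion under the
// attribute name the service provider already uses, so nothing depends on how
// the SAML add-on renames an unmapped ID-token claim.
// Assumptions: api.samlResponse.setAttribute from the Actions Login flow API,
// and a placeholder ADFS-style attribute name standing in for your SP's real one.

const ROLES_ATTRIBUTE = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role';

// Roles Auth0 attaches to event.authorization.roles, reduced to a sorted list of
// unique non-empty strings so the service provider always sees the same shape.
function rolesFromEvent(event) {
  const raw = (event && event.authorization && event.authorization.roles) || [];
  const clean = raw.filter((r) => typeof r === 'string' && r.trim() !== '');
  return [...new Set(clean)].sort();
}

// Decide what to emit. Returns null when the user has no roles, so the Action
// leaves the attribute out entirely instead of asserting an empty role list.
function buildRolesAttribute(event, attributeName = ROLES_ATTRIBUTE) {
  if (typeof attributeName !== 'string' || attributeName.trim() === '') {
    throw new Error('roles attribute name must be a non-empty string');
  }
  const roles = rolesFromEvent(event);
  return roles.length === 0 ? null : { name: attributeName, value: roles };
}

// Auth0 invokes this handler on every login that passes through the flow.
async function onExecutePostLogin(event, api) {
  const attr = buildRolesAttribute(event);
  if (attr) api.samlResponse.setAttribute(attr.name, attr.value);
}

// Auth0 loads the handler from exports; guarded so the file also runs elsewhere.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

Because the attribute name is set explicitly rather than derived from a custom ID-token claim, the name you configure here is the name to check for in the saml:Attribute of a captured assertion.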