Unexpected namespace adding user roles to tokens

I’m using Auth0 as a SAML IdP. I use the “Add user roles to tokens” template to create an action to include the user’s role in the SAML assertion. I inserted the Action into the Login flow and the roles are in the list of claims in the SAML assertion. However, the namespace isn’t what I expect it to be. Here is the code for the action:

// Auth0 Action in the Login flow: copy the user's roles into the tokens under a custom namespace
exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://alpha.anywhere.com';
  // event.authorization is only present once the user has been authorized
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};

and here is what the claim looks like:

<saml:Attribute Name="http://schemas.auth0.com/https://alpha;anywhere;com/roles"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">DoWhateverYouWant</saml:AttributeValue>
</saml:Attribute>

The namespace set in the onExecutePostLogin() handler has periods replaced with semi-colons and is prefixed with http://schema.auth0.com/

I can leave the namespace off in the onExecutePostLogin() handler and the saml:Attribute name will be formed as http://schemas.auth0.com/roles. Is that the correct solution or is there something else that I should do?

Hi @terry2 , welcome to the community!

I believe this is due to how the SAML Addon creates the SAML Assertion by default. There is a series of options available, documented here:

By default, mapUnknownClaimsAsIs is false, which adds the prefix you are seeing for any claims that are not mapped to the user’s profile. Can you please try specifying this setting as true in your SAML Addon’s settings?

1 Like

Thanks for helping on this one Steve!

That did fix the prepending, but the periods in my namespace are still being replaced with semi-colons.

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">terry@xxxx.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="last_password_reset"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">2021-04-27T16:51:32.829Z</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="https://alpha;anywhere;com/roles"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">DoWhateverYouWant</saml:AttributeValue>
</saml:Attribute>

The NameFormat is the same as others so I don’t think that’s an issue. It isn’t clear if there is another option I can set to fix this. Is there an option I can use to fix this?

Thanks.

Hi @terry2 ,

I’ve found out that any unmapped claims that have dots in the identifier will be replaced with semicolons as mentioned in point C here:

I am not aware of a way to stop this other than mapping the claim to part of the Auth0 profile:

1 Like

I’ve read what you’ve linked to that states that dots will be replaced with semi-colons, but the entry doesn’t explain why that is done. Why are dots replaced with semi-colons?

On top of that, it seems to me that any change to the claim would be counter to the option “mapUnknownClaimsAsIs = true”.

Unfortunately, I have not been able to ascertain why the dots are replaced so far. Is there a hard requirement to use a URL as the attribute name in your use case?

1 Like

No, there is no hard requirement. But it seems to be standard practice to include a namespace for attributes, and that namespace looks to be typically a URL. However, as I look at other SAML identity providers like ADFS, roles have attributes with the product’s namespace. So I think it would be a better plan for me to use the product’s namespace and configure for it rather than force each product to a namespace of my choosing.

In other words I should use the auth0 namespace http://schema.auth0.com/ and have configuration in my product for the attribute name “http://schema.auth0.com/roles”. In the case of ADFS the attribute name is “http://schemas.microsoft.com/ws/2008/06/identity/claims/role”.

Thanks for your help. I consider this issue closed.

1 Like
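Added example (not code from the thread or from Auth0): the first function models the attribute-name rewriting observed above (prefix added when mapUnknownClaimsAsIs is false, dots in the claim identifier replaced with semicolons), so you can predict the saml:Attribute Name before wiring up the service provider. The rest shows the approach the thread settled on from the service-provider side: configure one role attribute name per IdP (the Auth0 and ADFS names quoted above) and take roles only from that attribute, ignoring anything under a different name. The rewriting rule is an assumption reconstructed from the quoted assertions, the assertion fragment is constructed, and the attribute extractor is a regex over that fragment, not a SAML parser; it must only ever be run on an assertion whose signature has already been verified.

```javascript
// Prefix the Auth0 SAML Addon prepended to unmapped claims in the thread (assumed constant).
const AUTH0_UNKNOWN_CLAIM_PREFIX = 'http://schemas.auth0.com/';

// Predict the saml:Attribute Name emitted for a custom claim that is not mapped
// to a profile field. Rule reconstructed from the quoted assertions (assumption):
// dots inside the claim identifier become semicolons; the prefix is added only
// when mapUnknownClaimsAsIs is false.
function predictSamlAttributeName(claimName, { mapUnknownClaimsAsIs = false } = {}) {
  const mangled = claimName.replace(/\./g, ';');
  return mapUnknownClaimsAsIs ? mangled : AUTH0_UNKNOWN_CLAIM_PREFIX + mangled;
}

// Role attribute name the service provider is configured for, per IdP (names from the thread).
const ROLE_ATTRIBUTE_BY_IDP = {
  auth0: 'http://schemas.auth0.com/roles',
  adfs: 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role',
};

// Minimal extractor for <saml:Attribute> elements of an assertion that has
// ALREADY been signature-checked. Regex-based for this constructed sample only.
function parseAttributes(assertionXml) {
  const attrs = [];
  const attrRe = /<saml:Attribute\s+Name="([^"]+)"[^>]*>([\s\S]*?)<\/saml:Attribute>/g;
  const valRe = /<saml:AttributeValue[^>]*>([^<]*)<\/saml:AttributeValue>/g;
  let m;
  while ((m = attrRe.exec(assertionXml)) !== null) {
    const values = [];
    let v;
    while ((v = valRe.exec(m[2])) !== null) values.push(v[1]);
    attrs.push({ name: m[1], values });
  }
  return attrs;
}

// Return the roles asserted under the configured attribute name for this IdP.
// Attributes under any other name (including a mangled custom namespace) are ignored,
// so a misconfigured or unexpected attribute never silently grants a role.
function extractRoles(attributes, idp) {
  const wanted = ROLE_ATTRIBUTE_BY_IDP[idp];
  if (!wanted) throw new Error(`unknown IdP: ${idp}`);
  const attr = attributes.find((a) => a.name === wanted);
  return attr ? attr.values : [];
}

// Constructed sample fragment in the shape of the assertions quoted in the thread.
const SAMPLE_ASSERTION = `
<saml:Attribute Name="http://schemas.auth0.com/roles"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">DoWhateverYouWant</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">Auditor</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="https://alpha;anywhere;com/roles"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">Admin</saml:AttributeValue>
</saml:Attribute>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(predictSamlAttributeName('https://alpha.anywhere.com/roles'));
  console.log(predictSamlAttributeName('https://alpha.anywhere.com/roles', { mapUnknownClaimsAsIs: true }));
  console.log(predictSamlAttributeName('roles'));
  console.log(extractRoles(parseAttributes(SAMPLE_ASSERTION), 'auth0'));
}
```

Running the block prints the three attribute names seen in the thread (prefixed and mangled, mangled only, and the plain http://schemas.auth0.com/roles) followed by the two roles carried under the Auth0 attribute name; the "Admin" value under the mangled custom namespace is deliberately not returned.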

No worries! We’re here for you! Marking your last message as a solution to this thread.
