Unlocking more customization in Actions with three new capabilities

Hello developer community! We are excited to bring - SAML Mapping and Configuration, Access Token Scopes, and Root-Level User Attribute to Auth0 Actions starting today, depends on your tenant environments

Starting today, you can now use more advanced features in Auth0 Actions. SAML Mapping and Configuration, access Root-Level User Attributes, and alter Access Token Scope. These new functions bring unique benefits to developers in Actions.

We have heard the values in Rule’s offerings from these features and understand missing these features can be a critical blocker for you to migrate from Rules to Actions. That’s why we are shipping these capabilities in Actions today so you can unlock deep customization in Actions today just like Rules. We also brought in advanced security measurement and practice while shipping these features in Actions.

SAML Mapping and Configuration

SAML (Security Assertion Markup Language) is widely used for exchanging authentication and authorization data between identity providers and service providers. We are bringing SAML mapping and configuration to Actions today to facilitate seamless integration with SAML-based identity providers and enable efficient handling of user data.

Developers can effectively use SAML mapping to map user attributes and claims from SAML assertion assertions to user profiles with Actions when creating and customizing the login and user registration flow. SAML mapping in Actions simplifies the management of user attributes, ensuring smooth data flow and synchronization between different identity providers and their applications. It enables the creation of personalized and context-aware experiences so that your identity pipeline can help you know and protect your customer better

Access Token Scope

Access tokens are used in token-based authentication to allow an application to access an API. Developers can effectively freely add or remove claims scopes with newly created custom API with security enhancement.

Root-Level User Attributes

Auth0’s normalized user profile consists of both well-known root attributes, as well as profile attributes that originate from identity providers (IdPs) other than Auth0 (such as Google, Facebook, Twitter). Actions now expose a more comprehensive set of these attributes–including those that originate from IdPs–to further enable developers to create and customize their identity solutions. Developers can start using standard properties such as user.roles, user.groups, user.permissions to understand more customer profiles and help protect user interests,

You can read more about these capabilities in this blog and start using these features following our docs update.

How can you get additional assistance?

Your feedback is crucial to us. At Auth0, we build Actions to provide the best developer experience. Having challenges in using these features? Requesting new capabilities in Actions? Finding roadblocks in migrating to Actions or just feeling exicted about Actions? Please feel free to drop your thoughs below in the comments!


I’ve read the blog post and looked through the docs, and I’m still not sure what the specific changes are, and, more specifically, how to use them in an action. A further blog post that includes examples would be helpful.

For further context, I was hoping this release would offer a fix for the following scenario:
I have created an enterprise OIDC SSO connection that enables a non-Auth0 IdP to connect with my SP. The IdP sends a custom claim within their token (let’s say that claim is “testing123”). I would like to have access to this claim in my postLogin action without calling the ManagementAPI. Maybe these new features don’t do that, but I can’t tell.

Hello, Thank you for the updates but in the blog it’s not clear how to use standard properties such as user.roles , user.groups , and user.permissions in auth0 actions.
I’d appreciate an example for how to get these properties.

Hi @amymb,

Thanks for posting your question.

The specific changes include being able to make these calls:

SAML Mapping and Configuration

  • api.samlResponse.setAttribute(attribute, value)
  • api.samlResponse.setAudience(audience)
  • api.samlResponse.setRecipient(recipient)
  • api.samlResponse.setCreateUpnClaim(createUpnClaim)
  • api.samlResponse.setPassthroughClaimsWithNoMapping(passthroughClaimsWithNoMapping)
  • api.samlResponse.setMapUnknownClaimsAsIs(mapUnknownClaimsAsIs)
  • api.samlResponse.setMapIdentities(mapIdentities)
  • api.samlResponse.setDestination(destination)
  • api.samlResponse.setLifetimeInSeconds(lifetimeInSeconds)
  • api.samlResponse.setSignResponse(signResponse)
  • api.samlResponse.setNameIdentifierFormat(nameIdentifierFormat)
  • api.samlResponse.setNameIdentifierProbes(nameIdentifierProbes)
  • api.samlResponse.setAuthnContextClassRef(authnContextClassRef)
  • api.samlResponse.setSigningCert(signingCert)
  • api.samlResponse.setIncludeAttributeNameFormat(includeAttributeNameFormat)
  • api.samlResponse.setTypedAttributes(typedAttributes)
  • api.samlResponse.setEncryptionCert(encryptionCert)
  • api.samlResponse.setCert(cert)
  • api.samlResponse.setKey(key)

Access Token Scope

  • api.accessToken.addScope(scope)
  • api.accessToken.removeScope(scope)

Root-Level User Attributes

  • event.user.roles
  • event.user.groups
  • event.user.permissions



Hey @rueben.tiow. I’m attempting to access user.groups in an Action but it seems to be undefined still. Do you have an idea of when we will be able to access the new user properties?

Currently we are using a Rule first to get the groups and put it in user_metadata and then in the Action we are able to actually add it as a custom claim on the ID token. But would be really nice to not have to use the Rule anymore and access it directly in the Action.

Hi is there an update to this question? I would also be interested in accessing event.user.roles, however for me its also still undefined?

Hi @chris_b and @sacummings,

The event.user.groups and event.user.roles should be accessible in Actions when authenticating using Enterprise Connections.


Hey there!

As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!

This is not true.
event.user.groups or event.user.roles are still undefined.

Why would you tell people to migrate to Actions when Actions doesn’t have all the features that Rules has?

1 Like