Overview
This article explains why the user_id attribute in an Auth0 user profile is populated with the user’s email address when using an enterprise Security Assertion Markup Language (SAML) connection where Okta is the Identity Provider (IdP).
Applies To
- Auth0
- Okta
- Security Assertion Markup Language (SAML)
- Enterprise Connection
- User_id
Cause
The user_id in Auth0 is populated with the user’s email address because the SAML connection mapping is configured to use the nameidentifier attribute from the Okta IdP for the user_id. In this configuration, Okta sends the user’s email address as the value of the nameidentifier attribute, which Auth0 then uses to populate the user_id field in the user profile.
Currently, the Auth0 user_id value for this connection type is a concatenation of “samlp” + connection_name + nameidentifier.
Solution
The default mapping configuration in Auth0 for a SAML connection prioritizes several attributes for the user_id. The following mapping shows that http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier is the primary attribute used, which causes this behavior if it contains the email address.
{
  "user_id": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "email": "Email",
  "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "given_name": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
  "groups": "http://schemas.xmlsoap.org/claims/Group"
}
The mapping can be updated. By changing the order of attributes in the user_id claim, or by adding other attributes, it is possible to control how the user_id is populated in the Auth0 user profile for a user authenticating via a SAML connection where Okta is the IdP.
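The following worked example is added here and is not Auth0's or Okta's code. It models how a priority-ordered mapping like the one above selects the claim that becomes user_id, shows the resulting identifier before and after reordering the list, and flags the case where the identifier is derived from an email-shaped value (an email address can change, so an identifier built from it is worth reviewing before user_id is relied on for account linking or log correlation). Assumptions, labelled in the code: array values are resolved as "first listed claim present in the assertion wins"; the user_id string is assembled as samlp|<connection>|<value>, with the "|" separator taken as an assumption from the article's "concatenation" description; the assertion attributes, the connection name "okta-saml" and the extra claim "urn:example:immutable-id" are constructed sample values.

```python
"""Added example (not Auth0's or Okta's code): apply a SAML attribute
mapping to a set of assertion attributes and compose the Auth0-style
user_id, to show how reordering the user_id priority list changes the
identifier."""
import re

NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
# Hypothetical extra claim standing in for an immutable IdP identifier;
# the name is constructed for this example, not an Okta attribute name.
IMMUTABLE_ID = "urn:example:immutable-id"

# The user_id and email portion of the default mapping quoted in the article.
DEFAULT_MAPPING = {
    "user_id": [NAMEID, UPN, NAME],
    "email": "Email",
}

# Constructed sample attributes, shaped like an assertion where the IdP
# emits the email address as the NameID value.
SAMPLE_ASSERTION_ATTRIBUTES = {
    NAMEID: "jane.doe@example.com",
    UPN: "jdoe@example.com",
    NAME: "Jane Doe",
    "Email": "jane.doe@example.com",
    IMMUTABLE_ID: "00u-constructed-123",
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def resolve_claim(spec, attributes):
    """Return (claim, value) for the first claim named in spec that is
    present and non-empty in attributes. spec is a single claim name or a
    priority-ordered list (assumed semantics of the mapping)."""
    names = spec if isinstance(spec, list) else [spec]
    for name in names:
        if attributes.get(name):
            return name, attributes[name]
    return None, None


def build_profile(mapping, attributes, connection_name):
    """Apply the mapping and compose the user_id string."""
    profile = {}
    for field, spec in mapping.items():
        _, value = resolve_claim(spec, attributes)
        if value is not None:
            profile[field] = value
    if "user_id" in profile:
        # "samlp" + connection + value; the "|" separator is an assumption.
        profile["user_id"] = f"samlp|{connection_name}|{profile['user_id']}"
    return profile


def user_id_source(mapping, attributes):
    """Which claim actually supplied user_id (useful when troubleshooting
    why an identifier looks like an email address)."""
    claim, _ = resolve_claim(mapping["user_id"], attributes)
    return claim


def user_id_is_email_derived(mapping, attributes):
    """True when the identifier would be built from an email-shaped value."""
    _, value = resolve_claim(mapping["user_id"], attributes)
    return bool(value) and EMAIL_RE.match(value) is not None


def reprioritised_mapping(mapping, first_claim):
    """Return a copy of the mapping with first_claim moved to the front of
    the user_id priority list (the reordering the article describes);
    the input mapping is left unchanged."""
    order = [first_claim] + [c for c in mapping["user_id"] if c != first_claim]
    updated = dict(mapping)
    updated["user_id"] = order
    return updated


if __name__ == "__main__":
    attrs = SAMPLE_ASSERTION_ATTRIBUTES
    before = build_profile(DEFAULT_MAPPING, attrs, "okta-saml")
    print("default mapping  :", before["user_id"],
          "<-", user_id_source(DEFAULT_MAPPING, attrs),
          "email-derived:", user_id_is_email_derived(DEFAULT_MAPPING, attrs))
    fixed = reprioritised_mapping(DEFAULT_MAPPING, IMMUTABLE_ID)
    after = build_profile(fixed, attrs, "okta-saml")
    print("reordered mapping:", after["user_id"],
          "<-", user_id_source(fixed, attrs),
          "email-derived:", user_id_is_email_derived(fixed, attrs))
```

Running the block prints the identifier produced by the default mapping (built from the nameidentifier claim, which here carries the email address) and then the identifier produced once a non-email claim is placed first in the list. Because the fallback order is preserved, an assertion that lacks the preferred claim still yields an identifier from the next claim in the list, which is worth keeping in mind when checking that every Okta user actually sends the attribute you move to the front.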