User metadata attributes not passing via SAML

I am trying to pass some custom attributes in the SAML2 Web App, it seems that app metadata it is working, but not user metadata.

Consider the following configuration object:
“mapUnknownClaimsAsIs”: true,
“mappings”: {
“foo”: “bar”
“nameIdentifierProbes”: [

In “foo” is an app attribute, the following will show on in the decoded saml response when testing:
<saml:Attribute Name=“bar” NameFormat=“urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue xsi:type=“xs:string”>some value</saml:AttributeValue>

BUT, if “foo” is a user attribute, it doesn’t show up on the response at all.

Is this a bug or am I missing something?

Hi @supportal-ops,

Welcome to the Auth0 Community Forum!

I found a support ticket that looks linked to this question while searching for an answer. I am going to reiterate the answer here for the visibility of future users.

When defining mappings in the SAML2 Web App, variables from the user profile are expected. For example, “name”: “”. Since “foo” is not part of the user profile, this would have to be mapped a little differently.

The best option for mapping user_metadata and app_metadata would be to do this within a rule, which offers greater flexibility. It’s important to note that the format is a little different when using a rule versus using the SAML2 Web App; instead of including the Auth0 profile attribute on the left and the SAML attribute on the right as with the web app addon, these will be reversed within a rule. For example, you could map “‘bar’: ‘’”.

These pages have additional information on using rules for mapping SAML attributes:

Hope this helps!


So I added this rule:

function (user, context, callback) {
if (context.clientID === 'hbb8NMNbgY5voZ4AaOYtsRgLIiO7gqab') {
context.samlConfiguration.mappings = {
"email": "",
"first_name": "user.user_metadata.first_name",
"last_name": "user.user_metadata.last_name"
context.samlConfiguration.mapIdentities = false;
context.samlConfiguration.mapUnknownClaimsAsIs = true;
callback(null, user, context);

I can see this working in the debug rule screen, but when trying to actually login to the app, nothing has changed and these attribute don’t show up in the SAML response in the chrome extension.

Can you take a look at this topic thread and see if it is helpful?

I think you either need to prepend your attributes with the URL like in this example:

Or you need to use the "mapUnknownClaimsAsIs": true flag.

Let me know.


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.