If “foo” is an app attribute, the following will show up in the decoded SAML response when testing:
<saml:Attribute Name="bar" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">some value</saml:AttributeValue>
</saml:Attribute>
BUT, if “foo” is a user attribute, it doesn’t show up in the response at all.
I found a support ticket that looks linked to this question while searching for an answer. I am going to reiterate the answer here for the visibility of future users.
When defining mappings in the SAML2 Web App, variables from the user profile are expected. For example, "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name". Since “foo” is not part of the user profile, this would have to be mapped a little differently.
The best option for mapping user_metadata and app_metadata would be to do this within a rule, which offers greater flexibility. It’s important to note that the format is a little different when using a rule versus using the SAML2 Web App; instead of including the Auth0 profile attribute on the left and the SAML attribute on the right as with the web app addon, these will be reversed within a rule. For example, you could map "bar": "user.app_metadata.foo".
These pages have additional information on using rules for mapping SAML attributes:
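The mapping mechanism the answer describes, as an added example that is not part of the original thread and not Auth0's own code: a rule in the `function (user, context, callback)` shape sets `context.samlConfiguration.mappings` with the SAML attribute name on the left and a path into the user profile on the right, and a small simulator then resolves each path against a constructed profile and renders the resulting AttributeStatement. The profile data, the attribute names `bar`, `color`, `roles` and `missing`, and the helper functions are all assumptions for illustration. Auth0's documentation writes the right-hand paths relative to the user object (e.g. `app_metadata.foo`); the resolver here also tolerates a leading `user.` prefix, which is an assumption of this example rather than documented behaviour. The point it demonstrates is why a value that is absent from the profile produces no `<saml:Attribute>` at all, while values that live under `app_metadata` or `user_metadata` are emitted once a rule points at them.

```javascript
// Added example (not from the original post or Auth0): simulates how a
// rule-based SAML attribute mapping resolves against the user profile.

const SAML_BASIC_FORMAT = 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic';

// Constructed Auth0-style user profile (sample data, not a real account).
const sampleUser = {
  user_id: 'auth0|abc123',
  email: 'alice@example.com',
  name: 'Alice',
  user_metadata: { color: 'blue' },
  app_metadata: { foo: 'some value', roles: ['admin', 'editor'] },
};

// Rule in the shape Auth0 rules use: SAML attribute name on the left,
// path into the user profile on the right (reversed relative to the addon UI).
function mappingRule(user, context, callback) {
  context.samlConfiguration = context.samlConfiguration || {};
  context.samlConfiguration.mappings = {
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name': 'name',
    bar: 'app_metadata.foo',        // metadata value reachable only via a rule
    color: 'user_metadata.color',
    roles: 'app_metadata.roles',    // array values become multiple AttributeValues
    missing: 'foo',                 // top-level "foo" is not in the profile
  };
  callback(null, user, context);
}

// Run a rule with an empty context and hand back the mappings it produced.
function runRule(user, rule) {
  let mappings;
  rule(user, {}, (err, _u, ctx) => {
    if (err) throw err;
    mappings = ctx.samlConfiguration.mappings;
  });
  return mappings;
}

// Resolve a dotted path against the profile. Stripping a leading "user."
// is this example's assumption so that the answer's "user.app_metadata.foo"
// form resolves as well; missing segments yield undefined.
function resolvePath(user, path) {
  const parts = path.split('.');
  if (parts[0] === 'user') parts.shift();
  let cur = user;
  for (const p of parts) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, p)) {
      return undefined;
    }
    cur = cur[p];
  }
  return cur;
}

// Build the attribute list: mappings whose path resolves to nothing are
// dropped entirely, which is why such attributes never appear in the response.
function buildAttributes(user, mappings) {
  const attrs = [];
  for (const [samlName, path] of Object.entries(mappings)) {
    const value = resolvePath(user, path);
    if (value === undefined || value === null) continue;
    const values = Array.isArray(value) ? value : [value];
    attrs.push({ name: samlName, values: values.map(String) });
  }
  return attrs;
}

// Metadata values are free-form strings, so escape them before putting them
// into XML rather than trusting that they contain no markup.
function escapeXml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&apos;');
}

function renderAttributeStatement(attrs) {
  const lines = ['<saml:AttributeStatement>'];
  for (const a of attrs) {
    lines.push(`  <saml:Attribute Name="${escapeXml(a.name)}" NameFormat="${SAML_BASIC_FORMAT}">`);
    for (const v of a.values) {
      lines.push(`    <saml:AttributeValue xsi:type="xs:string">${escapeXml(v)}</saml:AttributeValue>`);
    }
    lines.push('  </saml:Attribute>');
  }
  lines.push('</saml:AttributeStatement>');
  return lines.join('\n');
}

// Usage: run the rule, resolve the mappings, print the simulated statement.
const mappings = runRule(sampleUser, mappingRule);
console.log(renderAttributeStatement(buildAttributes(sampleUser, mappings)));
```

When run, the printed statement contains `bar`, `color`, `roles` and the given_name claim, and nothing for `missing`, mirroring the behaviour described in the question: an attribute only appears when its right-hand path actually resolves in the profile the rule sees.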
I can see this working in the debug rule screen, but when trying to actually log in to the app, nothing has changed and these attributes don’t show up in the SAML response in the Chrome extension.