User Metadata not showing up in SAML2 Web App Response

Hello everyone.

Please pardon our possible ignorance here as we are new to Auth0.

Briefly:

  • Using Auth0 as an IdP
  • Utilizing Addon: SAML2 Web App
  • Incorporating both user_metadata & app_metadata for our Users

Desired outcome:
To have user_metadata populate in the SAML Response

Observations:
app_metadata populates in the SAML Response, but user_metadata does not.

Parameters in this example:
Metadata…

Addon: SAML2 Web App settings

{
  "mappings": {
    "UserMeta": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UserMeta",
    "AppMeta": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/AppMeta"
  },
  "passthroughClaimsWithNoMapping": true
}

SAML Response:

      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/AppMeta" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string">AppMetaText</saml:AttributeValue>
      </saml:Attribute>

Note, UserMetaText does not populate in the SAML Response

Any suggestions, please.

Thank you in advance.

Hi @OliJ,

Welcome to the Auth0 Community!

Since the SAML2 Addon mappings object can only work with root-level profile attributes, you will need to map the user_metadata properties to the event.user object using an Action.

Doing this will bubble up the attributes to the root level and allow them to be accessible from the mappings objects in the SAML2 Addon settings for login.

Post-Login Action script:

exports.onExecutePostLogin = async (event, api) => {
   if (event.user.user_metadata && event.user.user_metadata.UserMeta) {
     event.user.UserMeta = event.user.user_metadata.UserMeta;
   }
}

(Reference: How to Map SAML Attributes when Auth0 is the IDP in the SAML2 Addon)

Could you give this a try and let me know how it goes for you?

Thanks,
Rueben

Thank you @rueben.tiow.

I appreciate your time here.

Unfortunately, I must be missing something, as it didn’t deliver the User Metadata.

Here are the “settings” we are implementing…

We created a flow with the script you suggested.

exports.onExecutePostLogin = async (event, api) => {
   if (event.user.user_metadata && event.user.user_metadata.UserMeta) {
     event.user.UserMeta = event.user.user_metadata.UserMeta;
   }
}

User Metadata

{
  "UserMeta": "UserMetaText"
}

Mapping settings

{
  "mappings": {
    "UserMeta": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UserMeta"
  },
  "passthroughClaimsWithNoMapping": true,
  "mapUnknownClaimsAsIs": true
}

SAML Response doesn’t include “UserMeta”.

I apologize if we’re missing something obvious.

Thank you in advance for your time and help here.

Hi @OliJ,

Thanks for your update.

I have checked your settings and everything you have shared with me looks good.

At this point, I’d suggest using the Real-time Webtask Logs Extension to confirm that your Post Login Action script is executing inside the if-conditional statement. You could also use console.log() statements to verify the user_metadata values being read.

Finally, please take a look at this knowledge solution for a complete reference for mapping user_metadata/app_metadata into claims in the SAML response.

Thanks,
Rueben
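Added worked example (editor's illustration, not code from either participant or from Auth0's documentation). Besides copying a value onto event.user for the Addon "mappings" object to pick up, the Post-Login Action API exposes api.samlResponse.setAttribute(name, value), which writes an attribute straight into the SAML assertion. The Action below releases an allow-list of user_metadata keys that way, so the result does not depend on the mappings object seeing a root-level attribute. The claim namespace and the "UserMeta" key are taken from the thread; the stub event/api in simulateSamlLogin() and the "auth0|example" user id are constructed for offline testing and are not Auth0 objects.

```javascript
// Editor's added example, not from the thread. Post-Login Action that releases
// selected user_metadata keys as SAML attributes via api.samlResponse.setAttribute.

const CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/";

// Allow-list of user_metadata keys to release. user_metadata is typically
// user-editable, so never copy the whole object into an assertion.
const RELEASED_USER_METADATA = ["UserMeta"];

// Pure helper: compute the [attributeName, value] pairs to emit for a user.
// Only non-empty string values are released; missing or non-string values
// (and a missing user_metadata object altogether) are skipped silently.
function releaseUserMetadata(user) {
  const meta = (user && user.user_metadata) || {};
  const pairs = [];
  for (const key of RELEASED_USER_METADATA) {
    const value = meta[key];
    if (typeof value === "string" && value.length > 0) {
      pairs.push([CLAIM_NS + key, value]);
    }
  }
  return pairs;
}

// The Action entry point as Auth0 calls it (Login flow, Post Login trigger).
async function onExecutePostLogin(event, api) {
  for (const [name, value] of releaseUserMetadata(event.user)) {
    // Writes the attribute into the SAML assertion for this login.
    api.samlResponse.setAttribute(name, value);
  }
}

// Offline harness (constructed stub, not an Auth0 object): runs the Action
// against a fake event/api and returns the attributes the stub recorded.
async function simulateSamlLogin(userMetadata) {
  const recorded = {};
  const api = {
    samlResponse: {
      setAttribute: (name, value) => { recorded[name] = value; },
    },
  };
  const event = {
    user: { user_id: "auth0|example", user_metadata: userMetadata }, // hypothetical user id
  };
  await onExecutePostLogin(event, api);
  return recorded;
}

// Auth0 loads the Action through the CommonJS export below.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```

With the "UserMeta": "UserMetaText" metadata from the thread, simulateSamlLogin resolves to an object with one key, the full UserMeta claim URI, holding "UserMetaText". The mappings object and passthroughClaimsWithNoMapping can stay as configured for app_metadata and root-level attributes; attributes set through api.samlResponse.setAttribute are emitted in addition. Keeping an explicit allow-list, rather than iterating over every user_metadata key, is the check a practitioner would want so that user-editable fields do not end up as assertion attributes by accident.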
