User profiles are not reflecting the current SAML field mappings

Hello,

I’m using a SAML enterprise connection. I noticed that user profiles for users that have logged in via this connection don’t have the right user names. Instead of the user’s name, the name in the profile is populated with an email address.

The SAML connection has the following field mappings:

{
  "name": "http://schemas.microsoft.com/identity/claims/displayname",
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
}

I’ve looked at the connection’s debug logs, and I see that the http://schemas.microsoft.com/identity/claims/displayname field does have the expected user name. Auth0’s docs say that the profile should be updated automatically whenever a user logs in through the connection, but I’m not seeing the user name getting updated to match.

Any help would be appreciated! Thanks.

Hi @brandonv

Welcome to the Auth0 Community :slight_smile: Great to have you on board.

I will run through an overview of my process implementing your use case, so you can check it against yours to see if you missed anything. At first glance your mapping prefix URLs are all different, which is unexpected; usually they will all be consistent, but let’s review.

The key thing on this is to take a look at what is in your SAML response. Do a login against your SAML connection with the browser dev tools open to see the network calls. There will be a POST against the ACS URL configured on your IdP, like the below:

As you can see the SAML response is within the payload. If you copy this into https://samltool.io/ you’ll be able to see the attributes in the SAML response clearly.

In my test you can see what my IdP is configured to send, I included an additional full name attribute for illustration purposes.

As you can see, my IdP is sending the attributes without any prefixed URLs, so I can map them to my Auth0 properties as-is within the connection:

Et voilà

The attributes have come across as expected:

I hope this helps you. Let us know if you need anything further.
Warm regards.

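The check described in the reply above, as an added example (not Auth0’s code and not the poster’s): parse the decoded SAML assertion’s AttributeStatement, apply the field mapping from the original post, and report any mapped claim the IdP did not send, together with attributes that match it by local name but carry a different prefix. The assertion below is constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Field mapping copied from the original post.
FIELD_MAPPING = {
    "name": "http://schemas.microsoft.com/identity/claims/displayname",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}

# Constructed, already-decoded assertion. The IdP sends "displayname" under a
# different claim prefix than the mapping expects; email and groups match.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname">
      <saml:AttributeValue>Jane Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>devs</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(saml_xml):
    """Return {attribute Name: [values]} from the AttributeStatement."""
    root = ET.fromstring(saml_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs


def check_mapping(attrs, mapping):
    """Build the profile the mapping would produce and flag each mapped claim the
    IdP did not send, listing sent attributes whose local name matches it."""
    profile, missing = {}, {}
    for field, claim in mapping.items():
        if claim in attrs:
            values = attrs[claim]
            profile[field] = values if len(values) > 1 else values[0]
        else:
            local = claim.rsplit("/", 1)[-1]
            missing[field] = [n for n in attrs if n.rsplit("/", 1)[-1] == local]
    return profile, missing
```

Running `check_mapping(extract_attributes(SAML_ASSERTION), FIELD_MAPPING)` shows `email` and `groups` populated and `name` flagged as missing, with the differently prefixed `displayname` attribute listed as the likely intended claim.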

Hi, thanks for your response!

Unfortunately I’m not able to use the browser console to view the SAML response directly, as these are users outside my organization who are logging in to my application using their own IdP. Instead, I have been using Debug Mode on the connection, and looking at connection logs as described here: Troubleshoot SAML Configurations

  • I enabled debug mode on the SAML connection
  • Found a Success Login log entry
  • Looked at the original_profile property on the log entry
  • Within the original_profile value, I see there is a mapping from "http://schemas.microsoft.com/identity/claims/displayname" to the expected display name

:thinking:

Hi @brandonv

Thanks for your patience on this.

You can absolutely use that method as well to access the attributes instead of the SAML response directly.

If you can check one thing for me: go to your SAML connection in Auth0 (Authentication > Enterprise > SAML > Select the connection).

Scroll down and check the field “Sync user profile attributes at each login” is toggled on and then hit “Save Changes” as below:

It could be that this is switched off.

Warm regards.

Hi @SaqibHussain , thank you for your continued support!

I just checked the connection settings, and I see that Sync user profile attributes at each login is currently enabled on the connection.
