Where to normalize email in SSO SAML Enterprise Connections?

  • We have SAML Enterprise connections into the application.
  • This SAML IDP uses CamelCase identifiers before the @
  • Auth0 normalizes all emails coming close to the username-password database to lowercase, as does our app when creating permissions
  • Auth0 maps the CamelCase@domain to email, and doesn’t normalize to lowercase
  • We would like to normalize where Auth0 won’t and use a management action to update that user, but updating the email address on users from SAML connections is 400 forbidden
  • CamelCase@domain doesn’t match camelcase@domain, permissions fail, and they are signed out

At this point it looks like we need to add a whole additional layer of normalization to the entire app to handle this edge case… OR move to a secondary and worse field in the JWT like usermetadata.email_normalized everywhere we check (a reliable source of bugs).

Is there no way to just keep the email field normalized with SAML users?
If the enterprise connection upserts the Auth0 user at login, they won’t normalize, and the email is unchangeable, is this just a bug Auth0 expects every SSO integration to run into eventually?

The solution was to, in a post-login action, use JS to normalize the token as it’s being created.

exports.onExecutePostLogin = async (event, api) => {

  const extras = {
    email: event.user.email?.toLowerCase()
    // other custom attributes
  }

  // Set the custom claims.
  for (const [key, value] of Object.entries(extras)) {
    api.idToken.setCustomClaim(key, value);
    api.accessToken.setCustomClaim(key, value);
  }
};
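
A local harness for a handler shaped like the one above, as an added example that is not part of the original post: it runs a variant that skips the claim when no email is present against a mocked `api`, then shows the permission lookup failing on the raw SAML value and succeeding on the normalized claim. The mock `api`, the `runLogin`, `lookupPermissions` and `demo` helpers, the `example.com` address and the permission table are all constructed for illustration.

```javascript
// Variant of the post-login handler: sets nothing when the IdP sent no email,
// instead of passing undefined to setCustomClaim.
const onExecutePostLogin = async (event, api) => {
  const email = event.user.email;
  if (typeof email !== "string" || email.length === 0) return;
  const normalized = email.toLowerCase();
  api.idToken.setCustomClaim("email", normalized);
  api.accessToken.setCustomClaim("email", normalized);
};

// Hypothetical mock: records every claim the handler sets on either token.
function makeMockApi() {
  const claims = { idToken: {}, accessToken: {} };
  const recorder = (bucket) => ({
    setCustomClaim: (key, value) => { claims[bucket][key] = value; },
  });
  const api = { idToken: recorder("idToken"), accessToken: recorder("accessToken") };
  return { claims, api };
}

// Run the handler for one constructed user and return the recorded claims.
async function runLogin(user) {
  const { claims, api } = makeMockApi();
  await onExecutePostLogin({ user }, api);
  return claims;
}

// App-side lookup: the permission table is keyed on lowercase email,
// so the lookup is an exact, case-sensitive match on the claim value.
function lookupPermissions(table, emailClaim) {
  return table.get(emailClaim) ?? [];
}

async function demo() {
  // Constructed sample data.
  const table = new Map([["camelcase@example.com", ["reports:read"]]]);
  const samlUser = { email: "CamelCase@example.com" };
  const claims = await runLogin(samlUser);
  return {
    rawLookup: lookupPermissions(table, samlUser.email),        // mismatch case
    normalizedLookup: lookupPermissions(table, claims.idToken.email),
    accessTokenEmail: claims.accessToken.email,
    noEmailClaims: await runLogin({}),                           // IdP sent no email
  };
}
```

Both tokens have to carry the same normalized value, and the permission table has to be keyed on that same form, otherwise the mismatch moves instead of disappearing.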