Map SAML Attributes with Auth0 as IdP/SAML Add-on
When Auth0 is the IdP, you can map user attributes through Auth0's SAML2 add-on. Errors could occur if attributes are misconfigured. For example, a user enters username and password successfully, but fails to sign in to the application even though logs in the Auth0 Dashboard show successful login events. Or, your application is missing user information such as name or email.
Use cases
The user profile below is the example for the following scenarios.
//SAMPLE IdP User Profile
{
"created_at": "2021-06-21T13:26:08.579Z",
"email": "testuser@example.com",
...
"fav_genre": "fiction",
"user_metadata": {
"fav_streaming_service": "hulu"
}
...
}
Was this helpful?
No mappings object
When using the SAML2 add-on, an empty mappings object generates by default.
In this example, fav_genre
and user_metadata.fav_streaming_service
are undefined but can be customized and mapped to the SAML Response populated by Auth0.
In the example below, "fav_genre": "fiction"
gets mapped to the http://schemas.auth0.com/fav_genre attribute in the SAML Response with the fiction
value while"user_metadata": {"fav_streaming_service": "hulu"}
does not appear in the SAML response at all.
Resulting SAML Response that the IdP sends:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_e30cb5f29249a82846eb" InResponseTo="_e33996d83f953ce46225185b3a1c0ad8" Version="2.0" IssueInstant="2021-11-03T21:34:42.493Z" Destination="https://example-dev-tenant.us.auth0.com/login/callback">
...
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.auth0.com/fav_genre" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fiction
</saml:AttributeValue>
</saml:Attribute>
...
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Was this helpful?
Standard mappings example
In the earlier example, not customizing the mappings object resulted in a http://schemas.auth0.com/fav_genre attribute in the SAML Response with the "fiction"
value.
Next, map the attributes in the Mappings Object of the SAML2 add-on settings to account for that.
After doing so, notice how the "fiction"
value is the same in the SAML Response, but the attribute name in the SAML Response has been changed from the default http://schemas.auth0.com/fav_fiction to http://schemas.auth0.com/books.
Configuring the SAML2 add-on mappings object:
"mappings": {
"fav_genre": "http://schemas.auth0.com/books"
}
Was this helpful?
This mapping results in the following response:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_e30cb5f29249a82846eb" InResponseTo="_e33996d83f953ce46225185b3a1c0ad8" Version="2.0" IssueInstant="2021-11-03T21:34:42.493Z" Destination="https://example-dev-tenant.us.auth0.com/login/callback">
...
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.auth0.com/books" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fiction
</saml:AttributeValue>
</saml:Attribute>
...
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Was this helpful?
Mapping the same value to multiple attributes
There may be scenarios where mapping the SAML Response to multiple attributes with the same value is required.
In this case, there is the option to map the same value from the user profile to multiple attributes in the SAML Response.
How to configure the SAML2 add-on mappings object:
"mappings": {
"fav_genre": [
"http://schemas.auth0.com/movies",
"http://schemas.auth0.com/books",
"http://schemas.auth0.com/television"
]
}
Was this helpful?
This mapping results in the following response:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_e30cb5f29249a82846eb" InResponseTo="_e33996d83f953ce46225185b3a1c0ad8" Version="2.0" IssueInstant="2021-11-03T21:34:42.493Z" Destination="https://example-dev-tenant.us.auth0.com/login/callback">
...
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.auth0.com/movies" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fiction
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.auth0.com/books" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fiction
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.auth0.com/television" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fiction
</saml:AttributeValue>
</saml:Attribute>
...
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Was this helpful?