You can customize your assertions as well as the SAML and WS-Federation protocol parameters.

Auth0 as identity provider

Customize SAML assertions when Auth0 acts as the by configuring the addon in the Dashboard or by using rules.

Use the Dashboard

  1. Go to Dashboard > Applications > Applications and select the name of the application to view.
  2. Select the Addons tab.
  3. Enable SAML2 Web App toggle to view settings and options.
    Dashboard Applications Applications Addons Tab SAML2 Web App Settings Tab
  4. In the Settings tab, you can make several types of customizations, such as:
    • Specify an audience other than the default issuer of the SAML request.
    • Specify a recipient.
    • Map profile attributes to specific attribute statements.
    • Change the signature or digest algorithm.
    • Specify whether just the assertion or the entire response should be signed.

Use Actions

You can use Actions to add more extensive or dynamic customizations to the SAML response. Customizations made in Actions override customizations done using the Application Addons view in the Dashboard. The api.samlResponse object is used to override default SAML attributes or add new attributes.

Example: Changing the SAML token lifetime and use UPN as NameID

exports.onExecutePostLogin = async (event, api) => {
	api.samlResponse.setLifetimeInSeconds(36000);
	if (event.user.upn) {
		api.samlResponse.setAttribute('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier', 'upn');
	}
};

Example: Include user_metadata attributes in an assertion

exports.onExecutePostLogin = (event, api) => {
	event.user.user_metadata = event.user.user_metadata || {};
	event.user.user_metadata.color = 'purple';
	api.samlResponse.setAttribute('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/color', event.user.user_metadata.color);
};

SAML assertion attributes

The following is a list of customization attributes for SAML assertions.
AttributeTypeDescription
audiencestringAudience of the SAML assertion. Default is issuer on SAMLRequest.
recipientstringRecipient of the SAML assertion (SubjectConfirmationData). Default is AssertionConsumerUrl on SAMLRequest or callback URL if no SAMLRequest was sent.
issuerstringUnique identifier of the SAML identity provider, formatted as a URL.
mappingsobjectMappings between Auth0 profile and the output attributes on the SAML assertion. Default mapping is shown above.
createUpnClaimbooleanWhether or not a UPN claim should be created. Default is true.
passthroughClaimsWithNoMappingbooleanIf true (default), for each claim that is not mapped to the common profile, Auth0 passes through those in the output assertion. If false, those claims won’t be mapped.
mapUnknownClaimsAsIsbooleanIf passthroughClaimsWithNoMapping is true and this is false (default), for each claim not mapped to the common profile Auth0 adds a prefix http://schema.auth0.com. If true it will pass through the claim as-is.
mapIdentitiesbooleanIf true (default), it adds more information in the token such as the provider (Google, ADFS, AD, etc.) and the access token, if available.
signatureAlgorithmstringSignature algorithm to sign the SAML assertion or response. Default is rsa-sha1.
digestAlgorithmstringDigest algorithm to calculate digest of the SAML assertion or response. Default is sha1.
destinationobjectDestination of the SAML response. If not specified, it will be AssertionConsumerUrl of SAMLRequest or callback URL if there was no SAMLRequest.
lifetimeInSecondsintegerExpiration of the token. Default is 3600 seconds (1 hour).
signResponsebooleanWhether or not the SAML response should be signed. By default the SAML assertion will be signed, but not the SAML response. If true, SAML Response will be signed instead of SAML assertion.
nameIdentifierFormatstringDefault is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
nameIdentifierProbesarrayAuth0 will try each of the attributes of this array in order. If one of them has a value, it will use that for the Subject/NameID. The order is: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier (mapped from user_id), http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress (mapped from email), http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (mapped from name).
authnContextClassRefstringDefault is urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified.
typedAttributesbooleanDefault is true. When set to true, we infer the xs:type of the element. Types are xs:string, xs:boolean, xs:double and xs:anyType. When set to false all xs:type are xs:anyType.
includeAttributeNameFormatbooleanDefault is true. When set to true, we infer the NameFormat based on the attribute name. NameFormat values are urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:basic and urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified. If set to false, the attribute NameFormat is not set in the assertion.
logoutobjectControls SAML logout. It can contain two properties:callback (string) that contains the service provider (client application) Single Logout Service URL, where Auth0 will send logout requests and responses, and slo_enabled(boolean) that controls whether Auth0 should notify service providers of session termination. The default value istrue (notify service providers).
bindingstringOptionally indicates the protocol binding used for SAML logout responses. By default Auth0 uses HTTP-POST, but you can switch to HTTP-Redirect by setting “binding” to “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect”.
signingCertstringOptionally indicates the public key certificate used to validate SAML requests. If set, SAML requests will be required to be signed. A sample value would be “-----BEGIN CERTIFICATE-----\nMIIC8jCCAdqgAwIBAgIJObB6jmhG0QIEMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNV\n[..all the other lines..]-----END CERTIFICATE-----\n”.

Learn more