User Attribute Profile

The User Attribute Profile (UAP) provides a consistent way to define, manage, and map user attributes across protocols such as SCIM, SAML, and OIDC. UAP with Self-Service SSO gives administrators greater control over user identity data by defining user attributes and applying the profile across authentication protocols.

How it works

  • Profile Definition

    An administrator creates a User Attribute Profile to define attributes, including:

    • How to display attributes

    • How to make attributes required

    • How attributes map to Auth0 and external identity systems

  • Flexible Scope

    Profiles are linked to Self-Service SSO flows but are designed for provisioning, onboarding, and entitlement management.

  • Unified Mapping Layer

    Each attribute supports mappings across authentication protocols with the option to override values for specific providers or connection strategies, such as Okta and Entra ID.

Attribute mapping and override

UAP supports multi-protocol attribute definitions and strategy overrides for provider-specific needs.

Attribute mapping

| Protocol | Description |
| --- | --- |
| Auth0 Mapping | Canonical attribute stored in Auth0 (email, name, app_metadata.department). |
| OIDC Mapping | Standard OIDC claims (sub, preferred_username, zoneinfo). To learn more about OIDC standard claims, read Standard Claims. |
| SAML Mapping | Supports one or more assertion URIs (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress). |
| SCIM Mapping | Provisioning attributes (name.familyName, addresses[type eq "work"].country). |

Strategy overrides

| Protocol | Description |
| --- | --- |
| SAML | Map userName instead of externalId. |
| WAAD (Entra ID) | Use oid as the OIDC identifier. |
| Okta | Map attributes such as middleName or federated_groups using Okta-specific claims. |

User ID

The user_id property defines how to map OIDC claims, SAML attributes, or SCIM attributes to the Auth0 user ID. Every Auth0 user must have an ID, so this mapping is required.

  • For OIDC, the choices are rigid (typically sub, or oid for Azure AD, or email for Google).

  • For SAML and SCIM, the mapping is more flexible and can point to multiple possible attributes.

User attributes

The user_attributes property contains the mapping information that allows the system to interpret incoming claims from the IdP and store them as Auth0 user profile attributes.

Each attribute must be provided as a key/value pair:

  • The key corresponds to the attribute name.

  • The value is an object with:

    • label

    • description

    • profile_required

    • auth0_mapping

    • saml_mapping

    • scim_mapping

    • oidc_mapping: an object with these properties:

      • mapping: the incoming claim from the IdP (a literal value, a dynamic context object, or both, using ${variable} syntax that supports the context object).

      • display_name: the label shown to end users in self-service flows.

Strategy overrides

The strategy_overrides property allows you to specify exceptions for individual identity providers (IdPs), since not all IdPs expose the same identifiers or claims.

Each override defines protocol-specific mappings that replace the defaults defined in user_id or user_attributes.

Examples

User identifier

"user_id": {
  "oidc_mapping": "sub",
  "saml_mapping": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "scim_mapping": "externalId",
  "strategy_overrides": {
    "waad": {
      "oidc_mapping": "oid"
    },
    "samlp": {
      "scim_mapping": "userName"
    },
    "google-apps": {
      "oidc_mapping": "email"
    }
  }
},

  • Default identifier: externalId via SCIM.

  • SAML: Multiple identifier URIs supported.

  • OIDC: Uses sub.

  • Overrides: SAML and WAAD customize mappings.

Email attribute

"email": {
  "description": "Email",
  "label": "Email",
  "profile_required": true,
  "auth0_mapping": "email",
  "scim_mapping": "emails[primary eq true].value",
  "oidc_mapping": {
    "mapping": "${context.tokenset.email}",
    "display_name": "email"
  },
  "saml_mapping": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ],
  "strategy_overrides": {
    "waad": {
      "scim_mapping": "emails[type eq \"work\"].value"
    }
  }
}

  • Suggested for most profiles.

  • Unified across Auth0, OIDC, SAML and SCIM.

  • WAAD override ensures correct mapping to work emails.
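
The override behaviour in the two examples above can be checked locally before a profile is applied. The following is an added example, not Auth0 code: effective() and lint_overrides() are hypothetical helpers, and the top-level layout of PROFILE (user_id next to user_attributes) is an assumption based on the property names on this page.

```python
# Added example: resolve the mappings that apply to one connection strategy.
PROTOCOLS = ("oidc_mapping", "saml_mapping", "scim_mapping")
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Profile assembled from this page's two examples; the top-level layout
# (user_id plus user_attributes) is an assumption.
PROFILE = {
    "user_id": {
        "oidc_mapping": "sub",
        "saml_mapping": [CLAIMS + "nameidentifier", CLAIMS + "upn", CLAIMS + "name"],
        "scim_mapping": "externalId",
        "strategy_overrides": {
            "waad": {"oidc_mapping": "oid"},
            "samlp": {"scim_mapping": "userName"},
            "google-apps": {"oidc_mapping": "email"},
        },
    },
    "user_attributes": {
        "email": {
            "profile_required": True,
            "auth0_mapping": "email",
            "scim_mapping": "emails[primary eq true].value",
            "oidc_mapping": {"mapping": "${context.tokenset.email}", "display_name": "email"},
            "saml_mapping": [CLAIMS + "emailaddress"],
            "strategy_overrides": {"waad": {"scim_mapping": 'emails[type eq "work"].value'}},
        },
    },
}

def effective(entry, strategy):
    """Defaults with this strategy's overrides replacing them, key by key."""
    merged = {k: v for k, v in entry.items() if k != "strategy_overrides"}
    merged.update(entry.get("strategy_overrides", {}).get(strategy, {}))
    return merged

def lint_overrides(profile):
    """Flag override keys that are not protocol mappings, e.g. a misspelt key that overrides nothing."""
    entries = [("user_id", profile["user_id"]), *profile.get("user_attributes", {}).items()]
    return [f"{name}/{strategy}: unexpected key {key!r}"
            for name, entry in entries
            for strategy, override in entry.get("strategy_overrides", {}).items()
            for key in override if key not in PROTOCOLS]

if __name__ == "__main__":
    # "okta" has no user_id override in this profile, so the defaults apply.
    for strategy in ("okta", "waad", "samlp", "google-apps"):
        uid = effective(PROFILE["user_id"], strategy)
        print(strategy, {p: uid[p] for p in ("oidc_mapping", "scim_mapping")})
    print(lint_overrides(PROFILE) or "overrides OK")
```

Reviewing the per-strategy output shows which claim becomes the Auth0 user ID for each provider, which is the mapping this page marks as required.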

Create a User Attribute Profile

  1. Navigate to Authentication > Enterprise > Self-Service SSO.

  2. Select Create Profile.

  3. Provide a Name and optional Description for the new profile.

  4. Add a User Attribute Profile entry by either selecting an existing profile or choosing +Create New.

    1. For a new profile, provide a User Profile Attribute Name.

    2. Review mappings to ensure the profile attributes map to your preferred Auth0 attributes.

  5. Choose Create.

Your new UAP is available to configure for SSO.

References 

APIs

To manage User Attribute Profiles, the following Management API endpoints are available:

  • POST /api/v2/user-attribute-profiles

  • GET /api/v2/user-attribute-profiles

  • PATCH /api/v2/user-attribute-profiles/{id}

  • GET /api/v2/user-attribute-profiles/{id}

  • GET /api/v2/user-attribute-profiles/templates

  • GET /api/v2/user-attribute-profiles/templates/{id}