Customize SAML Assertions
You can customize your SAML assertions, as well as the SAML and WS-Fed protocol parameters.
Auth0 as the Identity Provider
To customize your SAML assertions when Auth0 acts as the identity provider, either configure the addon itself or use rules.
Use the Application Addon
To customize your SAML assertion using the application add-on, navigate to Applications > Settings > Addons. Click on SAML2 Web App to launch the Settings tab that allows you to make several types of customizations including:
- Specifying an audience other than the default issuer of the SAML request;
- Specifying a recipient;
- Mapping profile attributes to specific attribute statements;
- Changing the signature or digest algorithm;
- Specifying whether just the assertion or the entire response should be signed.
You can use rules to add more extensive or dynamic customizations to the SAML response.
Customizations done in Rules override customizations done using the Application Addons tab.
- Example: Changing the SAML Token Lifetime and Using UPN as NameID
- Example: user_metadata Attributes in an Assertion
The following is a list of customization options for your SAML assertions.
audience (string): The audience of the SAML Assertion. Default will be the Issuer on SAMLRequest.
recipient (string): The recipient of the SAML Assertion (SubjectConfirmationData). Default is AssertionConsumerUrl on SAMLRequest or Callback URL if no SAMLRequest was sent.
mappings (Object): The mappings between Auth0 profile and the output attributes on the SAML Assertion. Default mapping is shown above.
createUpnClaim (bool): Whether or not a UPN claim should be created. Default is true.
passthroughClaimsWithNoMapping (bool): If true (default), each claim that is not mapped to the common profile is passed through into the output assertion. If false, those claims won't be mapped. Default is true.
mapUnknownClaimsAsIs (bool): If passthroughClaimsWithNoMapping is true and this is false (default), Auth0 adds the prefix http://schema.auth0.com to each claim that is not mapped to the common profile. If true, it passes the claim through as-is. Default is false.
mapIdentities: If true, it will add more information to the token, such as the provider used (google, adfs, ad, and so on) and the Access Token if available. Default is true.
signatureAlgorithm: Signature algorithm to sign the SAML Assertion or response. Default is rsa-sha1 and it could be
digestAlgorithm: Digest algorithm to calculate the digest of the SAML Assertion or response. Default is sha1 and it could be
destination: Destination of the SAML Response. If not specified, it will be AssertionConsumerUrl of SAMLRequest or Callback URL if there was no SAMLRequest.
lifetimeInSeconds (int): Expiration of the token. Default is 3600 seconds (1 hour).
signResponse (bool): Whether or not the SAML Response should be signed. By default the SAML Assertion will be signed, but not the SAML Response. If true, SAML Response will be signed instead of SAML Assertion.
nameIdentifierFormat (string): Default is
nameIdentifierProbes (Array): Auth0 will try each of the attributes of this array in order. If one of them has a value, it will use that for the Subject/NameID. The order is: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier (mapped from user_id), http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress (mapped from email), http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (mapped from name).
authnContextClassRef: Default is
typedAttributes: Default is true. When set to true, we infer the xs:type of the element. Types are
xs:anyType. When set to false all
includeAttributeNameFormat: Default is true. When set to true, we infer the NameFormat based on the attribute name. NameFormat values are urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified. If set to false, the attribute NameFormat is not set in the assertion.
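The following rule is an added example, not code from Auth0's documentation, showing how several of the options above are set from a rule so that they override the Application Addon settings for one application. It assumes that rules expose the addon options as context.samlConfiguration, that rsa-sha256 and sha256 are accepted algorithm values, and that the UPN claim URI is the WS-Fed/2005 identity claim; the client ID, department claim URI and sample profile are constructed.

```javascript
// Added example, not Auth0's own code. context.samlConfiguration is assumed
// to be the rule-side object holding the addon options; the client ID and the
// department claim URI are constructed placeholders for this example.
const TARGET_CLIENT_ID = "CLIENT_ID_PLACEHOLDER";
const UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";
const NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";
const EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";

// Pure helper so the resulting options can be inspected without the rule
// runtime. Returns null when the rule does not apply to this application.
function buildSamlConfiguration(user, context) {
  if (context.clientID !== TARGET_CLIENT_ID) {
    return null;
  }
  // Start from the addon settings so audience/recipient set there survive.
  const config = Object.assign({}, context.samlConfiguration || {});
  // A shorter lifetime than the 3600-second default narrows the replay window.
  config.lifetimeInSeconds = 600;
  // Replace the rsa-sha1/sha1 defaults (values assumed to be accepted by the
  // addon) and sign the whole Response rather than only the Assertion.
  config.signatureAlgorithm = "rsa-sha256";
  config.digestAlgorithm = "sha256";
  config.signResponse = true;
  // Use the UPN claim for Subject/NameID when present, then the defaults.
  config.nameIdentifierProbes = [UPN_CLAIM, NAMEID_CLAIM, EMAIL_CLAIM];
  // Expose one user_metadata attribute by copying it onto the profile and
  // mapping it; drop unmapped claims and provider details (which include the
  // upstream Access Token) so only chosen attributes leave the tenant.
  const meta = user.user_metadata || {};
  if (meta.department) { user.department = meta.department; }
  config.mappings = {
    user_id: NAMEID_CLAIM,
    email: EMAIL_CLAIM,
    department: "http://schemas.example.com/claims/department",
  };
  config.passthroughClaimsWithNoMapping = false;
  config.mapIdentities = false;
  return config;
}

// The rule itself, in the shape Auth0 invokes it.
function samlOverridesRule(user, context, callback) {
  const config = buildSamlConfiguration(user, context);
  if (config !== null) {
    context.samlConfiguration = config;
  }
  callback(null, user, context);
}
```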