I wanted to play with SAML Authentication in Splunk and decided to use Auth0 is my SAML Identity Provider (IdP).
Since i’ve never worked with Auth0 I just followed the SAML SSO with Auth0 as Service Provider and as an Identity Provider tutorial,, which worked well, but when I tried to use Splunk as Service Provider(SP), i.e. SAML service consumer, I noticed that roles are not returned by Auth0 SAML assertion, so I had to find a way to return user roles in Auth0 together with other user’s information.

Of course the  prerequisite of returning roles assigned to the user is to have them defined, so configure a few Roles under the User & Roles section on the left and assign 1 or more rule to a user.

I’ve created bu1_p and bu2_p (as for Business Unit 1/2 – Power User).

Next you will need to configure a Rule.

“Rules are JavaScript functions that execute when a user authenticates to your application. They run once the authentication process is complete, and you can use them to customize and extend Auth0’s capabilities.”

So from different sources I’ve stitched up a simple rule that adds roles assigned to a user and adds them to the user context.

Go to Rules and create a new Rule using empty rule template

Update the function to look like this:

function (user, context, callback) {
  // Get the user roles from the Authorization context
  const assignedRoles = (context.authorization || {}).roles;
  // Update the user object.
  user.rolez = assignedRoles;
  callback(null, user, context);
}

Save it.

If you want to test it by clicking “TRY THIS RULE” button, but don”t forget to update the context to include the  authorization with the roles (last couple of lines in the snippet below)

{
  "clientID":            "123456789",
  "clientName":          "MyWebApp",
  "connection":          "MyDbConn",
  "connectionStrategy":  "auth0",
  "protocol":            "oidc-basic-profile",
  "request": {
    "query":             { "scope": "openid" },
    "body":              {},
    "userAgent":         "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36",
    "ip":                "X.X.X.X",
    "geoip":             { "country_code":"AR", "country_code3":"ARG", "country_name":"Argentina", "region":"08", "city":"Federal", "postal_code":"3180", "latitude":-30.954599380493164, "longitude":-58.78329849243164, "continent_code":"SA", "time_zone":"America/Argentina/Buenos_Aires" }  },
  "samlConfiguration":   {},
  "stats":               { "loginsCount": 5 },
  "accessToken":         {},
  "idToken":             {},
  "authorization": {
    "roles" : "role1, role2"
  }
}

That’s it, now the authorization will return user roles in Auth0 as “rolez” attribute