Okta SAML Docs Missing Attribute

[tomcatling-faculty]

Okta SAML Walkthrough Missing Email Attribute

Description

While following the Okta/FusionAuth SAML guide here, the login was failing due to the SAML response missing an email attribute.

Adding the following line to the default SAML reconcile Lambda (and enabling that lambda for the integration, which is also not explicitly mentioned) fixed the issue for me:

user.email = defaultIfNull(samlResponse, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email', 'email');

[mooreds]

Thanks @tomcatling-faculty for filing this issue! And I'm glad you got your integration sorted out and working.

I scanned the FusionAuth documentation you linked and noted that it has information about configuring the email to be sent by Okta and received by FusionAuth without using a lambda:

You can also instruct Okta to send over another attribute in the AuthN Response of email. Under the Name field enter email, for Name format leave as Unspecified, and finally for Value enter user.email.

You can tell FusionAuth how to find and use this persistent userId by modifying your newly created SAML IdP Initiated Provider in FusionAuth under the Options tab. Here you will add the value userId to the Unique Id claim field. Additionally, on the same tab, you can instruct FusionAuth where to find the email claim by filling in the Email claim with the value email. Depending on your Okta configuration, you can optionally indicate Use NameID for email instead.

Did those instructions not work for you?

A lambda is a great way of getting information from SAML responses, but is a bit more complex than the configuration above, so I'd rather not change the documentation unless it didn't work.

[mooreds]

@tomcatling-faculty any feedback on this?

[andrewpai]

Closing this issue. Please re-open if you think there is an unaddressed issue here @tomcatling-faculty.