
Test scenarios and setup for testing SSO using Auth0 as an IdP

See also tickets

  • DRYD-1518
  • DRYD-1683

Basic Setup Instructions

  1. Go to https://auth0.com/

  2. Click the Sign up button

  3. Create an account

  4. In the sidebar, click Applications/Applications

  5. Click Create Application

    • Name: CollectionSpace

    • Application type: Regular Web Applications

  6. Click the Settings tab

  7. In Allowed Callback URLs, enter https://{cspace server}/cspace-services/login/saml2/sso/{your name}-auth0 (replace {cspace server} with the server that is going to use this IdP, and {your name} with some version of your name that has no spaces)

  8. Click the Save Changes button

  9. Click the Addons tab

  10. Turn on SAML2 WEB APP

  11. Click the Settings tab in the pop-up that appears

  12. Make note of the Identity Provider Metadata URL

  13. Click the Enable button

  14. Ask hosting to add the following SSO relying party configuration to the CSpace server you referenced in step 7 (replacing the stuff inside curly braces with appropriate values):

    Code Block
        <relying-party id="{your name}-auth0">
            <name>{your name}'s Auth0</name>
            <icon location="https://cdn.auth0.com/manhattan/versions/1.5422.0/assets/badge.png" />
            <metadata location="{metadata url from step 12}" />
        </relying-party>

    Note that the id above must be the same as the last path element of the URL you entered in step 7.

  15. Wait for the CSpace server to be redeployed and restarted

SAML log in with your IdP should now work. To verify:

  1. Log in to CSpace as an admin user

  2. Create a user in CSpace, and note the username/email

  3. Log out

  4. Log in, selecting Continue with {your name}'s Auth0

  5. The Auth0 log in screen appears. Click the Sign Up link to register a new Auth0 user, using the email from step 2.

You should be logged in as the user you created in step 2.

Useful for further testing:

To log out of the Auth0 account:

  1. In the Auth0 sidebar, click on Applications/Applications

  2. Click on the CollectionSpace application

  3. Note the content of the Domain field

  4. Visit https://{domain}/v2/logout to log out

To change the email of an Auth0 user:

  1. In the Auth0 sidebar, click on User Management/Users

  2. Click on the user to edit

  3. Click on the Actions button, then Change email

  4. Enter the new email

  5. Click the Save button

The test scenarios below specify additional configuration settings for the Auth0 IdP.

Configuration Scenario 1

Scenario Description

Email address used for both username and sso-id, both asserted via attribute in IdP authentication response

CSpace User Setup

Create a user on CSpace with the email testconfig1@example.com

Relevant SAML Config on CSpace Server

Code Block
<assertion-username-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-sso-id-probes>

Relevant Auth0 IDP Metadata excerpt

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig1@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is not found and login fails

Configuration Scenario 2

Scenario Description

Email address used for both username and sso-id, with username asserted via attribute and sso-id via name-id in IdP authentication response

Precondition

Create a user on CSpace with the email testconfig2@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  }
}

Relevant SAML Config on CSpace Server

(Note the use of the name attribute for the username because Auth0 will drop the emailaddress attribute in this configuration since email is being used as the nameidentifier.)

Code Block
<assertion-username-probes>
  <attribute name="http://schemas.auth0.com/name" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <name-id/>
</assertion-sso-id-probes>

Relevant Auth0 IDP Metadata excerpt

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig2@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:29:08.526Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

<saml:Attribute Name="http://schemas.auth0.com/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig2@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is not found and login fails

Configuration Scenario 3

Scenario Description

Email address used for both username and sso-id, with username asserted via name-id and sso-id via attribute in IdP authentication response

Precondition

Create a user on CSpace with the email testconfig3@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  }
}

Relevant SAML Config on CSpace Server

(Note the use of the name attribute for the sso-id because Auth0 will drop the emailaddress attribute in this configuration since email is being used as the nameidentifier.)

Code Block
<assertion-username-probes>
  <name-id/>
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.auth0.com/name" />
</assertion-sso-id-probes>

Relevant Auth0 IDP Metadata excerpt

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig3@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:29:08.526Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

<saml:Attribute Name="http://schemas.auth0.com/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig3@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is not found and login fails

Configuration Scenario 4

Scenario Description

Email address used for both username and sso-id, with both asserted via name-id in IdP authentication response

Precondition

Create a user on CSpace with the email testconfig4@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  }
}

Relevant SAML Config on CSpace Server

Code Block
<assertion-username-probes>
  <name-id/>
</assertion-username-probes>
<assertion-sso-id-probes>
  <name-id/>
</assertion-sso-id-probes>

Relevant IDP Metadata excerpt

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig4@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:29:08.526Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

<saml:Attribute Name="http://schemas.auth0.com/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig4@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is not found and login fails

Configuration Scenario 5

Scenario Description

Email address asserted as username, other id asserted as sso-id, with each being asserted in a different attribute

Precondition

Create a user on CSpace with the email testconfig5@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  }
}

Relevant SAML Config on CSpace Server

Code Block
<assertion-username-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.auth0.com/identifier" />
</assertion-sso-id-probes>

Relevant IDP Metadata excerpt

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig5@example.com</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="http://schemas.auth0.com/identifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">auth0|6729603aba7c0c3e1bdf28d5</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is found and login succeeds (because the attribute that is used for sso-id hasn't changed)

Configuration Scenario 6

THIS IS THE MOST LIKELY IDP SETUP

Scenario Description

Email address asserted as username, other id asserted as sso-id, with username being asserted in an attribute and sso-id in the name-id

Precondition

Create a user on CSpace with the email testconfig6@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  }
}

Relevant SAML Config on CSpace Server

Code Block
<assertion-username-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <name-id/>
</assertion-sso-id-probes>

Relevant IDP Metadata excerpts

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">auth0|6729603aba7c0c3e1bdf28d5</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:50:42.934Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig6@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is found and login succeeds (because the name identifier in the subject that is being used for sso-id hasn't changed)

Configuration Scenario 7

Scenario Description

Email address asserted as username, other id asserted as sso-id, with username being asserted in the name-id and sso-id in an attribute

Precondition

Create a user on CSpace with the email testconfig7@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  }
}

Relevant SAML Config on CSpace Server

(Note the use of the identifier attribute for sso-id.)

Code Block
<assertion-username-probes>
  <name-id/>
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.auth0.com/identifier" />
</assertion-sso-id-probes>

Relevant IDP Metadata excerpts

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig7@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T02:06:46.509Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

<saml:Attribute Name="http://schemas.auth0.com/identifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">auth0|6729603aba7c0c3e1bdf28d5</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is found and login succeeds (because the value of the identifier attribute used for sso-id hasn't changed)

Configuration Scenario 8

Mimics 8.0 functionality in 8.1

Scenario Description

Email address asserted as username, null value asserted as sso-id, with each being asserted as a different attribute

Precondition

Create a user on CSpace with the email testconfig8@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  }
}

Relevant SAML Config on CSpace Server

Code Block
<assertion-username-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.auth0.com/nonexistent" />
</assertion-sso-id-probes>

Relevant IDP Metadata excerpts

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig8@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is found and login fails

Configuration Scenario 9

Mimics 8.0 functionality in 8.1

Scenario Description

Email address asserted as username, null value asserted as sso-id, with username being asserted in name-id and sso-id in an attribute

Precondition

Create a user on CSpace with the email testconfig9@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  }
}

Relevant SAML Config on CSpace Server

Code Block
<assertion-username-probes>
  <name-id/>
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.auth0.com/nonexistent" />
</assertion-sso-id-probes>

Relevant IDP Metadata excerpts

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig9@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T02:06:46.509Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is found and login fails

Configuration Scenario 10

Mimics 8.0 functionality in 8.1 - SUCCESS SEQUENCE

Scenario Description

Email address asserted as username, null value asserted as sso-id, with subsequent specification of a valid sso-id to enable subsequent login after email change.

Precondition

Create a user on CSpace with the email testconfig10@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  }
}

Relevant SAML Config on CSpace Server (Step 1)

Code Block
<assertion-username-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.auth0.com/nonexistent" />
</assertion-sso-id-probes>

Relevant IDP Metadata excerpts (Step 1)

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig10@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Relevant SAML Config on CSpace Server (Step 2)

Code Block
<assertion-username-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <name-id/>
</assertion-sso-id-probes>

Relevant IDP Metadata excerpts (Step 2)

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">auth0|6729603aba7c0c3e1bdf28d5</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:50:42.934Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig10@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior after SAML config change

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP after SAML config change

User is found and login succeeds

Configuration Scenario 11

Scenario Description

Using untyped Attributes. Email address asserted as username, other id asserted as sso-id, with each being asserted in a different attribute

Precondition

Create a user on CSpace with the email testconfig5@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  }
}

Auth0 Additional Settings

typedAttributes: false (Verify this by using the debug output option in Auth0 and confirm that the attributes are in fact untyped, as in the excerpt below.)

Relevant SAML Config on CSpace Server

Code Block
<assertion-username-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.auth0.com/identifier" />
</assertion-sso-id-probes>

Relevant IDP Metadata excerpt

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue>testconfig5@example.com</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="http://schemas.auth0.com/identifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue>auth0|6729603aba7c0c3e1bdf28d5</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is found and login succeeds (because the attribute that is used for sso-id hasn't changed)
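The script below is an added example, not CollectionSpace or Auth0 code. It models the ordered probe lists from the assertion-username-probes and assertion-sso-id-probes blocks in the scenarios above, resolves them against constructed Auth0-style assertions (name-id, typed and untyped attribute values, and a nonexistent attribute), and replays the "log in, change the email at the IdP, log in again" sequence, including the two-step success sequence of scenario 10. The toy user directory and its lookup-and-bind policy (UserStore.login), the constructed user_id auth0|000000000000000000000000, and the addresses testconfig@example.com and renamed@example.com are assumptions made for illustration; none of it is CSpace's actual lookup logic.

```python
import xml.etree.ElementTree as ET

# Added example, not CollectionSpace or Auth0 code. Models the ordered probe
# lists from the <assertion-username-probes> / <assertion-sso-id-probes> blocks
# on this page and replays "log in, change the email at the IdP, log in again".
# The directory and its lookup/binding policy (UserStore) are assumptions.

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
IDENTIFIER_CLAIM = "http://schemas.auth0.com/identifier"
NONEXISTENT_CLAIM = "http://schemas.auth0.com/nonexistent"
STABLE_ID = "auth0|000000000000000000000000"  # constructed Auth0 user_id

NAME_ID = ("name-id",)  # mirrors <name-id/>


def attribute(claim):  # mirrors <attribute name="..."/>
    return ("attribute", claim)


def build_assertion(email, name_id_source="user_id", typed=True):
    """Constructed assertion shaped like the Auth0 excerpts on this page.
    name_id_source mirrors the Auth0 mapping to nameidentifier: "email" or "user_id".
    typed=False omits xsi:type, as Auth0 does with typedAttributes: false."""
    name_id = email if name_id_source == "email" else STABLE_ID
    xsi_type = ' xsi:type="xs:string"' if typed else ""
    attrs = "".join(
        f'<saml:Attribute Name="{name}" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
        f"<saml:AttributeValue{xsi_type}>{value}</saml:AttributeValue></saml:Attribute>"
        for name, value in {EMAIL_CLAIM: email, IDENTIFIER_CLAIM: STABLE_ID}.items()
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:xs="http://www.w3.org/2001/XMLSchema" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<saml:Subject>"
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        f"{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>"
    )


def resolve(assertion_xml, probes):
    """First non-empty value the probes yield, in order; None when none match.
    Values are read as element text, so typed and untyped attributes both work."""
    root = ET.fromstring(assertion_xml)
    for probe in probes:
        if probe == NAME_ID:
            node = root.find("saml:Subject/saml:NameID", NS)
        else:
            node = next((a.find("saml:AttributeValue", NS)
                         for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)
                         if a.get("Name") == probe[1]), None)
        if node is not None and node.text:
            return node.text
    return None


class UserStore:
    """Toy directory: users keyed by username (the email) with an sso-id that is
    bound on first SSO login. Assumed policy: match a bound sso-id, else username."""

    def __init__(self, usernames):
        self.users = {u: {"username": u, "sso_id": None} for u in usernames}

    def login(self, assertion_xml, username_probes, sso_id_probes):
        username = resolve(assertion_xml, username_probes)
        sso_id = resolve(assertion_xml, sso_id_probes)
        user = None
        if sso_id is not None:
            user = next((u for u in self.users.values() if u["sso_id"] == sso_id), None)
        if user is None and username is not None:
            user = self.users.get(username)
        if user is None:
            return False
        if sso_id is not None and user["sso_id"] is None:
            user["sso_id"] = sso_id  # remember the id the IdP asserted
        return True


def run_scenario(username_probes, sso_id_probes, name_id_source="user_id", typed=True):
    """Log in, change the email at the IdP, log in again.
    Returns (first_login_ok, login_after_email_change_ok)."""
    store = UserStore(["testconfig@example.com"])  # constructed CSpace user
    before = build_assertion("testconfig@example.com", name_id_source, typed)
    after = build_assertion("renamed@example.com", name_id_source, typed)
    return (store.login(before, username_probes, sso_id_probes),
            store.login(after, username_probes, sso_id_probes))


def run_success_sequence():
    """Scenario 10 shape: null sso-id first, switch the sso-id probe to name-id
    while the email is unchanged, then change the email. Returns the three results."""
    store = UserStore(["testconfig@example.com"])
    same, renamed = build_assertion("testconfig@example.com"), build_assertion("renamed@example.com")
    return (store.login(same, [attribute(EMAIL_CLAIM)], [attribute(NONEXISTENT_CLAIM)]),
            store.login(same, [attribute(EMAIL_CLAIM)], [NAME_ID]),
            store.login(renamed, [attribute(EMAIL_CLAIM)], [NAME_ID]))


if __name__ == "__main__":
    email, ident = attribute(EMAIL_CLAIM), attribute(IDENTIFIER_CLAIM)
    print("scenario 1  email attr / email attr       ", run_scenario([email], [email]))
    print("scenario 4  name-id / name-id (email)     ", run_scenario([NAME_ID], [NAME_ID], "email"))
    print("scenario 5  email attr / identifier attr  ", run_scenario([email], [ident]))
    print("scenario 6  email attr / name-id (user_id)", run_scenario([email], [NAME_ID]))
    print("scenario 8  email attr / nonexistent attr ", run_scenario([email], [attribute(NONEXISTENT_CLAIM)]))
    print("scenario 11 untyped attributes            ", run_scenario([email], [ident], typed=False))
    print("scenario 10 success sequence              ", run_success_sequence())
```

Run it directly and each line prints the pair of results for one scenario shape. The pattern it reproduces is the one the scenarios above record: an sso-id derived from the email (scenarios 1 to 4), or no sso-id at all (scenarios 8 and 9), stops working as soon as the email changes at the IdP, while an sso-id taken from the Auth0 user_id, whether delivered in the name-id (scenario 6) or in the identifier attribute (scenarios 5, 7 and 11), survives the change; scenario 10 shows that the stable id must be bound before the email changes.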