User Attribute Profile with Self-Service SSO is currently in Early Access for B2B Professional and B2B Enterprise customers. By using this feature, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement. To learn more about Auth0 release stages, read Product Release Stages.
The User Attribute Profile (UAP) provides a consistent way to define, manage, and map user attributes across protocols such as SCIM, SAML, and OIDC. UAP with Self-Service SSO gives administrators greater control over user identity data by defining user attributes and applying the profile across authentication protocols.

How it works

  • Profile Definition: An administrator creates a User Attribute Profile to define attributes, including:
    • How to display attributes
    • How to make attributes required
    • How attributes map to Auth0 and external identity systems
  • Flexible Scope: Profiles are linked to Self-Service SSO flows but are designed for provisioning, onboarding, and entitlement management.
  • Unified Mapping Layer: Each attribute supports mappings across authentication protocols with the option to override values for specific providers or connection strategies, such as Okta and Entra ID.

Attribute mapping and override

UAP supports multi-protocol attribute definitions and strategy overrides for provider-specific needs.

Attribute mapping

| Protocol | Description |
| --- | --- |
| Auth0 Mapping | Canonical attribute stored in Auth0 (email, name, app_metadata.department). |
| OIDC Mapping | Standard OIDC claims (sub, preferred_username, zoneinfo). To learn more about OIDC standard claims, read Standard Claims. |
| SAML Mapping | Supports one or more assertion URIs (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress). |
| SCIM Mapping | Provisioning attributes (name.familyName, addresses[type eq "work"].country). |

Strategy overrides

Some providers use non-standard mappings. UAP allows overrides:

| Protocol | Description |
| --- | --- |
| SAML | Map userName instead of externalId. |
| WAAD (Entra ID) | Use oid as the OIDC identifier. |
| Okta | Map attributes such as middleName or federated_groups using Okta-specific claims. |

User ID

The user_id property defines how to map OIDC claims, SAML attributes, or SCIM attributes to the Auth0 user ID. Every Auth0 user must have an ID, so this mapping is required.
  • For OIDC, the choices are rigid (typically sub, or oid for Azure AD, or email for Google).
  • For SAML and SCIM, the mapping is more flexible and can point to multiple possible attributes.

User attributes

The user_attributes property contains mapping information that allows the system to interpret incoming claims from the IdP and store them as Auth0 user profile attributes. Each attribute must be provided as a key/value pair:
  • The key corresponds to the attribute name.
  • The value is an object with:
    • label
    • description
    • profile_required
    • auth0_mapping
    • saml_mapping
    • scim_mapping
    • oidc_mapping: an object with properties:
      • mapping: represents the incoming claim from the IdP (literal value, dynamic context object, or both using ${variable} syntax supporting the context object)
      • display_name: the label shown to end users in self-service flows

Strategy overrides

The strategy_overrides property allows you to specify exceptions for individual identity providers (IdPs), since not all IdPs expose the same identifiers or claims. Each override defines protocol-specific mappings that replace the defaults defined in user_id or user_attributes.

Examples

User identifier

"user_id": {
  "oidc_mapping": "sub",
  "saml_mapping": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "scim_mapping": "externalId",
  "strategy_overrides": {
    "waad": {
      "oidc_mapping": "oid"
    },
    "samlp": {
      "scim_mapping": "userName"
    },
    "google-apps": {
      "oidc_mapping": "email"
    }
  }
},
  • Default identifier: externalId via SCIM.
  • SAML: Multiple identifier URIs supported.
  • OIDC: Uses sub.
  • Overrides: SAML and WAAD customize mappings.

Email attribute

"email": {
  "description": "Email",
  "label": "Email",
  "profile_required": true,
  "auth0_mapping": "email",
  "scim_mapping": "emails[primary eq true].value",
  "oidc_mapping": {
    "mapping": "${context.tokenset.email}",
    "display_name": "email"
  },
  "saml_mapping": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ],
  "strategy_overrides": {
    "waad": {
      "scim_mapping": "emails[type eq \"work\"].value"
    }
  }
}
  • Suggested for most profiles.
  • Unified across Auth0, OIDC, SAML and SCIM.
  • WAAD override ensures correct mapping to work emails.
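
The effect of strategy_overrides on the two definitions above can be checked with a small resolver. This is an added example, not Auth0 code: the function names effective and overridden are hypothetical, "okta" stands in for any strategy with no override in this profile, and it assumes an override replaces only the protocol keys it names while the other defaults stay in place.

```python
import json

# Constructed input: the user_id and email definitions from the examples above.
PROFILE = json.loads(r'''{
  "user_id": {
    "oidc_mapping": "sub",
    "saml_mapping": [
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"],
    "scim_mapping": "externalId",
    "strategy_overrides": {
      "waad": {"oidc_mapping": "oid"},
      "samlp": {"scim_mapping": "userName"},
      "google-apps": {"oidc_mapping": "email"}}
  },
  "user_attributes": {
    "email": {
      "profile_required": true,
      "auth0_mapping": "email",
      "scim_mapping": "emails[primary eq true].value",
      "oidc_mapping": {"mapping": "${context.tokenset.email}", "display_name": "email"},
      "saml_mapping": ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"],
      "strategy_overrides": {"waad": {"scim_mapping": "emails[type eq \"work\"].value"}}
    }
  }
}''')

PROTOCOLS = ("oidc_mapping", "saml_mapping", "scim_mapping")

def effective(definition, strategy):
    """Default protocol mappings with the strategy's overrides replacing them."""
    merged = {p: definition[p] for p in PROTOCOLS if p in definition}
    merged.update(definition.get("strategy_overrides", {}).get(strategy, {}))
    return merged

def overridden(profile, strategy):
    """List (attribute, protocol, default, effective) for every mapping the strategy changes."""
    entries = {"user_id": profile["user_id"], **profile["user_attributes"]}
    changes = []
    for name, definition in entries.items():
        for protocol, value in effective(definition, strategy).items():
            if definition.get(protocol) != value:
                changes.append((name, protocol, definition.get(protocol), value))
    return changes

if __name__ == "__main__":
    for strategy in ("okta", "waad", "samlp", "google-apps"):
        print(strategy, effective(PROFILE["user_id"], strategy), overridden(PROFILE, strategy))
```

Running overridden for each connection strategy before a profile goes live shows which claim becomes the Auth0 user ID for that provider, which is the mapping most worth reviewing.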

Create a User Attribute Profile

You can define a UAP through Self-Service SSO using the Auth0 Dashboard or the Management API. Currently, it can be configured through the Self-Service SSO experience.
Auth0 Dashboard:
  1. Navigate to Authentication > Enterprise > Self-Service SSO.
  2. Select +Create Profile.
  3. Provide a Name and optional Description for the new profile.
  4. Add a User Attribute Profile entry by either selecting an existing profile or choosing +Create New.
    • For a new profile, provide a User Profile Attribute Name.
    • Review mappings to ensure the profile attributes map to your preferred Auth0 attributes.
  5. Choose Create.
Your new UAP is available to configure for SSO.

References

APIs

To manage User Attribute Profiles, the following Management API endpoints are available:
  • POST /api/v2/user-attribute-profiles
  • GET /api/v2/user-attribute-profiles
  • PATCH /api/v2/user-attribute-profiles/{id}
  • GET /api/v2/user-attribute-profiles/{id}
  • GET /api/v2/user-attribute-profiles/templates
  • GET /api/v2/user-attribute-profiles/templates/{id}
