FusionAuth

Get user email in claims with saml

General Discussion
bartetlau, 16 Apr 2025, 16:40

    Hi,

    I'm using FusionAuth with SAML and Azure AD.
    In my .NET project, I use the oauth2/token API to get a token with the code given by the redirect URL in the front end.
    In this token I have claims, but I would like to have the userEmail from Azure AD.
    How do I do that, please?

mark.robustelli @bartetlau, 17 Apr 2025, 15:30

      @bartetlau Have you had a chance to check out FusionAuth Lambdas? Specifically, SAML v2 Populate Lambda? Does that get you what you need?

laurent.bartet, 22 Apr 2025, 14:55

        Hi,

        Thank you for your reply,

        I created a very simple lambda:

        // Using the samlResponse, reconcile the User and User Registration.
        function reconcile(user, registration, samlResponse) {
          // Only visible in the event log when Debug is enabled on the lambda.
          console.debug("Lambda Start");
          // Make sure the free-form data map exists before writing to it.
          user.data = user.data || {};
          user.data.country = "France";
          console.log('Lambda finish!');
        }

        It is assigned to the right identity, but in the end user.data is empty and I have no log events or debug events.
        I don't know if it's running.

        Thanks,

mark.robustelli @laurent.bartet, 22 Apr 2025, 18:33

          @laurent-bartet

          What kind of Lambda did you create? Did you assign the Lambda to the application?

          If it was SAML v2 Populate, then make sure it is assigned to your application.

          Applications -> {Your Application} -> SAML tab -> Authentication response -> Populate Lambda -> {Choose the lambda you created}

          Also make sure you have Debug enabled set on the Lambda.

          Let me know if this helps.

laurent.bartet @mark.robustelli, 23 Apr 2025, 08:02

            @mark-robustelli

            It's a Reconcile lambda assigned to a SAML identity provider, but I have nothing in the event log; Debug mode is activated.
            You can see my screenshots.
            [screenshots attached: Screenshot_1.png, Screenshot_3.png, Screenshot_4.png, Screenshot_5.png]

mark.robustelli @laurent.bartet, 23 Apr 2025, 15:13

              @laurent-bartet Since it is a SAML reconcile lambda, do you have it assigned to the Identity Provider?

              Settings -> Identity Providers -> {Your SAML v2 Identity Provider} -> Edit -> Reconcile Lambda

              [screenshot attached: Screenshot 2025-04-23 at 8.08.28 AM.png]

laurent.bartet, 24 Apr 2025, 07:56

                Yes, it was assigned to a SAML identity provider:

                [screenshot attached: d5531a4b-f291-4d82-9cbf-02e9452787a1-image.png]

mark.robustelli @laurent.bartet, 30 days ago

                  @laurent-bartet Hmm, since the lambda seems to be set up correctly but appears not to be hit, let's take a step back and look at the configuration. Can you tell me a little more about that? What identity providers are you using, and how are they configured? I read that you are using SAML, but it appears in the log that you are using OAuth2. If you are using OAuth2, you might be able to use a JWT populate lambda in that case, but I would like to know more about your setup.

laurent.bartet @mark.robustelli, 29 days ago
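To make the two lambda types discussed in this thread concrete (the SAML v2 reconcile lambda from the earlier post, and the JWT populate lambda suggested above), here is an added example. It is not code from this thread or from FusionAuth itself. It assumes the objects FusionAuth hands to these lambdas: samlResponse.assertion.attributes as a map of attribute name to an array of string values, plus the user, registration and jwt objects; the attribute name is the standard Azure AD SAML claim URI for e-mail address, and the claim name idp_email and the data key idpEmail are choices made here, not FusionAuth conventions.

```javascript
// Added example, not code from this thread or from FusionAuth itself.
// Assumes the objects FusionAuth passes to these lambdas: `samlResponse.assertion.attributes`
// (attribute name -> array of string values), `user`, `registration` and `jwt`.
// EMAIL_ATTRIBUTE is the standard Azure AD SAML claim URI for e-mail address.
var EMAIL_ATTRIBUTE = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress';

// Loose shape check: exactly one '@', no whitespace. Enough to reject junk, not a full validator.
var EMAIL_SHAPE = /^[^\s@]+@[^\s@]+$/;

// Return the first value of a SAML attribute, or null when it is absent or empty.
function firstAttribute(samlResponse, name) {
  var attrs = samlResponse && samlResponse.assertion && samlResponse.assertion.attributes;
  if (!attrs || !attrs[name] || attrs[name].length === 0) {
    return null;
  }
  return String(attrs[name][0]).trim();
}

// SAML v2 reconcile lambda: FusionAuth (acting as the SP) calls this while consuming the IdP assertion.
// The value is stored under user.data rather than written to user.email, so a missing, malformed
// or unexpected attribute cannot re-link the account to a different login identity; promote it to
// user.email only if the IdP is authoritative for that identity.
function reconcile(user, registration, samlResponse) {
  console.debug('reconcile: start'); // visible in the event log only with Debug enabled on the lambda
  user.data = user.data || {};
  var email = firstAttribute(samlResponse, EMAIL_ATTRIBUTE);
  if (email !== null && EMAIL_SHAPE.test(email)) {
    user.data.idpEmail = email.toLowerCase();
  } else {
    // Missing or malformed attribute: leave whatever is already on the user untouched.
    console.log('reconcile: email attribute missing or malformed; user.data unchanged');
  }
  console.debug('reconcile: finish');
}

// JWT populate lambda: copies the reconciled value into the token claims, which is the step
// that puts the e-mail where the original question wanted it. Assigned per application.
function populate(jwt, user, registration) {
  if (user.data && user.data.idpEmail) {
    jwt.idp_email = user.data.idpEmail; // claim name chosen for this example
  }
}

// Local harness with a constructed assertion (not a real Azure AD response), so the two
// functions can be exercised in Node before being pasted into FusionAuth as lambdas.
function demo() {
  var samlResponse = {
    assertion: {
      attributes: {
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': ['Alice@Example.com']
      }
    }
  };
  var user = { email: 'alice@example.com', data: {} };
  var jwt = {};
  reconcile(user, {}, samlResponse);
  populate(jwt, user, {});
  return { user: user, jwt: jwt };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with node to see the reconciled user and the resulting claim. In FusionAuth the reconcile function goes into a SAML v2 Reconcile lambda attached to the identity provider, and the populate function into a JWT Populate lambda attached to the application; the console.debug lines only appear in the event log when Debug is enabled on the lambda, which is also the quickest way to confirm that a lambda is actually being invoked.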

                    @mark-robustelli
                    Hi,

                    I found my problem: I had to use the FusionAuth logout first.
                    Now everything is OK.
                    Thank you for your help!

mark.robustelli @laurent.bartet, 29 days ago

                      @laurent-bartet Awesome! So it sounds like you had things set up right; you just were not logged out, so when you went back, the reconcile event never took place because you were already logged in. Is that right?
