AuthHub SAML - Minimum required claims to allow for successful migration and sign in

Article ID: 376022

Products

CloudHealth

Issue/Introduction

As part of the migration from Auth0 to AuthHub, your SAML application must now publish a minimum set of claims (assertion attributes) for migration and sign-in to succeed.

The minimum required claims are:

  • email
  • name
  • roles

If any of these claims is missing, sign-in fails with one of the following errors (the second and third both mean that AuthHub could not extract its configured subject claim, email, from the SAMLResponse):

  • Sorry, we are unable to log you in at this time.

  • https://apps.cloudhealthtech.com/auth/authhub/callback?error=INVALID_REQUEST&error_description=The attribute corresponding to configured idpTokenSubjectClaim in the Identity Provider configuration is either not present in the assertion/token received from the provider or its value cannot be extracted

  • https://support.broadcom.com/web/ecx/permission-denied?error=INVALID_REQUEST&error_description=Value%20of%20Identity%20Subject%20Claim:%20%27email%27%20could%20not%20be%20fetched%20from%20SAMLResponse

Resolution

Review the attribute (claim) configuration of your SAML application and ensure all three claims listed above are published in the assertion before migrating to AuthHub SAML.

Under the previous provider, Auth0, the assertion's "NameID" (shown as "Unique User Identifier (Name ID)" in some identity providers) could be used in place of an "email" claim. AuthHub does not fall back to the NameID: an attribute named "email" must be present in the assertion.

Additionally, a claim named "emailaddress" cannot be used in place of "email"; any "emailaddress" claim rule must be renamed to "email".

Finally, in all cases the claim names must not be namespaced: the Name of each attribute in the assertion must be exactly "email", "name" or "roles", with no namespace prefix (for example the default Azure AD prefix http://schemas.xmlsoap.org/ws/2005/05/identity/claims/). Where this is configured depends on the identity provider:

  • Within Azure AD (Entra ID) the namespace is set at a per-claim level: open each claim under Attributes & Claims and leave its Namespace field empty.

  • Within Okta the namespace is controlled by the attribute's "Name format", which must be set to "Unspecified".
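To confirm what your identity provider actually sends before switching over, the following Python script (an added example, not Broadcom or CloudHealth code) decodes a SAMLResponse and checks its AttributeStatement against the rules above: each of email, name and roles must be present under exactly that name, not namespaced, not called "emailaddress", and not published with a NameFormat other than unspecified. The two sample responses, the issuer URL and the role values are constructed for illustration; capture the real SAMLResponse (the form field your browser POSTs to the callback URL) from your browser's developer tools and pass that in instead.

```python
"""Check a SAML 2.0 response for the minimum claims AuthHub requires.

Added diagnostic (not Broadcom/CloudHealth code). It reports attributes that
are missing, namespaced, named "emailaddress" instead of "email", or sent with
a NameFormat other than "unspecified". It does NOT validate the signature;
use it only on a response you captured yourself.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REQUIRED_CLAIMS = ("email", "name", "roles")
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"


def load_response(saml_response):
    """Parse raw XML, or the base64 SAMLResponse value as POSTed to the callback URL."""
    if isinstance(saml_response, str):
        saml_response = saml_response.strip()
        if not saml_response.startswith("<"):
            saml_response = base64.b64decode(saml_response)
    return ET.fromstring(saml_response)


def extract_attributes(root):
    """Map each Attribute Name in the AttributeStatement to (NameFormat, [values])."""
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = (attr.get("NameFormat"), values)
    return attrs


def check_required_claims(saml_response):
    """Return a list of problems; an empty list means the minimum claims are met."""
    attrs = extract_attributes(load_response(saml_response))
    problems = []
    for claim in REQUIRED_CLAIMS:
        # "emailaddress" is recognised only as a near miss to report, never as a match.
        accepted = {claim, "emailaddress"} if claim == "email" else {claim}
        candidates = [n for n in attrs if n.rsplit("/", 1)[-1].lower() in accepted]
        if not candidates:
            problems.append(f"required claim '{claim}' is missing from the assertion")
            continue
        for name in candidates:
            name_format, values = attrs[name]
            if "/" in name:
                problems.append(f"'{name}' is namespaced; the Name must be exactly '{claim}'")
            elif name != claim:
                problems.append(f"'{name}' must be renamed to '{claim}'")
            elif not any(values):
                problems.append(f"'{claim}' is present but has no value")
            elif name_format and name_format != UNSPECIFIED:
                problems.append(f"'{claim}' uses NameFormat {name_format}; set it to Unspecified")
    return problems


def _wrap(attribute_statement_xml):
    """Wrap attributes in a minimal, unsigned SAMLResponse envelope (constructed test data)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>{attribute_statement_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed: Azure AD-style assertion with default namespaced claims and no "roles".
BAD_RESPONSE = _wrap("""
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>Alice Example</saml:AttributeValue>
      </saml:Attribute>""")

# Constructed: assertion that meets the minimum (role values are hypothetical).
GOOD_RESPONSE = _wrap(f"""
      <saml:Attribute Name="email" NameFormat="{UNSPECIFIED}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="name" NameFormat="{UNSPECIFIED}">
        <saml:AttributeValue>Alice Example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="roles" NameFormat="{UNSPECIFIED}">
        <saml:AttributeValue>Administrator</saml:AttributeValue>
        <saml:AttributeValue>Viewer</saml:AttributeValue>
      </saml:Attribute>""")

# The browser POSTs the response base64-encoded in the SAMLResponse form field.
GOOD_RESPONSE_B64 = base64.b64encode(GOOD_RESPONSE.encode()).decode()

if __name__ == "__main__":
    for label, resp in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE_B64)):
        print(label, check_required_claims(resp) or "OK")
```

The namespace test is deliberately simple: a "/" anywhere in the attribute Name means a URI prefix was prepended, which is exactly what AuthHub rejects. Run it against a captured response from each identity provider you federate with; an empty list means the attributes meet the requirements above, while each reported line names the claim to rename or the IdP setting to change.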