When registration is updated ?

  • I need to get groups of user from my SAML Response, and set it in my JWT token. But my lambda SAML reconcile function is not called for each login process. Is it normal ?

  • Hmmm. I haven't heard of that behavior before.

    A few more questions:

    • What version of FusionAuth are you running?
    • Have you enabled SAML debugging? Is there anything in the event log that might be useful? System -> Event Log in the admin UI will show extra debugging.
    • Can you share your lambda SAML reconcile function code?

    To do this in general, that should be possible with custom data. Reconcile the groups and other info, store it in the user.data and then extract it in the JWT populate lambda.


    PS @didier-rano , welcome to the FusionAuth community!

  • FusionAuth version: 1.24.0

    In saml response debug, I can see one group:
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">

    My saml reconcile lambda:

    function reconcile(user, registration, samlResponse) {
    // as default and add
    user.data = user.data || {};
     user.data.groups = defaultIfNull(samlResponse, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups', 'groups') || [];  
     registration.data = registration.data || {};  
     registration.data.groups = defaultIfNull(samlResponse, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups', 'groups') || [];

    My jwt populate lambda:

    function populate(jwt, user, registration) {
      jwt.groups = registration.data.groups;

    Finally my jwt.groups is empty, and registration.data is empty (user.data is empty too).

    Thanks Dan

  • Hmmm.

    What is defaultIfNull? I'm not familiar with that function.

    Can you save other information to the user.data field (like a test string) in the reconcile lambda and have it read in the populate jwt lambda?

    What does logging defaultIfNull(samlResponse, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups', 'groups') reveal?

  • Reconcile function comes with default implementation, defaultIfNull is defined in it:

      var getAttribute = function(samlResponse, attribute) {
        var values = samlResponse.assertion.attributes[attribute];
        if (values && values.length > 0) {
          return values[0];
        return null;
      // Retrieve an attribute from the samlResponse
      // - Arguments [2 .. ] provide a preferred order of attribute names to lookup the value in the response.
      var defaultIfNull = function(samlResponse) {
        for (var i=1; i < arguments.length; i++) {
          var value = getAttribute(samlResponse, arguments[i]);
          if (value !== null) {
            return value;

    In this lambda, I added a fixed value in user.data.fixed and same in registration.data.fixed. But jwt populate lambda cannot see this value.

    In fact, I can see log event for jwt populate lambda, but not log event for SAML v2 IdP Response Debug Log. It looks like that my user is registered one time only.

  • Capture.JPG

  • Hmmm....

    What SAML IdP are you trying to integrate with?

  • With Azure AD

  • Is there a reason you can't use OIDC + Azure AD? https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/azure-ad/ is pretty thorough.

  • With Azure AD, creating an application registration is the way to integrate a custom application (built by customers) in Azure AD. The way to integrate a SaaS is better using an Enterprise Application then SAML.
    In screen shot, you can see some existing integrations with apps using Enterprise Application integration.
    Moreover, sharing a client secret could be problematic for some customers.


  • Do you know if some of fusionauth users are using Enterprise Application approach with OpenID Connect ?

  • @didier-rano

    It looks like there are two issues.

    The first is that the SAML login lambda runs after the JWT populate lambda (or at the least the order is indeterminate) so your groups aren't being propagated, at least for Azure AD. More concerning to me is the fact that you are only seeing one SAML reconciliation for your user. I would expect that lambda to run every time the user logs in.

    These feel like issues to raise on our issues repo, preferably with reproduction steps. I have been trying to find time to replicate it and file the issue, but if you can, that'd be very helpful.

    The second is whether we support Enterprise Applications. I don't know if any of the community is using that particular feature. That does make sense why you are not interested in OIDC, however. Do you have a link for the Azure docs on this so I could learn more (I googled for them, but wasn't able to find anything relevant).

Log in to reply

Looks like your connection to FusionAuth Forum was lost, please wait while we try to reconnect.