Email is empty (EMAIL-spblu)
Somehow I cannot connect to ZITADEL after the Microsoft Entra ID redirection.
At this endpoint, https://{{SELF_HOST}}/ui/login/login/externalidp/saml/acs, we are able to receive this data:
- http://schemas.microsoft.com/identity/claims/tenantid
- http://schemas.microsoft.com/identity/claims/objectidentifier
- http://schemas.microsoft.com/identity/claims/displayname
- http://schemas.microsoft.com/identity/claims/identityprovider
- http://schemas.microsoft.com/claims/authnmethodsreferences
- http://schemas.microsoft.com/claims/authnmethodsreferences
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
but we still receive the "Email is empty (EMAIL-spblu)" error.
I already followed these tutorials but still have the error:
- https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-saml
- https://youtu.be/1v5W42yznnY?si=d_9-85kcLXiiXm8N
8 Replies
Hi @Anggakara, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
I can see you're receiving the email attribute from Entra ID correctly (`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`) but ZITADEL is still showing an empty email error.
Based on the ZITADEL documentation, you can use an Action to properly map the Entra ID SAML attributes to ZITADEL user fields [(1)](https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-saml) [(2)](https://zitadel.com/docs/apis/actions/code-examples). Here's the exact code from the documentation for mapping Entra ID SAML attributes:
```javascript
/**
 * Use SAML attributes from entra id SAML SP as attributes for user creation/update
 *
 * Flow: External Authentication, Trigger: Post authentication
 *
 * @param ctx
 * @param api
 */
function prefilRegisterFromEntraId(ctx, api) {
  // only run for the Entra ID SAML provider; replace the placeholder with your IdP's ID
  if (ctx.v1.externalUser.externalIdpId != "<SAML SP id>") {
    return
  }
  // the attribute names below represent the crewjam IDP example, be sure to update them to match your provider info
  // each SAML attribute arrives as an array of values, which is why [0] is used below
  let firstname = ctx.v1.providerInfo.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"];
  let lastname = ctx.v1.providerInfo.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"];
  let email = ctx.v1.providerInfo.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"];
  let displayname = ctx.v1.providerInfo.attributes["http://schemas.microsoft.com/identity/claims/displayname"];
  // username would look like this: adlerhurst_zitadel.com#EXT#@adlerhurstzitadel.onmicrosoft.com
  let username = ctx.v1.providerInfo.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"];
  if (firstname != undefined) {
    api.setFirstName(firstname[0]);
  }
  if (lastname != undefined) {
    api.setLastName(lastname[0]);
  }
  if (email != undefined) {
    // the email is taken from the IdP assertion, so it is marked verified
    api.setEmail(email[0]);
    api.setEmailVerified(true);
  }
  if (displayname != undefined) {
    api.setDisplayName(displayname[0]);
  }
  if (username != undefined) {
    api.setPreferredUsername(username[0]);
  }
}
```
To implement this:
1. Go to your target organization's settings page [(1)](https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-saml)
2. Add a new action with the above code, ensuring the action name matches the function name
3. Replace `<SAML SP id>` with your actual SAML provider configuration ID
4. Add the action to the "External Authentication" flow and trigger it on "Post Authentication"
This Action will properly map the email attribute from `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` to ZITADEL's email field and set it as verified (1) (2).
To learn more, see the sources I considered:
[1] Configure Entra ID as a SAML Service Provider in ZITADEL
[2] Code examples
Feel free to tag @Ask Inkeep with additional questions.
Got it. Tagging @Rajat for additional help.

Your suggestion only applies if I use manual registration, but I use Automatic creation.

When I try to look into the SAML code, the email always returns an empty string. cmiiw

Hi @Anggakara, thanks for reaching out! Using an Action to map user attributes from an external IdP is needed both for manual registration and for automatic creation. There are no predefined mappings, so unless you map the necessary user attributes using an Action, Automatic creation will fail with an error like the one you are receiving, complaining about one missing attribute or another.
The examples in the current documentation use Actions V1 for attribute mappings. This will work as long as you use the Login V1, but both will be deprecated in Zitadel V5.x.
The recommended approach moving forward is to use the new Login V2 along with Actions V2.
I hope that helps!
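The two points above (the mapping Action posted in the answer, and Maik's note that Automatic creation fails with exactly this kind of error when a required attribute is not mapped) can be checked offline before touching the ZITADEL console. The following harness is an added example, not code from the thread or from ZITADEL itself: it runs an attribute-mapping function of the same shape as the documented Action against a constructed Entra ID attribute set, records which `api` setters would be called, and reports which claims were missing or empty. It assumes only the `ctx`/`api` shape visible in the Action above (`ctx.v1.externalUser.externalIdpId`, `ctx.v1.providerInfo.attributes` as `{claimUri: [values]}`, and the `api.set*` methods); the SP id `idp-entra-saml-example`, the user values and the claim contents are constructed placeholders.

```javascript
// Added example (not ZITADEL's code): local harness for an Entra ID SAML
// attribute-mapping Action, used to reproduce the "Email is empty" case.
// Assumption: the ctx/api shape matches the Action in the thread.
const SAML_SP_ID = "idp-entra-saml-example"; // constructed placeholder for the real IdP id

// Claim URIs as they appear in the question's attribute list.
const CLAIMS = {
  givenname: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
  surname: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
  emailaddress: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  displayname: "http://schemas.microsoft.com/identity/claims/displayname",
  name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
};

// Same mapping as the documented Action, with one defensive addition: an empty
// string is treated like a missing attribute and every missing claim is
// returned, which is the detail you want logged when automatic creation fails.
function mapEntraIdAttributes(ctx, api) {
  const missing = [];
  if (ctx.v1.externalUser.externalIdpId !== SAML_SP_ID) {
    return { skipped: true, missing }; // not our provider, leave the user untouched
  }
  const attrs = ctx.v1.providerInfo.attributes || {};
  // SAML attributes are multi-valued arrays; take the first non-empty value.
  const first = (claim) => {
    const values = attrs[claim];
    if (!Array.isArray(values) || values.length === 0) return undefined;
    return values[0] === "" ? undefined : values[0];
  };
  const plan = [
    [CLAIMS.givenname, "setFirstName"],
    [CLAIMS.surname, "setLastName"],
    [CLAIMS.emailaddress, "setEmail"],
    [CLAIMS.displayname, "setDisplayName"],
    [CLAIMS.name, "setPreferredUsername"],
  ];
  for (const [claim, setter] of plan) {
    const value = first(claim);
    if (value === undefined) {
      missing.push(claim);
      continue;
    }
    api[setter](value);
    // the address comes from the IdP assertion, so mark it verified as the Action does
    if (setter === "setEmail") api.setEmailVerified(true);
  }
  return { skipped: false, missing };
}

// Minimal stand-in for the Action's api object: records every setter call.
function recordingApi() {
  const calls = {};
  const api = {};
  for (const name of ["setFirstName", "setLastName", "setEmail", "setEmailVerified",
                      "setDisplayName", "setPreferredUsername"]) {
    api[name] = (value) => { calls[name] = value; };
  }
  return { api, calls };
}

// Build a ctx in the shape the Action reads from a flat {claimUri: value} map.
function makeCtx(idpId, claimValues) {
  const attributes = {};
  for (const [claim, value] of Object.entries(claimValues)) {
    attributes[claim] = Array.isArray(value) ? value : [value];
  }
  return { v1: { externalUser: { externalIdpId: idpId }, providerInfo: { attributes } } };
}

// Run the mapping and return the setter calls plus the missing-claim list.
function simulate(claimValues, idpId = SAML_SP_ID) {
  const { api, calls } = recordingApi();
  const result = mapEntraIdAttributes(makeCtx(idpId, claimValues), api);
  return { ...result, calls };
}

// Constructed sample assertions modelled on the claim list in the question.
const completeAssertion = {
  [CLAIMS.givenname]: "Angga",
  [CLAIMS.surname]: "Kara",
  [CLAIMS.emailaddress]: "angga@example.com",
  [CLAIMS.displayname]: "Angga Kara",
  [CLAIMS.name]: "angga_example.com#EXT#@example.onmicrosoft.com",
};
// Same assertion, but the email claim carries an empty string.
const emptyEmailAssertion = { ...completeAssertion, [CLAIMS.emailaddress]: "" };

if (typeof require !== "undefined" && require.main === module) {
  console.log(simulate(completeAssertion));   // all setters called, missing: []
  console.log(simulate(emptyEmailAssertion)); // setEmail not called, missing: [emailaddress]
}
```

Running the second case shows the failure mode Maik describes: every other field is mapped, but `setEmail` is never called and the email claim shows up in `missing`, which is the situation that surfaces as "Email is empty" during Automatic creation. If the claim URI in the assertion differs from the one in the Action (a trailing slash, a different namespace), it lands in the same list, which makes the harness a quick way to diff what Entra ID actually sends against what the Action expects.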
Hi @Maik, thanks a lot for the explanation. Now I am able to use SSO via SAML using v1. I'll try to use v2 :zitadel:
@Anggakara, you cannot mark your own questions as solved.
whoops my bad 😂
Glad I could be helpful. Feel free to create a new thread with any new questions you may have.