Remove Core Attributes from SAML Assertions in Auth0

Overview

This article explains how to configure the Security Assertion Markup Language (SAML) Web App add-on to emit only explicitly mapped attributes. This guide provides the necessary settings and a "Post-Login" Action code snippet to suppress default claims, such as User Principal Name (UPN), when integrating with a strict Service Provider (SP).

Applies To
  • Security Assertion Markup Language (SAML)
  • SAML 2.0 Web App
  • Post-Login Actions
  • SAML Assertions

Cause

By default, the SAML 2.0 Web App add-on includes core user profile attributes and identity information (connection and provider details from the identities array) in the Attribute Statement. Even when passthrough of unmapped claims is disabled, certain default claims, such as UPN, are still generated by Auth0 acting as the IdP, so they cannot be removed through the mappings alone. Note that the NameID in the assertion's Subject is separate from the Attribute Statement and is not affected by these settings.

Solution

Follow these steps to configure the add-on settings and implement a Post-Login Action to remove unwanted attributes:

  1. Navigate to Dashboard > Applications.
  2. Select the application configured as the SAML Identity Provider (IdP).
  3. Go to the Addons tab.
  4. Select SAML2 Web App to open the Settings tab.
  5. In the Settings JSON, update or add the following flags:
    • Set passthroughClaimsWithNoMapping to false to prevent attributes not defined in the mappings from being added.
    • Set mapIdentities to false to prevent user identity information, such as connection or provider details, from being added.
  6. Select Save.
  7. To remove the UPN claim, create a new "Post-Login" Action.
  8. Use the following code snippet in the Action:
    exports.onExecutePostLogin = async (event, api) => {
      // Suppress the UPN claim the add-on would otherwise add to the Attribute Statement
      api.samlResponse.setCreateUpnClaim(false);
    };
  9. Deploy the Action and add it to the Login flow.
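As an added worked example (not code from the Auth0 article), the following Post-Login Action goes beyond the single setCreateUpnClaim call above: it applies the same two add-on restrictions through the Actions samlResponse API as well, limits the change to one application by client ID, and supplies an explicit mapping table so that only listed attributes reach the Service Provider. The client ID, the mapping table, and the makeRecordingApi/simulate stand-in used to exercise the Action offline are assumptions for this example and are not part of the Auth0 runtime.

```javascript
// Added example, not from the Auth0 article. Post-Login Action that emits only
// explicitly mapped SAML attributes. SAML_CLIENT_ID, ALLOWED_MAPPINGS and the
// recording harness below are assumptions made for this example.

// Client ID of the application that has the SAML2 Web App add-on enabled
// (hypothetical value; copy the real one from Dashboard > Applications).
const SAML_CLIENT_ID = 'abc123SamlAppClientId';

// Explicit mappings: Auth0 profile attribute -> SAML attribute name.
// With passthrough disabled, only these appear in the Attribute Statement.
const ALLOWED_MAPPINGS = {
  email: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
  name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
};

async function onExecutePostLogin(event, api) {
  // Scope the change to the SAML application; other clients are untouched.
  if (event.client.client_id !== SAML_CLIENT_ID) {
    return;
  }
  // Same effect as passthroughClaimsWithNoMapping: false in the add-on JSON.
  api.samlResponse.setPassthroughClaimsWithNoMapping(false);
  // Same effect as mapIdentities: false (drops connection/provider details).
  api.samlResponse.setMapIdentities(false);
  // Suppress the default UPN claim that is generated even with passthrough off.
  api.samlResponse.setCreateUpnClaim(false);
  // Emit only the explicitly allowed attributes.
  api.samlResponse.setMappings(ALLOWED_MAPPINGS);
}

// Auth0 loads the Action through module.exports; the guard keeps the file
// runnable outside the Actions runtime (e.g. as an ES module).
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Stand-in for the Auth0 `api` object (assumption for this example): records
// every samlResponse setter call so the Action can be checked offline.
function makeRecordingApi() {
  const calls = {};
  const samlResponse = new Proxy({}, {
    get: (_target, setterName) => (value) => { calls[setterName] = value; },
  });
  return { api: { samlResponse }, calls };
}

// Run the Action against a constructed login event and return what it set.
async function simulate(clientId) {
  const { api, calls } = makeRecordingApi();
  // Constructed event: only the fields the Action reads are populated.
  const event = { client: { client_id: clientId }, user: { email: 'user@example.com' } };
  await onExecutePostLogin(event, api);
  return calls;
}
```

Deploy the Action and add it to the Login flow as in step 9. If the add-on JSON already sets the two flags, the Action's setter calls are redundant but harmless; keeping both in the Action makes the restriction visible in one place and version-controlled with the rest of the flow.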

NOTE: For more information on available settings, refer to the Customize SAML Assertions documentation.
