> Learn how the User Attribute Profile allows you to configure users for SCIM provisioning through the Self-Service experience.

# User Attribute Profile

> **The User Attribute Profile with Self-Service Enterprise Configuration feature is in [Early Access](/docs/troubleshoot/product-lifecycle/product-release-stages).**
>
> This feature is available for [B2B Professional and B2B Enterprise plans](https://auth0.com/pricing). By using this feature, you agree to the applicable Free Trial terms in Okta's [Master Subscription Agreement](https://www.okta.com/legal).

The User Attribute Profile (UAP) provides a consistent way to define, manage, and map user attributes across protocols such as [SCIM](/docs/authenticate/protocols/scim), [SAML](/docs/authenticate/protocols/saml), and [OIDC](/docs/authenticate/login/oidc-conformant-authentication). UAP with [Self-Service Enterprise Configuration](/docs/authenticate/enterprise-connections/self-service-enterprise-configuration) gives administrators greater control over user identity data by defining user attributes and applying the profile across authentication protocols.

## How it works

* **Profile Definition**
  An administrator creates a User Attribute Profile to define attributes, including:
  * How to display attributes
  * How to make attributes required
  * How attributes map to Auth0 and external identity systems

* **Flexible Scope**
  Profiles are linked to Self-Service Enterprise Configuration flows but are designed for provisioning, onboarding, and entitlement management.

* **Unified Mapping Layer**
  Each attribute supports mappings across authentication protocols with the option to override values for specific providers or connection strategies, such as Okta and Entra ID.

## Attribute mapping and override

UAP supports multi-protocol attribute definitions and strategy overrides for provider-specific needs.

**Attribute mapping**

| **Protocol**  | **Description**                                                                                                                                                                                         |
| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Auth0 Mapping | Canonical attribute stored in Auth0 (`email`, `name`, `app_metadata.department`).                                                                                                                       |
| OIDC Mapping  | Standard OIDC claims (`sub`, `preferred_username`, `zoneinfo`). To learn more about OIDC standard claims, read [Standard Claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). |
| SAML Mapping  | Supports one or more assertion URIs (`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`).                                                                                             |
| SCIM Mapping  | Provisioning attributes (`name.familyName`, `addresses[type eq "work"].country`).                                                                                                                       |

**Strategy overrides**

Some providers use non-standard mappings. UAP allows overrides:

| **Protocol**    | **Description**                                                                       |
| --------------- | ------------------------------------------------------------------------------------- |
| SAML            | Map `userName` instead of `externalId`.                                               |
| WAAD (Entra ID) | Use `oid` as the OIDC identifier.                                                     |
| Okta            | Map attributes such as `middleName` or `federated_groups` using Okta-specific claims. |

### User ID

The `user_id` property defines how to map OIDC claims, SAML attributes, or SCIM attributes to the Auth0 user ID. Every Auth0 user must have an ID, so this mapping is required.

* For OIDC, the choices are rigid (typically `sub`, or `oid` for Azure AD, or `email` for Google).
* For SAML and SCIM, the mapping is more flexible and can point to multiple possible attributes.

### User attributes

The `user_attributes` property contains the mapping information that allows the system to interpret incoming claims from the IdP and store them as Auth0 user profile attributes.

Each attribute must be provided as a key/value pair:

* The key corresponds to the attribute name.
* The value is an object with:
  * `label`
  * `description`
  * `profile_required`
  * `auth0_mapping`
  * `saml_mapping`
  * `scim_mapping`
  * `oidc_mapping`: an object with the following properties:
    * `mapping`: the incoming claim from the IdP (a literal value, a dynamic context object, or both, using `${variable}` syntax that supports the [context object](/docs/authenticate/identity-providers/enterprise-identity-providers/configure-pkce-claim-mapping-for-oidc#context-object))
    * `display_name`: the label shown to end users in self-service flows

### Strategy overrides

The `strategy_overrides` property allows you to specify exceptions for individual identity providers (IdPs), since not all IdPs expose the same identifiers or claims.

Each override defines protocol-specific mappings that replace the defaults defined in `user_id` or `user_attributes`.

## Examples

### User identifier

```json
"user_id": {
  "oidc_mapping": "sub",
  "saml_mapping": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "scim_mapping": "externalId",
  "strategy_overrides": {
    "waad": {
      "oidc_mapping": "oid"
    },
    "samlp": {
      "scim_mapping": "userName"
    },
    "google-apps": {
      "oidc_mapping": "email"
    }
  }
},
```

* **Default identifier**: `externalId` via SCIM.
* **SAML**: Multiple identifier URIs supported.
* **OIDC**: Uses `sub`.
* **Overrides**: `waad` uses `oid` for OIDC, `samlp` uses `userName` for SCIM, and `google-apps` uses `email` for OIDC.

### Email attribute

```json
"email": {
  "description": "Email",
  "label": "Email",
  "profile_required": true,
  "auth0_mapping": "email",
  "scim_mapping": "emails[primary eq true].value",
  "oidc_mapping": {
    "mapping": "${context.tokenset.email}",
    "display_name": "email"
  },
  "saml_mapping": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ],
  "strategy_overrides": {
    "waad": {
      "scim_mapping": "emails[type eq \"work\"].value"
    }
  }
}
```

* Suggested for most profiles.
* Unified across Auth0, OIDC, SAML and SCIM.
* WAAD override ensures correct mapping to work emails.
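
The two examples above can be checked against a sample SCIM payload before a profile goes live. The following is an added example, not Auth0 code: it assumes an override replaces the default for that protocol only, evaluates only the SCIM path shapes shown on this page, and uses a constructed `SCIM_USER`; the function names are hypothetical.

```python
import re

# Mappings copied from this page's examples (SCIM-related keys only).
USER_ID = {
    "scim_mapping": "externalId",
    "strategy_overrides": {"samlp": {"scim_mapping": "userName"}},
}
EMAIL = {
    "profile_required": True,
    "scim_mapping": "emails[primary eq true].value",
    "strategy_overrides": {"waad": {"scim_mapping": 'emails[type eq "work"].value'}},
}

# Constructed SCIM user resource; all values are made up for the example.
SCIM_USER = {
    "externalId": "a1b2c3",
    "userName": "jdoe@corp.example",
    "emails": [
        {"value": "jane@home.example", "type": "home", "primary": True},
        {"value": "jdoe@corp.example", "type": "work", "primary": False},
    ],
}

def effective_mapping(attr, protocol, strategy):
    """Assumed semantics: an override replaces the default for that protocol only."""
    override = attr.get("strategy_overrides", {}).get(strategy, {})
    return override.get(protocol, attr.get(protocol))

# Handles only the path shapes shown on this page: attr, attr.sub, attr[f eq v].sub
_PATH = re.compile(r'^(\w+)(?:\[(\w+) eq (?:"([^"]*)"|(true|false))\])?(?:\.(\w+))?$')

def scim_value(resource, path):
    m = _PATH.match(path)
    if not m:
        raise ValueError(f"unsupported SCIM path: {path}")
    attr, field, text, boolean, sub = m.groups()
    node = resource.get(attr)
    if field is not None:
        want = text if text is not None else (boolean == "true")
        node = next((i for i in node or [] if i.get(field) == want), None)
    if sub is not None:
        node = node.get(sub) if isinstance(node, dict) else None
    return node

def provision(attr, strategy, required):
    """Resolve the SCIM path for a strategy, then read it; fail closed if required."""
    path = effective_mapping(attr, "scim_mapping", strategy)
    value = scim_value(SCIM_USER, path) if path else None
    if value is None and required:
        raise ValueError(f"{strategy}: required mapping {path!r} produced no value")
    return value
```

With the same payload, `provision(EMAIL, "waad", True)` stores the work address while a strategy without an override stores the primary one, and `provision(USER_ID, "samlp", True)` keys the user on `userName` rather than `externalId`.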

## Create a User Attribute Profile

You can define a UAP using the Auth0 Dashboard or the Management API. Currently, a UAP is configured through the Self-Service Enterprise Configuration experience.

### Configure with Auth0 Dashboard

1. Navigate to [**Authentication > Enterprise > Self-Service Enterprise Configuration**](http://manage.auth0.com/*/connections/enterprise/self-service-profiles).
2. Select **+Create Profile**.
3. Provide a **Name** and optional **Description** for the new profile.
4. Add a User Attribute Profile entry by either selecting an existing profile or choosing **+Create New**.
   * For a new profile, provide a **User Profile Attribute Name**.
   * Review the mappings to ensure the profile attributes map to your preferred Auth0 attributes.
5. Choose **Create**.

Your new UAP is available to configure for SSO.

### Configure with Management API

To manage User Attribute Profiles, the following [Management API](https://auth0.com/docs/api/management/v2/introduction) endpoints are available:

* `POST` `/api/v2/user-attribute-profiles`
* `GET` `/api/v2/user-attribute-profiles`
* `PATCH` `/api/v2/user-attribute-profiles/{id}`
* `GET` `/api/v2/user-attribute-profiles/{id}`
* `GET` `/api/v2/user-attribute-profiles/templates`
* `GET` `/api/v2/user-attribute-profiles/templates/{id}`

## Learn more

* [Self-Service Enterprise Configuration](/docs/authenticate/enterprise-connections/self-service-enterprise-configuration)
* [Configure PKCE and Claim Mapping for OIDC Connections](/docs/authenticate/identity-providers/enterprise-identity-providers/configure-pkce-claim-mapping-for-oidc)
* [Map SAML Attributes with Auth0 as IdP/SAML Add-on](/docs/authenticate/protocols/saml/saml-configuration/saml-attribute-mapping-examples)
* [Map AD/LDAP Profile Attributes to Auth0 User Profile](/docs/authenticate/protocols/saml/saml-configuration/saml-attribute-mapping-examples)
