@@ -103,6 +103,25 @@ At a minimum, you must add the following to your project's settings:
103103 values associated with the attr_* keys correspond to the keys specified as
104104 attributes in the IDP.
105105
106+ .. important ::
107+
108+ **Version 4.8.0+ Behavior Change: **
109+
110+ When you explicitly configure an attribute (e.g., ``attr_first_name ``), that
111+ attribute **must ** be present in the SAML response from the IdP. If it is
112+ missing, authentication will fail with an error like:
113+ ``Missing needed parameter first_name (configured by attr_first_name) ``.
114+
115+ **Options: **
116+
117+ 1. **Remove the configuration ** if the attribute is not provided by your IdP.
118+ The backend will automatically try to map using built-in attribute names.
119+
120+ 2. **Ensure your IdP provides the attribute ** with the exact name you configured.
121+
122+ 3. **Use the correct attribute name ** from your IdP's SAML response (check
123+ the actual attribute names sent by your IdP).
124+
106125 Extending on the "testshib" example::
107126
108127 {
@@ -124,6 +143,15 @@ At a minimum, you must add the following to your project's settings:
124143 Note: testshib does not provide email as an attribute. This was tested using
125144 Okta and G Suite (formerly Google Apps for Business).
126145
146+ **Built-in Attribute Mappings: **
147+
148+ If you omit the ``attr_* `` configuration keys, the backend will automatically
149+ try to extract user details using a list of commonly used attribute names,
150+ including both namespaced URN variants (like
151+ ``http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname ``) and
152+ simple names (like ``first_name ``, ``firstName ``, ``given_name ``). Missing
153+ attributes will be silently ignored when using the built-in mappings.
154+
127155Basic Usage
128156-----------
129157
@@ -225,6 +253,51 @@ particular, there are two methods that are designed for subclasses to override:
225253 inspecting the passed attributes parameter, do nothing to allow the user to
226254 login, or raise ``social_core.exceptions.AuthForbidden `` to reject the user.
227255
256+
257+ Troubleshooting
258+ ---------------
259+
260+ **Error: "Missing needed parameter first_name (configured by attr_first_name)" **
261+
262+ This error occurs when you have explicitly configured an attribute mapping (like
263+ ``attr_first_name ``) but your IdP is not providing that attribute in the SAML
264+ response.
265+
266+ **Solution: **
267+
268+ 1. **Check what attributes your IdP actually provides. ** Inspect the SAML
269+ response from your IdP to see the exact attribute names being sent.
270+
271+ 2. **Remove unused attribute configurations. ** If your IdP doesn't provide
272+ ``first_name ``, simply remove ``"attr_first_name": "first_name" `` from your
273+ configuration. The backend will try to use built-in mappings instead.
274+
275+ 3. **Use the correct attribute name. ** If your IdP provides the attribute with
276+ a different name (e.g., ``givenName `` or a namespaced URN like
277+ ``http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname ``), use
278+ that name in your configuration::
279+
280+ "attr_first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
281+
282+ 4. **Configure your IdP ** to include the attribute in the SAML response if you
283+ need it.
284+
285+ **Example: ** For Google G Suite SSO, if you're not receiving ``first_name `` and
286+ ``last_name `` attributes, remove those configurations and let the backend use
287+ its built-in mappings::
288+
289+ SOCIAL_AUTH_SAML_ENABLED_IDPS = {
290+ "gsuite": {
291+ "entity_id": "...",
292+ "url": "...",
293+ "x509cert": "...",
294+ "attr_user_permanent_id": "email",
295+ "attr_username": "email",
296+ "attr_email": "email",
297+ # Remove attr_first_name and attr_last_name if not provided by IdP
298+ }
299+ }
300+
228301.. _python3-saml : https://github.com/onelogin/python3-saml
229302.. _TestShib : https://www.testshib.org/
230303.. _metadata : https://www.testshib.org/metadata/testshib-providers.xml
0 commit comments