Multi-value mapping for SAML custom attributes
- Category
- SAML
- Published
SAML custom attributes can now map every value an identity provider sends into an array on publicMetadata, instead of keeping only the first.
SAML custom attributes can now be mapped as multi-valued. When an identity provider sends an attribute with more than one value (common for groups or roles in Okta and Microsoft Entra ID), Clerk writes every value to the user's publicMetadata as an array. Previously, only the first value was kept.
Enable multi-value attributes
Open an enterprise connection in the Clerk Dashboard, edit a SAML custom attribute, and turn on Allow multiple values. Matching values are written to publicMetadata always as an array []. If the provider doesn't send the attribute at all, the key isn't written.
The same control is available on the Backend API as a multi_valued field on each custom attribute.
Compatibility
Multi-value mapping is off by default. Existing custom attributes are unchanged and continue to map the first value. No migration or reconfiguration is required.
Refer to the Multi-valued attributes documentation for setup details and how the setting interacts with SCIM.