SAML Custom User Provisioning

I have set up the SAML module, which also works with the default user group assignment. Now I would like to assign the corresponding user roles in Mendix to different users based on the claim "userrole" of the IDP. My current sub-microflow in the 'CustomUserProvisioning' Microflow first uses the list operation "Find" on AssertionAttributeList to search for the value "Admin" (is there a better way because I also know the claim key – which is “userrole”). After the Find Operation I have an exclusive split that checks if the find operation != empty (is that correct?). If true then I would like to assign the user role "Admin" to the user - but I haven't found out how to do this yet. For testing purposes I have set the attribute "WebServiceUser" to true - which doesn't work either. Can someone give a detailed description of how to set up such a custom user provision or knows why it doesn't work for me? Thank you
5 answers

One thing I found when implementing SSO and custom user provisioning was to retrieve the User role from the database using XPath and then assigning that association to the user. You might have to retrieve the current user account to assign these if your initial retrieve is not providing an account to assign the role to.

for the retrieve x-path

and then assigning


Hi Branden,
Thank you very much for your detailed answer with the very helpful screenshots. I built it according to your template - first I retrieve the current user from System.User with [id = '[%CurrentUser%]'] and the UserRole I want to assign from System.UserRole with [id = '[%UserRole_Administrator%]'] and then assign this userrole to the CurrentUser:

But I get the following error in the SAML log:

Change object 'CurrentUser' should not be null
at SAML20.Azure_Assign_UserRole (Change : 'Change 'CurrentUser' (UserRoles)')

This sounds to me as if the retrieve of the current user does not work properly. Do I really have to retrieve the current user from System.User or Administration.Account?

Also what is the most elegant way to look in the AssertionAttributeList for the key “userrole” with a specific value (e.g. “user”)? Should I use a loop or can I just use a ListOperation Find? If yes, how do I check whether the ListOperation was successful?

Thanks for your help


Thank you very much for your detailed help. It works now. Here is my attempt to understand what went wrong:

Since the annotation of the SAML microflow 'CustomUserProvisioning' says that logic should be included "by calling microflows containing said logic from this microflow" I packed my logic into a submicroflow and copied the parameters from 'CustomUserProvisioning'.
By that Mendix – or I? – seem to have inserted the argument $currentUser to the parameter System.User when passing the parameters from 'CustomUserProvisioning' Microflow to my submicroflow - which I hadn't noticed until yesterday. The current user is - as I learned through your comments - not available on this system level at this time, which is why I always got the error Change object 'User' should not be null.

Now I packed the whole logic directly into the microflow 'CustomUserProvisioning' and it works.

Here is my current solution:


Thanks for your help, patience and the screenshots.


Hey Rom, thanks for the quick reply. I deleted the retrieve and now I am only

  1. Retrieving the UserRole I want to assign from System.UserRole
  2. Changing the “current User” (System.User) – which is the User input parameter you were talking about, right?
    and then assigning the user role association to it.


Nevertheless I get the following error in the SAML log: 

Change object 'currentUser' should not be null.




Thanks guys,

I have not put a ChangeObject action on the User input parameter and assign the retrieved user role.

Still getting this error in SAML:
Change object 'User' should not be null

@Ronald: What do you mean by ‘retrieve the user based on the input parameter of the SAML’ – how would I do that in the microflow? The User parameter is already there right?