Passing SAML attributes to SaaS Applications from Google Workspace

TL;DR:

  1. How do I pass custom attributes to external SaaS applications in the SAML assertion?
  2. Can this be done through the OAuth App rather than a custom SAML IdP?

I’m testing Cloudflare Access with some of our SaaS applications and I’m particularly interested in evaluating the JIT provisioning capabilities.

Some of the SaaS applications require extra attributes in the SAML assertion to enable JIT provisioning. As an example:

We’re using Google Workspace as our IdP and it seems there are two ways to configure it:

1. as an OAuth App

As per the documentation, an OAuth app allows pulling group membership information, but I couldn’t figure out how to add more fields.

2. as a custom SAML IdP

This allows me to specify a mapping for SAML attributes in Google Workspace:

And specify them in Cloudflare Access:

Then they show up in Cloudflare Access:

"custom": {
  "teams": "3f3cb4....b6a7/member",
  "admin": "false",
  "department": "Test"
}

But they are not passed to the SaaS app, which means I can only use these attributes for Cloudflare Access rules but not for JIT provisioning in the SaaS app.

I’m also not getting the group membership out of the box when using SAML which is a bit inconvenient.

@MoreHelp

I have this same issue. SAML attributes are not passed through to the SaaS application, only the email address.
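The practical check behind both posts is to look at what actually reaches the service provider: capture the `SAMLResponse` form value the browser POSTs to the SaaS app's ACS URL (browser dev tools, or the SAML tracer extension), base64-decode it, and list the `AttributeStatement`. The script below is an added example, not code from either poster or from Cloudflare; it builds constructed, unsigned sample responses (no real Google Workspace or Cloudflare Access output was captured), parses the assertion, and reports which of the attributes a JIT-provisioning SaaS app expects are missing. The attribute names `email`, `department`, `admin` and `teams` mirror the `custom` object shown in the thread; the group values are made up. It does not validate the XML signature, so use it for inspection only, not as an SP.

```python
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# SAML 2.0 namespaces used by the Response / Assertion elements.
NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def build_sample_response(name_id: str, attributes: dict) -> str:
    """Return a CONSTRUCTED, unsigned SAML Response, base64-encoded the way a
    browser POSTs the SAMLResponse form field. Offline test data only."""
    attr_xml = "".join(
        f'<saml2:Attribute Name="{escape(name)}">'
        + "".join(f"<saml2:AttributeValue>{escape(v)}</saml2:AttributeValue>" for v in values)
        + "</saml2:Attribute>"
        for name, values in attributes.items()
    )
    xml = (
        '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        "<saml2:Issuer>https://example.cloudflareaccess.com</saml2:Issuer>"  # assumed issuer
        '<saml2:Assertion ID="_a1" Version="2.0">'
        "<saml2:Subject><saml2:NameID "
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f"{escape(name_id)}</saml2:NameID></saml2:Subject>"
        f"<saml2:AttributeStatement>{attr_xml}</saml2:AttributeStatement>"
        "</saml2:Assertion></saml2p:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def parse_saml_response(b64_response: str) -> dict:
    """Decode a base64 SAMLResponse and extract NameID and all attributes.
    Multi-valued attributes (e.g. groups) come back as lists. Signature is NOT
    checked; this is an inspection helper, not a service provider."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion would need decryption first; not handled here.
        raise ValueError("no plaintext saml2:Assertion found in response")
    name_id_el = assertion.find("saml2:Subject/saml2:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": name_id_el.text if name_id_el is not None else None,
        "attributes": attributes,
    }


def missing_jit_attributes(parsed: dict, required: list) -> list:
    """Names in `required` that the assertion does not carry, sorted."""
    return sorted(set(required) - set(parsed["attributes"]))


# Attributes a hypothetical SaaS app needs for JIT provisioning (assumed list,
# modelled on the `custom` object from the thread).
REQUIRED_FOR_JIT = ["email", "department", "admin", "teams"]

# Sample 1: what the thread reports arriving at the SaaS app (email only).
SAMPLE_EMAIL_ONLY = build_sample_response("alice@example.com", {"email": ["alice@example.com"]})

# Sample 2: what the SaaS app would need to see for JIT to work.
SAMPLE_WITH_JIT = build_sample_response(
    "alice@example.com",
    {
        "email": ["alice@example.com"],
        "department": ["Test"],
        "admin": ["false"],
        "teams": ["group-a", "group-b"],  # constructed group names
    },
)

if __name__ == "__main__":
    for label, sample in (("email only", SAMPLE_EMAIL_ONLY), ("with JIT attrs", SAMPLE_WITH_JIT)):
        parsed = parse_saml_response(sample)
        print(label, "->", parsed["attributes"])
        print("  missing for JIT:", missing_jit_attributes(parsed, REQUIRED_FOR_JIT))
```

To use it on a live login, paste the captured `SAMLResponse` value into `parse_saml_response`; an empty or email-only attribute map confirms the IdP-side mapping never made it past Cloudflare Access, whereas attributes present here but ignored by the SaaS app point at a name or `NameFormat` mismatch on the SP side instead.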