How to Set Up AWS for Delegated Authentication

This doc will walk you through setting up AWS for delegated authentication. You'll need to perform these steps any time you want to use Auth0 with AWS. Note that this tutorial does not walk you through a full integration. See the Configure SSO with the AWS Console or API Gateway tutorials for complete examples.

Step 1: Create a SAML Provider in AWS

Log in to AWS, and navigate to the IAM console. Using the left-hand navigation menu, select Identity Providers. Click Create Provider.

Set the following parameters:

Parameter: Description and Sample Value

Provider Type: The type of provider. Set as SAML.
Provider Name: A descriptive name for the provider, such as auth0SamlProvider.
Metadata Document: Upload the file containing the Auth0 metadata, found in Dashboard > Applications > Application Settings > Advanced Settings > Endpoints > SAML Metadata URL.

Click Next Step. Verify your settings and click Create if everything is correct.

Step 2: Create a Role for Your SAML Provider

To use the provider, you must create an IAM role using the provider in the role's trust policy.

In the IAM console, navigate to Roles. Click Create role.

You'll be redirected to the Trust page. Select SAML 2.0 federation under Select type of trusted entity.

Provide the following values:

Parameter: Value

SAML Provider: The name for your new role
Attribute: SAML:iss
Value: urn:YOUR_AUTH0_DOMAIN

Click Next: Permissions to proceed.

You will need to attach permissions policies to your new role. You'll attach a custom policy. To create one, click Create Policy.

In the Create policy editor that launches, switch over to the JSON tab.

Provide a custom policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "*"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET/${saml:sub}",
        "arn:aws:s3:::YOUR_BUCKET/${saml:sub}/*"
      ]
    }
  ]
}

This defines the permissions that users granted this role will have with AWS. Click Review policy.

Review the policy that you've created. Be sure to provide a Name for your policy and (optionally) a Description.

Click Create policy when done.

If successful, you'll see a message confirming the creation of your new policy.

Returning to the role creation wizard (you should be on step 2 - Permissions), find the new policy you just created and click its checkbox to attach the policy to your role. We recommend using the Customer managed filter to find your policy.

Click Next: Review to proceed.

Review the information about your role, provide a Role name and (optionally) a Role description. You'll see the policy you attached as well. If everything looks correct, click Create role to proceed.

Once created, you can find your roles located on the primary Roles page.
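The trust relationship and the per-user S3 policy from this step, as an added Python example that is not part of the Auth0 documentation: it builds both policy documents and resolves the ${saml:sub} variable for a sample federated user, which shows that each user is confined to their own prefix in the bucket. The account ID, bucket name, provider name and the sample subject values are constructed placeholders.

```python
import fnmatch
import json

# Constructed placeholders; substitute your own account ID, bucket and Auth0 domain.
ACCOUNT_ID = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/auth0SamlProvider"
AUTH0_ISSUER = "urn:YOUR_AUTH0_DOMAIN"
BUCKET = "YOUR_BUCKET"


def trust_policy() -> dict:
    """Trust policy the wizard generates for a SAML 2.0 federation role:
    only assertions issued by the Auth0 provider may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:iss": AUTH0_ISSUER}},
        }],
    }


def permissions_policy() -> dict:
    """The per-user S3 policy from this page; IAM resolves ${saml:sub} at request time."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["*"],
            "Resource": [
                f"arn:aws:s3:::{BUCKET}/${{saml:sub}}",
                f"arn:aws:s3:::{BUCKET}/${{saml:sub}}/*",
            ],
        }],
    }


def resolve_resources(policy: dict, saml_sub: str) -> list:
    """Substitute the saml:sub policy variable for one federated user."""
    return [r.replace("${saml:sub}", saml_sub)
            for s in policy["Statement"] for r in s["Resource"]]


def is_allowed(policy: dict, saml_sub: str, object_arn: str) -> bool:
    """Simplified check: allowed when the object ARN matches a resolved Resource
    pattern (IAM's '*' wildcard matches across '/', like fnmatch's)."""
    return any(fnmatch.fnmatchcase(object_arn, pat)
               for pat in resolve_resources(policy, saml_sub))


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
```

Running the script prints both documents ready to paste into the role's trust relationship and the custom policy editor; the is_allowed check is a local approximation of the S3 resource match, not a replacement for the IAM policy simulator.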

Copy the ARN Values

The following instructions will show you where you can find the Provider and Role ARN values.

Provider ARN

In the IAM console, navigate to Identity providers. Select the provider in which you're interested to open up its summary page. Copy the Provider ARN value, which is listed first under Summary.

Role ARN

In the IAM console, navigate to Roles. Select the role in which you're interested to open up its summary page. Copy the Role ARN value, which is listed first under Summary.

Next Steps