Configure Amazon Web Services for Delegated Authentication

You can configure Amazon Web Services (AWS) for delegated authentication with Auth0. To learn more, Configure Amazon Web Services for Single Sign-on and Secure AWS API Gateway Endpoints Using Custom Authorizers.

Create a SAML provider in AWS

  1. Log in to AWS, and go to the IAM console. Using the left-hand navigation menu, select Identity Providers. Click Create Provider. Set the following parameters:

    Parameter Description and Sample Value
    Provider Type The type of provider. Set as SAML
    Provider Name A descriptive name for the provider, such as auth0SamlProvider
    Metadata Document Upload the file containing the Auth0 metadata, found in Dashboard > Applications > Application Settings > Advanced Settings > Endpoints > SAML Metadata URL

  2. Click Next Step.

  3. Verify your settings and click Create if everything is correct.

Create a role for your SAML provider

To use the provider, you must create an IAM role using the provider in the role's trust policy.

  1. In the IAM console, go to Roles. Click Create role. You'll be redirected to the Trust page. Indicate Saml 2.0 federation under Select type of trusted entity. Provide the following values:

    Parameter Value
    SAML Provider The name for your new role
    Attribute SAML:iss
    Value urn:{yourDomain}

  2. Click Next: Permissions to proceed.

  3. You will need to attach permissions policies to your new role. You'll attach a custom policy. To create one, click Create Policy.

  4. In the Create policy editor that launches, switch over to the JSON tab. Provide a custom policy.

    {
      "Version": "2012-10-17",
      "Statement": [{
          "Effect": "Allow",
          "Action": [
            "*"
          ],
          "Resource": [
          "arn:aws:s3:::{yourBucket}/<%= '${saml:sub}' %>",
          "arn:aws:s3:::{yourBucket}/<%= '${saml:sub}' %>/*"]
      }]
    }

    Was this helpful?

    /
    This defines the permissions that users granted this role will have with AWS. Click Review policy.

  5. Review the policy that you've created. Be sure to provide a Name for your policy and (optionally) a Description.

  6. Click Create policy when done. If successful, you'll see the following message confirming the creation of your new policy: "auth0SamlRolePolicy has been created".

  7. Returning to the role creation wizard (you should be on step 2 - Permissions), find the new policy you just create and click its checkbox to attach the policy to your role. We recommend using the Customer managed filter to find your policy.

  8. Click Next: Review to proceed.

  9. Review the information about your role, provide a Role name, and optionally a Role description. You'll see the policy you attached as well. If everything looks correct, click Create role to proceed.

  10. Once created, you can find your roles located on the primary Roles page.

Copy the ARN Values

The following instructions will show you where you can find the Provider and Role ARN values.

Provider ARN

In the IAM console, go to Identity providers. Select the role in which you're interested to open up its summary page. Copy the Provider ARN value, which is listed first under Summary.

Role ARN

In the IAM console, go to Roles. Select the role in which you're interested to open up its summary page. Copy the Role ARN value, which is listed first under Summary.