Setup AWS for Delegated Authentication with APIs

To enable delegated authentication with AWS APIs, you must create a SAML Provider and one or more Roles.

Create a SAML Provider

To create a SAML provider, follow these steps:

  1. Go to the AWS IAM Console. Click on Identity Providers in the left menu and then click Create Provider:

  1. Select SAML as the Provider Type and enter a name for your provider:

  1. Download your metadata document from https://YOUR_AUTH0_DOMAIN/samlp/metadata/YOUR_CLIENT_ID.

Click Choose File and browse to the metadata document you just downloaded. Click Next Step:

  1. Verify your provider information and click Create:

Create a Role

Now create a role with one or more associated policies. (You can create as many roles as required.)

  1. On the AWS IAM Console, click on Roles in the left menu and then click Create New Role:

  1. Provide a name for your new role and click Next Step:

  1. Select Role for Identity Provider Access. Then select Grant API access to SAML providers and click Next Step:

  1. Select or enter the following values:
  • SAML Provider: the provider you just created
  • Attribute: SAML:iss
  • Value: urn:YOUR_AUTH0_DOMAIN

and click Next Step:

  1. On the Verify Role Trust page, accept the Policy Document as provided. Click Next Step:

  1. At Attach Policy, either select a pre-defined policy to attach or define a custom policy as defined in the next section. Click Next Step

  2. Review the information and click Create Role:

Create a Custom Policy

In this example, you will create a policy that grants full access to the S3 resource: YOUR_BUCKET/${saml:sub}. This will be evaluated at run-time and replaced with the user_id of the logged-in user.

  1. On the Roles page, select the role you just created.

On the Permissions tab under Inline Policies, click the link to create an inline policy:

  1. Name your policy and enter the following code in the Policy Document field:
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action": [
      "Resource": [
  1. Click Validate Policy to check your syntax, then click Apply Policy.

Copy the ARN values

  1. From the summary page of the role you just created, copy the Role ARN value. You will use this value later when calling the /delegation endpoint in Auth0.

  1. From the summary page of the identity provider you created previously, copy the Provider ARN value. You will use this value as the Principal ARN in the Rule you will build to be used in conjunction with the call to Auth0's /delegation endpoint.

For more information on supported AWS APIs, see: AWS Services That Work with IAM.