How to Set Up AWS for Delegated Authentication

This doc walks you through setting up AWS for delegated authentication with Auth0. You'll need to perform these steps any time you want to use Auth0 with AWS. Note that this tutorial does not walk you through a full integration; see the Enable SSO to the AWS Console or API Gateway tutorials for complete examples.

Step 1: Create a SAML Provider in AWS

Log in to AWS, and navigate to the IAM console. Using the left-hand navigation menu, select Identity Providers. Click Create Provider.

Set the following parameters:

Parameter: Description and Sample Value

Provider Type: The type of provider. Set this to SAML.
Provider Name: A descriptive name for the provider, such as auth0SamlProvider.
Metadata Document: Upload the Auth0 SAML metadata file. Download it from the SAML Metadata URL shown in the Auth0 Dashboard under Clients > (your client) > Settings > Advanced Settings > Endpoints.

Click Next Step. Verify your settings and click Create if everything is correct.

Step 2: Create a Role for Your SAML Provider

To use the provider, you must create an IAM role that names the provider in its trust policy. The trust policy controls who may assume the role; the permissions policy you attach afterwards controls what they can do once they have assumed it.

In the IAM console, navigate to Roles. Click Create New Role.

On the Select role type page, select Role for identity provider access.

Click Select for the Grant Web Single Sign-On (WebSSO) access to SAML providers option. Set the following values:

Parameter: Value

SAML Provider: Select the provider you created in the previous step.
Attribute: SAML:iss
Value: urn:YOUR_AUTH0_DOMAIN

The SAML:iss condition restricts the role to assertions whose Issuer is your Auth0 tenant, so an assertion from any other identity provider cannot be used to assume it.

Click Next Step to proceed.

On the Verify Role Trust page, accept the Policy Document as provided and click Next Step.

When asked to Attach Policy, either select a predefined policy or define a custom policy. The attached policies define the permissions that users who assume this role will have in AWS, so grant only what the integration needs. Click Next Step.

Finally, set the role name and review your settings. Provide values for the following parameters:

Parameter: Definition

Role name: A descriptive name for your role.
Role description: A description of what your role is used for.

Review the Trusted entities and Policies information, then click Create Role.

At this point, you'll have created the necessary role to associate with your provider.

Create a Custom Policy

In this example, you will create a policy that grants full access to the S3 resource YOUR_BUCKET/${saml:sub}. ${saml:sub} is an IAM policy variable: AWS replaces it at evaluation time with the subject (NameID) of the SAML assertion, which Auth0 populates with the user_id of the user that's logged in. Because the Resource list names only object keys under that per-user prefix, the role cannot touch another user's prefix, and it cannot list the bucket, since s3:ListBucket applies to the bucket ARN rather than to object keys.

In the IAM console, navigate to Roles. Select the role you just created to open its summary page.

On the Permissions tab, click the caret to expand the Inline Policies area.

Click the provided link to create an inline policy.

You'll be creating a Custom Policy. Provide a Policy Name and populate the Policy Document field with the following:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "*"
    ],
    "Resource": [
      "arn:aws:s3:::YOUR_BUCKET/${saml:sub}",
      "arn:aws:s3:::YOUR_BUCKET/${saml:sub}/*"
    ]
  }]
}

Click Validate Policy to check your syntax.

Click Apply Policy to proceed.
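The following Python model is an added example, not Auth0's or AWS's code. It ties Step 2 and the inline policy together: it checks whether a SAML assertion's issuer and audience satisfy the role's trust policy, then substitutes ${saml:sub} into the inline policy above and evaluates S3 requests against it, including the cross-user and ListBucket cases. The shape of the trust policy (the SAML:aud value is the one AWS adds for WebSSO roles), the ACCOUNT_ID placeholder and the user IDs auth0|alice and auth0|bob are assumptions; the permissions policy is the one from this page.

```python
"""Model of how AWS evaluates the Auth0 SAML role set up above.

Added example, not Auth0 or AWS code. TRUST_POLICY is a representative
trust document for a WebSSO role with the SAML:iss condition (assumed
shape); PERMISSIONS_POLICY is the inline policy from this page. ACCOUNT_ID,
YOUR_BUCKET and the user IDs are placeholders / constructed sample data.
"""
import re

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::ACCOUNT_ID:saml-provider/auth0SamlProvider"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {
            "SAML:aud": "https://signin.aws.amazon.com/saml",  # added by the AWS wizard
            "SAML:iss": "urn:YOUR_AUTH0_DOMAIN",               # the condition chosen in Step 2
        }},
    }],
}

PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["*"],
        "Resource": [
            "arn:aws:s3:::YOUR_BUCKET/${saml:sub}",
            "arn:aws:s3:::YOUR_BUCKET/${saml:sub}/*",
        ],
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def can_assume_role(assertion_attrs, trust_policy=TRUST_POLICY):
    """True if an assertion with these attributes satisfies an Allow statement
    for sts:AssumeRoleWithSAML. Condition keys are case-insensitive in IAM."""
    attrs = {k.lower(): v for k, v in assertion_attrs.items()}
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRoleWithSAML" not in _as_list(stmt["Action"]):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(attrs.get(key.lower()) == expected for key, expected in conditions.items()):
            return True
    return False


def expand_policy_variables(resource, assertion_attrs):
    """Replace ${saml:...} variables with values taken from the assertion."""
    attrs = {k.lower(): v for k, v in assertion_attrs.items()}

    def repl(match):
        key = match.group(1).lower()
        if key not in attrs:
            raise KeyError(f"assertion has no value for {match.group(0)}")
        return attrs[key]

    return re.sub(r"\$\{([^}]+)\}", repl, resource)


def is_allowed(action, resource_arn, assertion_attrs, policy=PERMISSIONS_POLICY):
    """Evaluate one request: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        action_ok = any(_wildcard_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
        resource_ok = any(
            _wildcard_match(expand_policy_variables(r, assertion_attrs), resource_arn)
            for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed attributes of a successful Auth0 login for user auth0|alice.
    alice = {"SAML:iss": "urn:YOUR_AUTH0_DOMAIN",
             "SAML:aud": "https://signin.aws.amazon.com/saml",
             "SAML:sub": "auth0|alice"}
    print("alice may assume role:", can_assume_role(alice))
    print("alice reads own object:",
          is_allowed("s3:GetObject", "arn:aws:s3:::YOUR_BUCKET/auth0|alice/report.csv", alice))
    print("alice reads bob's object:",
          is_allowed("s3:GetObject", "arn:aws:s3:::YOUR_BUCKET/auth0|bob/report.csv", alice))
    print("alice lists bucket:", is_allowed("s3:ListBucket", "arn:aws:s3:::YOUR_BUCKET", alice))
```

Run it directly to see that alice can reach only objects under her own prefix, that an assertion from a different issuer cannot assume the role at all, and that s3:ListBucket on the bucket ARN is denied because the policy names object keys only. If users need to list their own prefix, add a separate statement on the bucket ARN conditioned on s3:prefix.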

Copy the ARN Values

The following instructions will show you where you can find the Provider and Role ARN values.

Provider ARN

In the IAM console, navigate to Identity providers. Select the provider in which you're interested to open its summary page. Copy the Provider ARN value, which is listed first under Summary.

Role ARN

In the IAM console, navigate to Roles. Select the role in which you're interested to open its summary page. Copy the Role ARN value, which is listed first under Summary.

Next Steps