Wondering how to set up Auth0 as a SAML identity provider? We can help you.
Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.
Today, let us see the steps followed by our Support Techs to set up Auth0.
How to set up Auth0 as a SAML identity provider?
Amazon Cognito user pools allow signing in through a third party, including a SAML IdP such as Auth0.
A user pool integrated with Auth0 allows users in your Auth0 application to get user pool tokens from Amazon Cognito.
To set up Auth0 as a SAML IdP, you need an Amazon Cognito user pool with an app client and domain name, and an Auth0 account with an Auth0 application on it.
Today, let us see the steps followed by our Support Techs to set it up.
Create an Amazon Cognito user pool with an app client and domain name
- Create a user pool
- Set up the hosted UI with the Amazon Cognito console
- Add a domain name for your user pool
Sign up for an Auth0 account
Enter your email address and a password on the Auth0 website Sign Up page to get started.
If you already have an account, then log in.
Create an Auth0 application
- Firstly, on the Auth0 website dashboard, choose Applications, and then choose Create Application.
- Then, in the Create Application dialog box, enter a name for your application.
- Under Choose an application type, choose Single Page Web Applications.
- Finally, choose Create.
Create a test user for your Auth0 application
- On the left navigation bar, choose User Management, and then choose Users.
- Choose + Create Your First User. Or, if this isn’t your first user, choose + Create User.
- In the Create user dialog box, enter an email and password for the user.
- Finally, choose Save.
Configure SAML settings for your application
- Firstly on the left navigation bar, choose Applications.
- Then, choose the name of the application you created.
- On the Addons tab, turn on SAML2 Web App.
- In the Addon: SAML2 Web App dialog box, on the Settings tab, for Application Callback URL enter https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse.
Note: Replace yourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the Domain name tab of the management page for your user pool.
- Then, under Settings, do the following:
- For audience, delete the comment delimiter (//) and replace the default value (urn:foo) with urn:amazon:cognito:sp:yourUserPoolId.
Note: Replace yourUserPoolId with your Amazon Cognito user pool ID. Find the ID in the Amazon Cognito console on the General settings tab of the management page for your user pool.
- For mappings and email, delete the comment delimiters (//). Do the same for any other attributes required by your Amazon Cognito user pool. For more information, see configuring user pool attributes.
- For nameIdentifierFormat, delete the comment delimiters (//). Replace the default value (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified) with urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
- Choose Debug, then log in as the test user you created to confirm that the configuration works.
- Choose Enable, and then choose Save.
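The three values edited above (audience, mappings.email, nameIdentifierFormat) and the Application Callback URL have to agree with each other, and the region in the callback URL has to match the region encoded in the user pool ID. The following Python script is an added example, not code from the original post or from Auth0 or AWS; the user pool ID, domain prefix and region in it are constructed placeholders, and the function names are my own. It builds the settings as a dict and cross-checks them before you paste them into the Addon dialog.

```python
import re
from urllib.parse import urlparse

# Constructed example values: replace with your own user pool ID, domain
# prefix and region. None of these come from the original post.
USER_POOL_ID = "us-east-1_ExampleId1"
DOMAIN_PREFIX = "example-prefix"
REGION = "us-east-1"

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
PERSISTENT_NAMEID = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# User pool IDs look like <region>_<alphanumeric>, e.g. us-east-1_AbCdEfGhI
POOL_ID_RE = re.compile(r"^([a-z]{2}(?:-[a-z]+)+-\d)_[A-Za-z0-9]+$")
CALLBACK_HOST_RE = re.compile(r"^([a-z0-9-]+)\.auth\.([a-z0-9-]+)\.amazoncognito\.com$")


def cognito_callback_url(domain_prefix, region):
    """Application Callback URL: where Auth0 posts the SAML response."""
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse"


def cognito_audience(user_pool_id):
    """SP entity ID (audience) Amazon Cognito expects in the assertion."""
    return f"urn:amazon:cognito:sp:{user_pool_id}"


def build_saml_addon_settings(user_pool_id):
    """The three settings the post tells you to uncomment and edit, as a dict."""
    return {
        "audience": cognito_audience(user_pool_id),
        "mappings": {"email": EMAIL_CLAIM},
        "nameIdentifierFormat": PERSISTENT_NAMEID,
    }


def check_settings(settings, callback_url):
    """Cross-check the addon settings against the callback URL.

    Returns a list of problems (empty when consistent). The most common slip
    is a region in the callback URL that differs from the user pool's region.
    """
    problems = []
    aud = re.match(r"^urn:amazon:cognito:sp:(.+)$", settings.get("audience", ""))
    if not aud:
        return ["audience must be urn:amazon:cognito:sp:<userPoolId>"]
    pool = POOL_ID_RE.match(aud.group(1))
    if not pool:
        return [f"user pool ID {aud.group(1)!r} does not look like <region>_<id>"]
    pool_region = pool.group(1)

    parts = urlparse(callback_url)
    host = CALLBACK_HOST_RE.match(parts.hostname or "")
    if parts.scheme != "https" or host is None or parts.path != "/saml2/idpresponse":
        problems.append("callback must be https://<prefix>.auth.<region>.amazoncognito.com/saml2/idpresponse")
    elif host.group(2) != pool_region:
        problems.append(f"callback region {host.group(2)} != user pool region {pool_region}")

    if settings.get("nameIdentifierFormat") != PERSISTENT_NAMEID:
        problems.append("nameIdentifierFormat should be the SAML 2.0 persistent format")
    if settings.get("mappings", {}).get("email") != EMAIL_CLAIM:
        problems.append("mappings.email must be the emailaddress claim URI mapped in Cognito")
    return problems


if __name__ == "__main__":
    import json
    settings = build_saml_addon_settings(USER_POOL_ID)
    print(json.dumps(settings, indent=2))
    callback = cognito_callback_url(DOMAIN_PREFIX, REGION)
    print("callback:", callback)
    print("problems:", check_settings(settings, callback))
```

Leaving the default audience urn:foo in place is reported as a problem, which is the mistake the Debug step is most likely to surface; the same check catches a callback URL copied from a user pool in a different region.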
Get the IdP metadata for your Auth0 application
In the Addon: SAML2 Web App dialog box, on the Usage tab, find Identity Provider Metadata.
Then do either of the following:
- Right-click download, and then copy the URL.
- Choose download to download the .xml metadata file.
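Before uploading the metadata file to Amazon Cognito it is worth confirming that it really is identity provider metadata and carries what Cognito needs: an entityID, a signing certificate (without it assertion signatures cannot be verified), an HTTPS single sign-on endpoint, and the persistent NameID format chosen in the addon. The following Python script is an added example, not code from the original post or from Auth0 or AWS; the embedded metadata document is a constructed sample with placeholder entity ID, endpoint and certificate text, and the function names are my own.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT_NAMEID = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample standing in for the file from the Usage tab. The entity ID,
# endpoint and certificate text are placeholders, not real Auth0 values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="urn:example-tenant.auth0.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>BASE64-CERT-PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://example-tenant.auth0.com/samlp/CLIENT-ID-PLACEHOLDER"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://example-tenant.auth0.com/samlp/CLIENT-ID-PLACEHOLDER"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def inspect_idp_metadata(xml_text):
    """Pull out the fields Cognito relies on from SAML IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            certs += [c.text.strip() for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "sso_endpoints": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
    }


def metadata_problems(info):
    """Return a list of reasons this metadata would not work with the setup above."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["signing_certs"]:
        problems.append("no signing certificate, so assertion signatures cannot be verified")
    if not ({HTTP_POST, HTTP_REDIRECT} & set(info["sso_endpoints"])):
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    for binding, loc in info["sso_endpoints"].items():
        if not (loc or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https: {loc}")
    if info["nameid_formats"] and PERSISTENT_NAMEID not in info["nameid_formats"]:
        problems.append("IdP does not advertise the persistent NameID format configured in the addon")
    return problems


if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    info = inspect_idp_metadata(text)
    print(json.dumps(info, indent=2))
    print("problems:", metadata_problems(info))
```

Run it with the downloaded .xml file as the first argument; with no argument it inspects the constructed sample. The signing certificate it extracts is the one Cognito will use to verify the SAML response, so if Auth0 ever rotates its signing key the metadata in the user pool must be refreshed.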
Configure Auth0 as SAML IdP in Amazon Cognito
For more information, see creating and managing a SAML identity provider for a user pool.
Follow the instructions under To configure a SAML 2.0 identity provider in your user pool.
When creating the SAML IdP, for Metadata document, either paste the Identity Provider Metadata URL or upload the .xml metadata file.
Map email address from IdP attribute to user pool attribute
For more information, see specifying identity provider attribute mappings for your user pool and follow the instructions under To specify a SAML provider attribute mapping.
When adding a SAML attribute, for SAML Attribute, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
For User pool attribute, choose Email from the list.
Change app client settings in Amazon Cognito
- In the Amazon Cognito console management page for your user pool, under App integration, choose App client settings. Then do the following:
- Under Enabled identity providers, select the Auth0 and Cognito User Pool check boxes.
- For Callback URL(s), enter a URL where you want your users to be redirected after logging in. For testing, you can enter any valid URL, such as https://www.amazon.com.
- For Sign out URL(s), enter a URL where you want your users to be redirected after logging out. For testing, you can enter any valid URL, such as https://www.amazon.com.
- Under Allowed OAuth Flows, be sure to select at least the Implicit grant check box.
- Under Allowed OAuth Scopes, be sure to select at least the email and openid check boxes.
- Finally, choose Save changes.
Test the login endpoint
- Enter this URL in your web browser: https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/login?response_type=token&client_id=<yourClientId>&redirect_uri=<redirectUrl>
Note: Replace yourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the Domain name tab of the management page for your user pool.
- Replace yourClientId with your app client’s ID, and replace redirectUrl with your app client’s callback URL. Find them in the Amazon Cognito console on the App client settings tab of the management page for your user pool.
- Then, choose Auth0.
Note: If you’re redirected to your app client’s callback URL, you’re already logged in to your Auth0 account in your browser. The user pool tokens appear in the URL in your web browser’s address bar.
- On the login page for your Auth0 application, enter the email and password for the test user you created.
- Finally, choose Log in.
After you log in, you’re redirected to your app client’s callback URL. The user pool tokens appear in the URL in your web browser’s address bar.
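With the implicit grant the tokens come back in the URL fragment (the part after #), which is why they show up in the address bar and why the post reserves this flow for testing. The following Python script is an added example, not code from the original post or from AWS; it builds the login URL from the placeholders above, pulls the tokens out of a callback URL, decodes the ID token's claims and checks that the issuer, audience and token_use are the ones this user pool and app client should produce. The domain prefix, region, user pool ID and client ID are constructed placeholders, the sample token is built locally with a placeholder signature, and the function names are my own. Decoding here is for inspection only; nothing should trust the claims until the signature has been verified against the user pool's JWKS.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example values (assumptions, not from the original post).
DOMAIN_PREFIX = "example-prefix"
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_ExampleId1"
CLIENT_ID = "example-client-id"
REDIRECT_URL = "https://www.amazon.com"


def hosted_ui_login_url(domain_prefix, region, client_id, redirect_uri):
    """The /login URL from the post, with the placeholders filled in and URL-encoded."""
    query = urlencode({"response_type": "token", "client_id": client_id, "redirect_uri": redirect_uri})
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com/login?{query}"


def tokens_from_callback_url(url):
    """The implicit grant returns tokens in the fragment (after '#'), not the query string."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).fragment).items()}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Decode header and payload only; this does NOT verify the signature."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def check_id_token_claims(claims, region, user_pool_id, client_id, now=None):
    """Sanity-check the claims an ID token from this user pool must carry.

    The signature must still be verified against the pool's JWKS
    (https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json)
    before anything trusts these claims.
    """
    now = time.time() if now is None else now
    expected_iss = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} != {expected_iss!r}")
    if claims.get("aud") != client_id:
        problems.append(f"aud {claims.get('aud')!r} != app client ID {client_id!r}")
    if claims.get("token_use") != "id":
        problems.append("token_use is not 'id' (access tokens carry client_id, not aud)")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_sample_id_token(region, user_pool_id, client_id, email, exp):
    """Build a structurally valid but UNSIGNED token (placeholder signature) for offline testing."""
    header = {"alg": "RS256", "kid": "constructed-kid"}
    payload = {
        "iss": f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}",
        "aud": client_id, "token_use": "id", "email": email, "exp": exp,
    }
    parts = [_b64url_encode(json.dumps(header).encode()),
             _b64url_encode(json.dumps(payload).encode()),
             _b64url_encode(b"constructed-signature")]
    return ".".join(parts)


if __name__ == "__main__":
    print("open:", hosted_ui_login_url(DOMAIN_PREFIX, REGION, CLIENT_ID, REDIRECT_URL))
    # Constructed callback URL of the shape the browser lands on after login.
    sample = make_sample_id_token(REGION, USER_POOL_ID, CLIENT_ID, "test.user@example.com",
                                  int(time.time()) + 3600)
    landed = f"{REDIRECT_URL}/#id_token={sample}&expires_in=3600&token_type=Bearer"
    tokens = tokens_from_callback_url(landed)
    header, claims = decode_jwt_claims(tokens["id_token"])
    print("claims:", claims)
    print("problems:", check_id_token_claims(claims, REGION, USER_POOL_ID, CLIENT_ID))
```

To check a real login, paste the address-bar URL you land on into tokens_from_callback_url; the email claim in the decoded ID token should be the test user's address, which confirms the attribute mapping from the emailaddress claim worked end to end.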
Conclusion
In short, we saw how our Support Techs set up Auth0 as a SAML identity provider.