https://auth0.com/docs/integrations/aws
SSO with dashboard
step 1 - have a link that shows a user how to do this. (screenshot?)
step 3 - be specific => paste this into the settings area on the Settings tab.
-> on the Settings tab press "Save" (this is way off screen and not obvious)
step 4 - numbering restarts to 1? There is a lot to this that users may not get:
Configure Auth0 as the IdP for AWS. AWS will require importing the IdP Metadata. Scroll down on the same configuration screen on the Auth0 dashboard. Look for the Identity Provider Metadata link.
a. First at least point to the AWS documentation on setting up STS for SAML. Docs are here: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
b. The metadata download is not so obvious and the instructions are no longer correct. You need to do the following in Auth0:
-> click on the "Usage" tab
-> under the "Identity Provider Metadata" link, click on "download"
step 5 - Send AWS roles or write a Rule to map values to it, like this example:
I'm not sure what "Send AWS roles" means. The role needs to be injected into the SAML token; I don't think it will work otherwise. The only way I am aware of to get the roles into the token is as outlined. I suggest just saying: specify an AWS role with a rule as follows. The step of creating a role in AWS has also been skipped. The role has to be created in a specific way to allow its use to gain access to AWS. Here is the doc on AWS: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html The steps are:
-> from the IAM console, select Roles in the left menu, then select "Create New Role"
-> enter a role name and click Next
-> select "Role for Identity Provider Access" and click Next
-> select "Grant Web Single Sign-On (WebSSO) access to SAML providers"
-> accept the Role Trust proposed (this policy tells IAM to trust the Auth0 SAML IdP)
-> choose an appropriate access policy for this role. This defines the permissions that the user being granted this role will have within AWS. For example, to just let users read information in the console, select the ReadOnlyAccess policy.
-> select "Create Role"
I suggest having a step (Step 5) to set up the role, and Step 6 is:
Write a Rule to map the role to a user.
Point to our docs on rules.
The existing discussion about different options is good to keep.
There is a nice discussion that the role is really the Amazon Resource Name (ARN) of the role, followed by the ARN of the SAML provider. I screwed that up a while ago, and it's hard to figure out. I'd move this right above the rule code so users look at it first. It fails in non-obvious ways when you mess this up.
7. (There is no step 7 but there needs to be one :). You are now set up for single sign-on to AWS. To use the single sign-on, simply go to the sign-on on Auth0, and after signing in you will be redirected to AWS. You can see the URL for sign-in by going to the SAML2 add-on settings and clicking on Usage. You will see the Identity Provider Login URL defined. Go to that URL, and you will be brought to the Auth0 login.
Delegation section
This is a good overview, but it doesn't mention the add-on or refer to the more detailed setup we have. At the end, put a brief description of the AWS add-on and point to https://auth0.com/docs/aws-api-setup for detailed instructions. Also, for an example of how to define a server-side rule for assigning a role and an advanced use case, point to the Amazon API Gateway tutorial (https://auth0.com/docs/integrations/aws-api-gateway).
https://auth0.com/docs/aws-api-setup
The detail here is nice but needs to be updated.
Add at the start how to turn on delegation for the application (click the Addons tab, and enable Amazon Web Services).
Screens have changed on AWS and the flow has changed some. Needs an update. Let me know if you need more help with this.
Numbering is off; it goes from 2 back to 1 on step 3.
The Role interface in AWS has also changed. More steps, and you can now use pre-defined policies. Needs to be updated. Let me know if you need help with this.
Step 5 says Principal ARN but it is Provider ARN in the screen, which will be confusing. However, we use "principal" in other areas. So I suggest we just say here: copy the Provider ARN, and use this as the Principal ARN when obtaining the delegation token.
It'd be nice to then show the code for how to obtain the token at the end. Samples are both in the above page and in the API Gateway tutorial.
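As an added example (not code from this issue or from the Auth0 docs it reviews): an Auth0 rule of the kind step 5 asks for, which maps a role into the SAML assertion and first checks that the Role attribute is the role ARN followed by the SAML provider ARN, the ordering that the comment above says fails in non-obvious ways when reversed. The rule signature and context.samlConfiguration.mappings are the Auth0 Rules API; the app_metadata.aws_role field, the validator, the harness and every ARN value are assumptions constructed here.

```javascript
// Added example, not the issue's or the Auth0 docs' code. The rule signature and
// context.samlConfiguration.mappings are the Auth0 Rules API; app_metadata.aws_role,
// the validator, the harness and all ARN values are constructed assumptions.
const AWS_ROLE_ATTR = 'https://aws.amazon.com/SAML/Attributes/Role';
const AWS_SESSION_ATTR = 'https://aws.amazon.com/SAML/Attributes/RoleSessionName';

// AWS expects "roleArn,providerArn": the IAM role ARN first, then the SAML
// provider ARN, both in the same account. Returns null when valid, else a reason.
function validateAwsRoleAttribute(value) {
  const parts = String(value).split(',');
  if (parts.length !== 2) return 'expected "roleArn,providerArn"';
  const role = /^arn:aws:iam::(\d{12}):role\/[\w+=.@\-\/]+$/.exec(parts[0]);
  const provider = /^arn:aws:iam::(\d{12}):saml-provider\/[\w._\-]+$/.exec(parts[1]);
  if (!role) return 'first element must be the IAM role ARN';
  if (!provider) return 'second element must be the SAML provider ARN';
  if (role[1] !== provider[1]) return 'role and provider must be in the same AWS account';
  return null;
}

// The rule itself: reads a per-user role pair from app_metadata (assumed field),
// fails the login when it is malformed (clearer than a failure after the
// redirect to AWS), and maps it into the SAML assertion.
function awsRoleRule(user, context, callback) {
  const roleValue = user.app_metadata && user.app_metadata.aws_role;
  const problem = validateAwsRoleAttribute(roleValue);
  if (problem) return callback(new Error('AWS role attribute invalid: ' + problem));
  user.awsRole = roleValue;
  user.awsRoleSession = user.email; // becomes the RoleSessionName seen in CloudTrail
  context.samlConfiguration = context.samlConfiguration || {};
  context.samlConfiguration.mappings = {
    [AWS_ROLE_ATTR]: 'awsRole',
    [AWS_SESSION_ATTR]: 'awsRoleSession',
  };
  return callback(null, user, context);
}

// Constructed harness so the rule can be exercised outside Auth0.
function runAwsRoleRule(user) {
  let result;
  awsRoleRule(user, {}, (err, u, ctx) => { result = { err, user: u, context: ctx }; });
  return result;
}

// Constructed sample values; 123456789012 is a placeholder account id.
const GOOD_ROLE = 'arn:aws:iam::123456789012:role/Auth0ReadOnly,arn:aws:iam::123456789012:saml-provider/Auth0';
const SWAPPED_ROLE = 'arn:aws:iam::123456789012:saml-provider/Auth0,arn:aws:iam::123456789012:role/Auth0ReadOnly';
```

Running the rule with SWAPPED_ROLE fails the login with the reason in the error, instead of AWS rejecting the assertion after the redirect.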