Enable SAML

  1. Log in to your Auth0 account. In the left navigation menu select Users & Roles, then Users, and click the CREATE USER button.
  2. Create a new user with the email emr-developer@somecompany.com, enter a password, and click CREATE. This is the user that will authenticate through SAML and whose access to AWS Lake Formation tables and columns will be restricted with fine-grained permissions.
  3. Create a new Application: enter "AWS SSO" as the Name, select Regular Web Application as the application type, and click Create.
  4. After creating the application, open the Addons tab and enable SAML2 WEB APP.
  5. In the pop-up window that opens once SAML2 WEB APP is enabled, enter the following URL as the Application Callback URL, replacing public-dns with the public hostname of the Knox gateway that will receive the SAML response (the rest of the path is the KnoxSSO endpoint). This is the URL Auth0 will POST the SAML response to, so the host and port (HTTPS on 8442) must match what the gateway actually listens on.
    https://public-dns:8442/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client
    Then paste the following SAML configuration into the Settings box, scroll to the bottom and click Enable.
    {
        "audience":"urn:amazon:webservices",
        "mappings":{
            "email":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
            "name":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
        },
        "createUpnClaim":false,
        "passthroughClaimsWithNoMapping":false,
        "mapUnknownClaimsAsIs":false,
        "mapIdentities":false,
        "nameIdentifierFormat":"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "nameIdentifierProbes":[
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
        ]
    }
  6. On the same screen, click the Usage tab and download the Identity Provider Metadata. You will configure Auth0 as the Identity Provider (IdP) for AWS, which requires giving AWS this metadata (it carries the IdP entity ID, SSO endpoint and signing certificate). Keep the file on your local computer; you will upload it to an S3 bucket later.
  7. Map the IAM role for Lake Formation to the Auth0 user by creating a rule (these IAM roles are created as part of the CloudFormation stack). To create the rule, select Rules in the left navigation of your Auth0 account, select Empty rule, enter the following function, name the rule "LF-Rule" and save the changes.

    Note: Replace account-id (both occurrences) with the AWS Account ID you are using for this lab. The role and SAML provider ARNs must refer to resources that exist in that account, or AssumeRoleWithSAML will be rejected.

    function (user, context, callback) {
       // AWS expects the Role attribute as "<role ARN>,<SAML provider ARN>":
       // the pair tells STS which role to assume and which IdP vouched for the user.
       user.awsRole = 'arn:aws:iam::account-id:role/LF-SAML-Role-Auth0,arn:aws:iam::account-id:saml-provider/auth0SAMLProvider';
       // the username must not contain "@" - as it is not a valid Linux username;
       // strip the domain part (for a user created with only an email, user.name is that email)
       user.glueUser = user.name.replace(/@.*/, '');
    
       // Emit the two user properties as SAML attributes under the names AWS and Lake Formation read
       context.samlConfiguration.mappings = {
           'https://aws.amazon.com/SAML/Attributes/Role': 'awsRole',
           'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'glueUser',
           'https://lakeformation.amazon.com/SAML/Attributes/Username': 'glueUser'
       };
    
       callback(null, user, context);
    }
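As an added example (not part of this lab, and not Auth0's or AWS's own code), the Python script below checks a SAML response for the properties the addon settings and rule above are meant to produce: the urn:amazon:webservices audience, a persistent NameID, a single Role attribute of the form role ARN,provider ARN with both ARNs in the lab account, and a RoleSessionName and Lake Formation Username that carry the same "@"-free value. The sample response is constructed inline to mirror this configuration; the account ID 123456789012 and the hypothetical account 999999999999 are placeholders. Run it on a decoded SAML response captured from the browser before debugging on the AWS side. It does not verify the XML signature (AWS does), so treat it as a structural sanity check only.

```python
# Structural checks on a SAML response against the Auth0 addon settings and rule used in this lab.
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
LF_USER_ATTR = "https://lakeformation.amazon.com/SAML/Attributes/Username"
AWS_AUDIENCE = "urn:amazon:webservices"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")  # STS RoleSessionName constraint


def derive_glue_user(username):
    """Same transformation as the rule's user.name.replace(/@.*/, '')."""
    return re.sub(r"@.*", "", username)


def sample_response(account_id, username, role_value=None):
    """Constructed SAML response shaped like the one this configuration emits (not a real capture)."""
    glue_user = derive_glue_user(username)
    role_value = role_value or (f"arn:aws:iam::{account_id}:role/LF-SAML-Role-Auth0,"
                                f"arn:aws:iam::{account_id}:saml-provider/auth0SAMLProvider")
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="{PERSISTENT}">{username}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{AWS_AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue>{role_value}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{SESSION_ATTR}"><saml:AttributeValue>{glue_user}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{LF_USER_ATTR}"><saml:AttributeValue>{glue_user}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attributes(assertion):
    """Map attribute Name -> list of its values."""
    out = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return out


def check_role_value(value, account_id):
    """Validate 'role ARN,provider ARN' (either order) and that both live in account_id."""
    parts = value.split(",")
    if len(parts) != 2:
        return "Role value must be 'role-arn,provider-arn'"
    role = next((ROLE_ARN.match(p) for p in parts if ROLE_ARN.match(p)), None)
    prov = next((PROVIDER_ARN.match(p) for p in parts if PROVIDER_ARN.match(p)), None)
    if role is None or prov is None:
        return "Role value needs one role ARN and one saml-provider ARN"
    if not (role.group(1) == prov.group(1) == account_id):
        return "role and provider ARNs must both be in the lab account"
    return None


def check_saml_response(xml_text, account_id):
    """Return the list of problems found; an empty list means the response matches this lab's setup."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != AWS_AUDIENCE:
        problems.append(f"audience {audience!r} is not {AWS_AUDIENCE!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID missing or not in persistent format")
    attrs = attributes(assertion)
    roles = attrs.get(ROLE_ATTR, [])
    if len(roles) != 1:
        problems.append(f"expected exactly one Role attribute value, found {len(roles)}")
    else:
        err = check_role_value(roles[0], account_id)
        if err:
            problems.append(err)
    session = attrs.get(SESSION_ATTR, [""])[0]
    lf_user = attrs.get(LF_USER_ATTR, [""])[0]
    if not SESSION_NAME.match(session):
        problems.append(f"RoleSessionName {session!r} violates the STS format constraint")
    if not lf_user or "@" in lf_user:
        problems.append("Lake Formation Username must be a Linux-style name without '@'")
    elif session != lf_user:
        problems.append("RoleSessionName and Lake Formation Username should carry the same value")
    return problems


if __name__ == "__main__":
    ok = sample_response("123456789012", "emr-developer@somecompany.com")
    print(check_saml_response(ok, "123456789012"))   # no problems for a matching response
    print(check_saml_response(ok, "999999999999"))   # flags the account mismatch
```

To check a real response, base64-decode the SAMLResponse form field captured from the browser and pass the XML text to check_saml_response together with your account ID; the audience and attribute names are the ones AWS and Lake Formation read, so any reported problem maps directly to one of the settings or rule lines above.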
    
For more details, see AWS Integration in Auth0, the page on the Auth0 documentation website that describes how to set up single sign-on (SSO) with the AWS Management Console.