Update Callback URL

In this exercise, you will make your IdP callback URL to reflect Amazon EMR master DNS. Depending on which IdP you configured, follow the corresponding steps to update the settings.

First, take a note for the value EMRMasterNodeDNS from the CloudFormation stack Lake-Formation-With-EMR output.

For Auth0

  1. Login into the Auth0 account and select AWS SSO Application and under Setting tab replace Allowed Callback URLs public-dns with EMR Master Node DNS.
  2. Scroll down to the bottom of the page and click on SAVE CHANGES.

For Okta

  1. Login into Okta account and select Lake-Formation application. Then go to General tab -> SAML Settings -> Configure SAML section. Edit the Single sign-on URL field by replacing public-dns with the Amazon EMR master node DNS.
  2. Scroll down to the bottom of the page and click on Next and then click on Finish on the Feedback tab.


  1. Login into Windows Server 2019 you connected in the previous chapter, Open PowerShell and execute the following commands after making the required changes. You can use a Text editor to make these changes.

    Here we are downloading Knox public certificate from S3 bucket (as part of EMR Step during EMR cluster creation we have extracted Knox public certificate and uploaded to your S3 bucket) and updating Relying Party Trust with Knox certificate, Claim Rules as well as SAML endpoint URL with Amazon EMR cluster's master DNS. You can download this script update-callback.bat here.

    Please make sure to replace account-id with your AWS AccountId and public-dns with EMR cluster’s Master Public DNS. You can find the value in CloudFormation stack output EMRMasterNodeDNS.

    Copy-S3Object -BucketName lf-workshop-account-id -Key metadata/knox.cer -LocalFile C:\\cfn\knox.cer
        $KnoxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
            $EP = New-AdfsSamlEndpoint -Binding "POST" -Protocol "SAMLAssertionConsumer" -Uri "https://public-dns:8442/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client“
            $RuleSetAll = New-AdfsClaimRuleSet -ClaimRule ('c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
            => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");','c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
            => issue(store = "Active Directory", types = ("https://aws.amazon.com/SAML/Attributes/RoleSessionName"), query = ";sAMAccountName;{0}", param = c.Value);','c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
            => issue(store = "Active Directory", types = ("https://lakeformation.amazon.com/SAML/Attributes/Username"), query = ";sAMAccountName;{0}", param = c.Value);','=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = "arn:aws:iam::account-id:role/LF-SAML-Role-ADFS,arn:aws:iam::account-id:saml-provider/ADFSSAMLProvider");')
              Set-AdfsRelyingPartyTrust -TargetIdentifier urn:amazon:webservices -RequestSigningCertificate $KnoxCert -SamlEndpoint $EP  -IssuanceTransformRules $RuleSetAll.ClaimRulesString