
I am trying to configure AWS SSO to work with Auth0 as an External Identity Provider. I have made it to the point where the Auth0 login succeeds, but AWS throws me an error.

Error I get after logging in via Auth0: [screenshot]

Steps I have taken

Go to Auth0 Application > Addons > SAML2 Web App

Application Callback URL: {{ AWS SSO ACS URL}}

Settings:

{
    "audience": "{{ AWS SSO Sign-in URL}}",
    "destination": "{{ AWS SSO issuer URL}}",
    "mappings": {
        "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    },
    "signResponse": false,
    "createUpnClaim": false,
    "passthroughClaimsWithNoMapping": false,
    "mapUnknownClaimsAsIs": false,
    "mapIdentities": true,
    "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "nameIdentifierProbes": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    ]
}

SAML response: https://gist.github.com/Rohithzr/9bf1bc854e8a3ad79e68e1d41fbc7154

Can anyone help me? I am not really getting any logs to debug from AWS.

Rohit Hazra

1 Answer


Good news, I think I just figured this out!

I followed a different guide to configure Okta with AWS SSO and then compared some of the differences between that and the Auth0 guide. I made three changes and got this working with Auth0 + AWS SSO.

{
  "audience": "{{AWS SSO issuer URL}}",
  "destination": "{{AWS SSO ACS URL}}",
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  },
  "createUpnClaim": true,
  "passthroughClaimsWithNoMapping": false,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": false,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

The three key changes were:

  1. the audience should be the AWS SSO issuer URL, not the sign-in URL
  2. the destination should be the AWS SSO ACS URL, not the issuer URL
  3. the nameIdentifierFormat should be urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (this is the same value you have... I'm only calling it out because the Auth0 AWS SSO guide says urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, which doesn't seem to work; sharing in case others read this post).
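Since AWS SSO gives the asker no logs, the practical way to confirm the three settings above is to decode the SAMLResponse Auth0 posts (the browser's network tab, or the SAML-tracer extension, shows the base64 form) and check the assertion's Audience, Destination and NameID Format against the values AWS SSO published. The script below is an added example, not code from the question, the answer or Auth0; it uses only the Python standard library. The URLs are constructed placeholders on an `.invalid` domain, and `build_sample_response` fabricates a minimal unsigned response so the checker runs offline; a real response would be signed and carry more elements, which the checker ignores. The Recipient check on SubjectConfirmationData is an extra check the answer does not mention; AWS-side validation of that attribute is an assumption, not something the page states.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# NameID format the answer reports as working with AWS SSO.
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Format the Auth0 guide suggests and the answer reports as not working.
PERSISTENT_NAMEID = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed placeholder values standing in for the three URLs AWS SSO
# publishes for an external IdP. They are not real AWS endpoints.
SIGN_IN_URL = "https://d-example.awsapps.invalid/start"
ISSUER_URL = "https://sso.example.invalid/platform/saml/EXAMPLEID"
ACS_URL = "https://sso.example.invalid/platform/saml/acs/EXAMPLEID"


def check_saml_response(saml_response_b64, expected_issuer_url, expected_acs_url):
    """Decode a base64 SAMLResponse and return {check_name: (ok, observed)}
    for the settings the answer corrects: Audience must be the AWS SSO
    issuer URL, Destination (and Recipient) the ACS URL, NameID in the
    emailAddress format."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response element: %s" % root.tag)

    results = {}

    # Destination is an attribute on the top-level samlp:Response.
    destination = root.get("Destination")
    results["destination_is_acs_url"] = (destination == expected_acs_url, destination)

    # Audience lives under Assertion/Conditions/AudienceRestriction.
    audiences = [
        a.text for a in root.findall(
            ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    results["audience_is_issuer_url"] = (expected_issuer_url in audiences, audiences)

    # NameID format is an attribute on Subject/NameID.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    results["nameid_is_email_format"] = (fmt == EMAIL_NAMEID, fmt)

    # Extra check (assumption, not from the page): the bearer confirmation's
    # Recipient should also be the ACS URL that received the POST.
    scd = root.find(".//saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    results["recipient_is_acs_url"] = (recipient == expected_acs_url, recipient)

    return results


def all_ok(results):
    return all(ok for ok, _ in results.values())


def build_sample_response(audience, destination, nameid_format, recipient):
    """Constructed, unsigned SAML response used only so the checker can run
    offline. Real Auth0 output is signed and carries more elements."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" Destination="{destination}">
  <saml:Issuer>urn:example-auth0-tenant</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>urn:example-auth0-tenant</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{nameid_format}">alice@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2020-01-01T00:10:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T00:10:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # Mirrors the question's config: audience = sign-in URL, destination = issuer URL.
    broken = build_sample_response(SIGN_IN_URL, ISSUER_URL, EMAIL_NAMEID, ISSUER_URL)
    # Mirrors the answer's config: audience = issuer URL, destination = ACS URL.
    fixed = build_sample_response(ISSUER_URL, ACS_URL, EMAIL_NAMEID, ACS_URL)
    for label, resp in (("question config", broken), ("answer config", fixed)):
        print(label)
        for name, (ok, observed) in check_saml_response(resp, ISSUER_URL, ACS_URL).items():
            print("  %-26s %s  (%s)" % (name, "ok" if ok else "FAIL", observed))
```

To use it against a real login, paste the SAMLResponse form field into `check_saml_response` together with the issuer and ACS URLs from the AWS SSO external IdP page; a failing `audience` or `destination` line points straight at the swapped settings from the question, while a failing `nameid` line points at the persistent format from the Auth0 guide.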