How do I set up Auth0 as a SAML identity provider with an Amazon Cognito user pool?


I want to set up Auth0 as a SAML 2.0 identity provider (IdP) with an Amazon Cognito user pool.

Short description

You must have a Cognito user pool with an app client and a domain name, and an Auth0 account with an Auth0 application in it. For more information, see User pool sign-in with third party identity providers and Using SAML identity providers with a user pool.

Resolution

Create a Cognito user pool with an app client and domain name

For information, see the following AWS Documentation:

Sign up for an Auth0 account

If you don't already have an Auth0 account, then sign up for one on the Auth0 Sign Up website.

Create an Auth0 application

Complete the following steps:

  1. On the Auth0 Dashboard, choose Applications, and then choose Create Application.
  2. In the Create Application box, enter a name for your application, for example My App.
  3. Under Choose an application type, choose Single Page Web Applications.
  4. Choose Create.

Create a test user for your Auth0 application

Complete the following steps:

  1. In the navigation pane of the Auth0 Dashboard, choose User Management, and then choose Users.
  2. Choose Create Your First User or Create User.
  3. In the Create user box, enter an email and password for the test user.
  4. Choose Save.

Configure SAML settings for your application

Complete the following steps:

  1. In the navigation pane of the Auth0 Dashboard, choose Applications.
  2. Choose the name of the application that you created.
  3. On the Addons tab, turn on SAML2 Web App.
  4. In the Addon: SAML2 Web App box, on the Settings tab, for Application Callback URL enter: https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse.
    Note: Replace yourDomainPrefix and region with the domain prefix and AWS Region of your user pool. You can find them on the Domain name tab of the Management page for your user pool. Or, if you use a custom domain, enter a callback URL of the form https://yourCustomDomain/saml2/idpresponse.
  5. Under Settings, for audience, delete the comment delimiter (//) and replace the default value urn:foo with urn:amazon:cognito:sp:yourUserPoolId.
    Note: Replace yourUserPoolId with your Cognito user pool ID. You can find the ID on the General settings tab of the Management page for your user pool.
  6. For mappings and email, delete the comment delimiters (//). Delete any other user attributes that your user pool requires.
  7. For nameIdentifierFormat, delete the comment delimiters (//). Replace the default value urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified with urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
  8. (Optional) Choose Debug. To confirm that the configuration works, log in as the test user.
  9. Choose Enable, and then choose Save.
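The three edits in steps 4, 5 and 7 are the ones that most often go wrong (a line left commented out silently keeps the addon's default). The following Python is an added example, not part of the original article or of Auth0's or AWS's code: it generates the Application Callback URL and the Settings JSON for the SAML2 Web App addon from a user pool ID, domain prefix and Region, and checks a settings document for the defaults that must not remain. The pool ID, domain prefix and Region values are constructed samples.

```python
import json
import re

# Constructed sample identifiers for this example; substitute your own pool's values.
SAMPLE_USER_POOL_ID = "us-east-1_EXAMPLE01"
SAMPLE_DOMAIN_PREFIX = "my-app-example"
SAMPLE_REGION = "us-east-1"

# Values the Auth0 "SAML2 Web App" addon falls back to while the lines stay commented out.
AUTH0_DEFAULT_AUDIENCE = "urn:foo"
AUTH0_DEFAULT_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Values Cognito expects (from the article).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
PERSISTENT_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Cognito user pool IDs look like "<region>_<alphanumeric>".
USER_POOL_ID_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+_[A-Za-z0-9]+$")


def saml_callback_url(domain_prefix, region, custom_domain=None):
    """Application Callback URL for the addon: Cognito's SAML response endpoint."""
    host = custom_domain or f"{domain_prefix}.auth.{region}.amazoncognito.com"
    return f"https://{host}/saml2/idpresponse"


def saml_audience(user_pool_id):
    """The SP entity ID Cognito expects in the assertion's Audience element."""
    if not USER_POOL_ID_RE.match(user_pool_id):
        raise ValueError(f"not a Cognito user pool ID: {user_pool_id!r}")
    return f"urn:amazon:cognito:sp:{user_pool_id}"


def build_auth0_saml_addon_config(user_pool_id, domain_prefix, region, custom_domain=None):
    """Callback URL plus the Settings JSON with the article's edits applied."""
    return {
        "application_callback_url": saml_callback_url(domain_prefix, region, custom_domain),
        "settings": {
            "audience": saml_audience(user_pool_id),
            "mappings": {"email": EMAIL_CLAIM},
            "nameIdentifierFormat": PERSISTENT_NAMEID_FORMAT,
        },
    }


def check_auth0_saml_settings(settings, user_pool_id):
    """Return a list of misconfigurations; an empty list means the edits took effect.
    A missing key is treated as the addon default (the line was left commented out)."""
    problems = []
    expected_audience = saml_audience(user_pool_id)
    audience = settings.get("audience", AUTH0_DEFAULT_AUDIENCE)
    if audience != expected_audience:
        problems.append(f"audience is {audience!r}; Cognito expects {expected_audience!r}")
    if settings.get("mappings", {}).get("email") != EMAIL_CLAIM:
        problems.append("mappings.email is not the emailaddress claim URI, so the Email "
                        "attribute mapping in Cognito will find nothing")
    if settings.get("nameIdentifierFormat", AUTH0_DEFAULT_NAMEID_FORMAT) != PERSISTENT_NAMEID_FORMAT:
        problems.append("nameIdentifierFormat is not persistent; the NameID must be stable "
                        "for the same user across logins")
    return problems


if __name__ == "__main__":
    config = build_auth0_saml_addon_config(SAMPLE_USER_POOL_ID, SAMPLE_DOMAIN_PREFIX, SAMPLE_REGION)
    print(json.dumps(config, indent=2))
    print("problems with untouched defaults:", check_auth0_saml_settings({}, SAMPLE_USER_POOL_ID))
```

Running the script prints the JSON to paste into the Settings tab and, for an empty settings document, the three problems the untouched defaults cause; paste your own saved settings into check_auth0_saml_settings to confirm nothing was left commented out.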

Get the IdP metadata for your Auth0 application

In the Addon: SAML2 Web App box, on the Usage tab, find Identity Provider Metadata. Either note the URL that the download link points to, or choose download to save the .xml metadata file.

Configure Auth0 as SAML IdP in Cognito

When you create the SAML IdP, for Metadata document, either enter the Identity Provider Metadata URL or upload the .xml metadata file.

For more information, see Adding and managing SAML identity providers in a user pool.

Map email address from IdP attribute to user pool attribute

For SAML Attribute, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. For User pool attribute, choose Email.

For more information, see Mapping IdP attributes to profiles and tokens.
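Before handing the metadata document to Cognito it is worth checking that it actually contains what Cognito relies on: a signing certificate (to verify assertion signatures), an HTTPS SingleSignOnService endpoint with the HTTP-POST binding, and the persistent NameID format configured in the addon. The following Python is an added example, not part of the original article or of AWS's or Auth0's code. It parses a constructed sample of an Auth0 IdP metadata document, reports what is missing, and assembles the keyword arguments for the real boto3 cognito-idp create_identity_provider call (MetadataURL or MetadataFile plus the email attribute mapping from the previous section); the tenant name, client ID and certificate text in the sample are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample in the shape of an Auth0 IdP metadata document (placeholder tenant, client ID and cert).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:example-tenant.auth0.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>MIIBexampleCERT==</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example-tenant.auth0.com/samlp/EXAMPLECLIENTID"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example-tenant.auth0.com/samlp/EXAMPLECLIENTID"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Pull out the parts of the IdP metadata that the Cognito integration depends on."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; this is not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                certs.append(cert.text.strip())
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "sso": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
    }


def check_idp_metadata(meta):
    """Return the reasons this metadata would fail or weaken the Cognito integration."""
    problems = []
    if not meta["signing_certs"]:
        problems.append("no signing certificate: assertion signatures cannot be verified")
    if HTTP_POST_BINDING not in meta["sso"]:
        problems.append("no HTTP-POST SingleSignOnService binding")
    for binding, location in meta["sso"].items():
        if not (location or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not HTTPS: {location!r}")
    if PERSISTENT_NAMEID_FORMAT not in meta["name_id_formats"]:
        problems.append("persistent NameID format is not advertised; check nameIdentifierFormat in the addon")
    return problems


def cognito_identity_provider_params(user_pool_id, metadata_url=None, metadata_xml=None, provider_name="Auth0"):
    """Keyword arguments for boto3's cognito-idp create_identity_provider (a real API; the
    values are ours). Exactly one of metadata_url / metadata_xml must be given."""
    if (metadata_url is None) == (metadata_xml is None):
        raise ValueError("supply exactly one of metadata_url or metadata_xml")
    details = {"MetadataURL": metadata_url} if metadata_url else {"MetadataFile": metadata_xml}
    return {
        "UserPoolId": user_pool_id,
        "ProviderName": provider_name,
        "ProviderType": "SAML",
        "ProviderDetails": details,
        "AttributeMapping": {"email": EMAIL_CLAIM},  # the mapping from the section above
    }


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", meta["entity_id"], "problems:", check_idp_metadata(meta) or "none")
    params = cognito_identity_provider_params("us-east-1_EXAMPLE01", metadata_xml=SAMPLE_METADATA)
    print(params["ProviderDetails"].keys(), params["AttributeMapping"])
    # To apply for real: boto3.client("cognito-idp").create_identity_provider(**params)
```

The script deliberately does not call AWS; once check_idp_metadata returns an empty list, pass the returned dictionary to boto3's create_identity_provider (or set the same values in the console) and the email mapping is created together with the provider.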

Change app client settings in Cognito

Complete the following steps:

  1. Open the Cognito console.
  2. Select your user pool.
  3. On the Management page for your user pool, under Applications, choose Select your desired app client.
  4. Under Login Pages, edit your managed login pages configuration.
  5. Under Identity providers, select Auth0 and Cognito User Pool.
  6. For Allowed Callback URL(s), enter the URL where you want your users to be redirected after they log in. To test authentication, you can enter any valid URL, such as https://www.amazon.com.
  7. For Allowed Sign-out URL(s), enter the URL where you want your users to be redirected after they log out. To test authentication, you can enter any valid URL, such as https://www.amazon.com.
  8. Under Allowed OAuth Flows, select at least Implicit grant.
  9. Under Allowed OAuth Scopes, select at least email and openid.
  10. Choose Save changes.

For more information, see App client terms.

Test the login endpoint

Complete the following steps:

  1. Enter the https://yourDomainPrefix.auth.region.amazoncognito.com/login?response_type=token&client_id=yourClientId&redirect_uri=redirectUrl URL in your web browser.
  2. Replace yourDomainPrefix and region with the values for your user pool. You can find them on the Domain name tab under Branding of the Management page for your user pool.
  3. Replace yourClientId with your app client's ID, and replace redirectUrl with your app client's callback URL. You can find them on the App client settings tab under Application of the Management page for your user pool. For more information, see The managed login sign-in endpoint: /login.
  4. Choose Auth0.
    Note: If you're redirected to your app client's callback URL, then you're already logged in to your Auth0 account in your browser.
  5. On the login page for your Auth0 application, enter the email and password for the test user.
  6. Choose Log in.

After you log in, you're redirected to your app client's callback URL. The user pool tokens appear in the URL in your web browser's address bar.
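With the implicit grant the tokens land in the URL fragment, and an application must not trust them merely because they arrived at the callback URL. The following Python is an added example, not part of the original article or of AWS's code: it builds the /login URL from the placeholders above (percent-encoding redirect_uri, which must match an allowed callback URL exactly), extracts the tokens from a callback URL, and runs the claim checks for a Cognito ID token (iss, aud, token_use, exp). The token it inspects is a constructed, unsigned sample with placeholder values; the claim checks are what you run after, never instead of, verifying the RS256 signature against the user pool's JWKS.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values; none are real identifiers.
SAMPLE_REGION = "us-east-1"
SAMPLE_USER_POOL_ID = "us-east-1_EXAMPLE01"
SAMPLE_CLIENT_ID = "1example23456789abcdef"
SAMPLE_REDIRECT_URI = "https://www.amazon.com"


def managed_login_url(domain_prefix, region, client_id, redirect_uri, scopes=("openid", "email")):
    """The /login URL from the article. urlencode percent-encodes redirect_uri, which must
    match one of the app client's allowed callback URLs character for character."""
    query = urlencode({
        "response_type": "token",  # implicit grant: tokens come back in the URL fragment
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    })
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com/login?{query}"


def tokens_from_callback_url(url):
    """Implicit-grant tokens arrive in the fragment (#...), which the browser keeps client-side."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).fragment).items()}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Split a compact JWS into (header, claims) WITHOUT checking the signature."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def check_id_token_claims(token, region, user_pool_id, client_id, now=None):
    """Claim checks for a Cognito ID token. Run them AFTER verifying the RS256 signature with
    the pool's JWKS (https://cognito-idp.<region>.amazonaws.com/<pool>/.well-known/jwks.json);
    on their own they say nothing about who issued the token."""
    now = time.time() if now is None else now
    header, claims = decode_jwt_unverified(token)
    expected_issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}; Cognito signs with RS256")
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} is not this user pool")
    if claims.get("token_use") != "id":
        problems.append("token_use is not 'id' (access tokens carry client_id instead of aud)")
    if claims.get("aud") != client_id:
        problems.append("aud does not match this app client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token is expired or has no exp")
    return problems


def _constructed_sample_token(claims):
    """Build an UNSIGNED sample token for the demo; the signature segment is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'exampleKid'})}.{enc(claims)}.placeholderSignature"


SAMPLE_CLAIMS = {
    "iss": f"https://cognito-idp.{SAMPLE_REGION}.amazonaws.com/{SAMPLE_USER_POOL_ID}",
    "aud": SAMPLE_CLIENT_ID,
    "token_use": "id",
    "exp": 4102444800,  # constructed; far in the future
    "email": "testuser@example.com",
    "cognito:username": "auth0_exampleuser",  # federated users get a provider-prefixed username
}
SAMPLE_CALLBACK_URL = (
    f"{SAMPLE_REDIRECT_URI}/#id_token={_constructed_sample_token(SAMPLE_CLAIMS)}"
    "&access_token=accessTokenPlaceholder&expires_in=3600&token_type=Bearer"
)


if __name__ == "__main__":
    print(managed_login_url("my-app-example", SAMPLE_REGION, SAMPLE_CLIENT_ID, SAMPLE_REDIRECT_URI))
    tokens = tokens_from_callback_url(SAMPLE_CALLBACK_URL)
    print("token_type:", tokens["token_type"], "expires_in:", tokens["expires_in"])
    print("claim problems:", check_id_token_claims(tokens["id_token"], SAMPLE_REGION,
                                                   SAMPLE_USER_POOL_ID, SAMPLE_CLIENT_ID) or "none")
```

Paste the callback URL from your own browser into tokens_from_callback_url to see the same claims on a real token; because the fragment never reaches a web server, any server-side check has to receive the token from the client explicitly.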

Related information

Understanding user pool JSON web tokens (JWTs)

Configuring your third-party SAML identity provider

How do I set up a third-party SAML identity provider with an Amazon Cognito user pool?

2 Comments

How can I use a custom attribute? I am putting in a lot of effort to map the user_metadata from Auth0 into my Cognito PreSignUpTrigger user attributes, but unfortunately, I'm not succeeding :(

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT, replied 2 years ago