SSO: Configuring Auth0 as your identity provider
You can configure Auth0 as the single sign-on (SSO) identity provider (IdP) of your digital workplace. To do this, you must have the ability to create an application within Auth0 and also be able to access the Sign In Settings page of your digital workplace.
Note: When testing your configuration, make sure that the account you are trying to sign in with is in both your IdP and digital workplace.
How to configure Auth0 as your identity provider
Follow these steps to configure Auth0 as the SSO IdP of your digital workplace.
Part A: Configure settings in Auth0
1. From your Auth0 dashboard, select Applications from the navigation menu.
2. On the Applications page, click the "+ Create Application" button.
3. In the "Create Application" window, enter a name for the new application, select Native as the application type, and then click the Create button.
4. Go to the Addons tab of your application. You can get to this page from the Applications page (accessed from the sidebar navigation menu) by clicking the "Addons" button (</>) in the row next to the application you created.
5. On the Addons page, click the "SAML2 WEB APP" button.
6. In the SAML2 Web App window, enter the Application Callback URL of your digital workplace, and then click the Enable button. The Application Callback URL (the Igloo SAML endpoint) is your digital workplace URL followed by /saml.digest, for example https://yourdigitalworkplace.com/saml.digest.
7. Go to the Rules page. You can find a link to this page on the sidebar navigation menu.
8. On the Rules page, click the "+ Create Rule" button.
9. Find and select the "Remove attribute from a user" rule.
10. Replace the default script of the "Remove attribute from a user" rule with:
    ```javascript
    function (user, context, callback) {
      // Profile attributes listed here are deleted before the SAML assertion is
      // built, so they are never sent to the digital workplace.
      const blacklist = ['picture', 'user_id'];
      Object.keys(user).forEach(function (key) {
        if (blacklist.indexOf(key) > -1) {
          delete user[key];
        }
      });
      callback(null, user, context);
    }
    ```
11. Save this rule change.
12. Go to the Rules page again. You can find a link to this page on the sidebar navigation menu.
13. On the Rules page, click the "+ Create Rule" button.
14. Find and select the "SAML Attributes mapping" rule.
15. Replace the default script of the "SAML Attributes mapping" rule with:
    ```javascript
    function (user, context, callback) {
      // Maps Auth0 profile fields (right-hand side) to the SAML attribute names
      // (left-hand side) that will appear in the assertion.
      context.samlConfiguration.mappings = {
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "email",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "user_metadata.given_name",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "app_metadata.family_name"
      };
      callback(null, user, context);
    }
    ```
16. Save this rule change.
17. Go to the Settings tab of your application. You can get to this page from the Applications page (accessed from the sidebar navigation menu) by clicking the "Settings" button (cog icon) in the row next to the application you created.
18. Scroll to the bottom of the Settings tab and click "Show Advanced Settings".
19. Go to the Certificate tab of Advanced Settings and click Download Certificate (as a PEM file). You need the text of this certificate in Part B, step 4.
20. Go to the Endpoints tab of Advanced Settings and copy the SAML Protocol URL for use in Part B, step 4.
Part B: Configure settings in your digital workplace
1. Log into your digital workplace.
2. Click the cog on the Userbar and select Sign In Settings from the Membership section of the Control Panel.
3. On the Sign In Settings page, click the Configure SAML Authentication link. If you do not see this link, contact Igloo Support.
4. Configure the General Configuration fields:
   - Connection Name: Enter a descriptive name for this connection.
   - IdP Login URL: Enter the SAML Protocol URL that you copied in Part A, step 20.
   - IdP Logout URL: Enter the domain of the URL that you copied in Part A, step 20, followed by /logout. For example, https://dev-80ve8rc0.auth0.com/logout.
   - Logout Response and Request HTTP Type: Select Basic.
   - Logout Final Redirect URL: Enter the URL of a logout destination page, or leave blank.
   - Binding Type: Select Post.
   - Public Certificate: Paste in the text of the certificate that you downloaded in Part A, step 19.
5. Configure the Response and Authentication Configuration fields:
   - Identity Provider: Select Other.
   - Identifier Type: Select Email Address.
   - Identifier Path: Enter the value:
     /samlp:Response/saml:Assertion/saml:Subject/saml:NameID
   - Session Index Path: Enter the value:
     /samlp:Response/saml:Assertion/saml:AuthnStatement
   - Email Path: Enter the value:
     /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="Email"]/saml:AttributeValue
   - First Name Path: Enter the value:
     /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="FName"]/saml:AttributeValue
   - Last Name Path: Enter the value:
     /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="LName"]/saml:AttributeValue
   - Drift Time (In Seconds): Leave this field at the default value of 5.
6. For User creation on Sign in, select how to handle account creation for users who authenticate but do not have an existing account. If your digital workplace uses the ILST to manage members, select "Do not create new users when they sign in" to avoid creating duplicate user accounts.
7. For the User creation on Sign in Settings, select how members navigate to the SSO sign-in page:
   - "Use the SAML button on Sign-in screen" adds an SSO sign-in button to the Igloo Authentication page.
   - "Redirect all users to IdP" sends members to your SSO sign-in page if they attempt to access the workplace without an existing session.
8. Click the Save button to apply these settings.
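As an added illustration (not Igloo's or Auth0's code) of what the Response and Authentication paths above actually select, and of how the Drift Time setting widens the assertion's validity window, the Python below parses a constructed, unsigned SAML response with the standard library and evaluates the same paths. The paths are rewritten relative to the samlp:Response root with single-quoted predicates, because ElementTree cannot evaluate the absolute /samlp:Response/... form; the sample values (alice@example.com, the session index, the timestamps, the issuer) are constructed. The second sample response shows that the @Name predicate is an exact match: if the attribute the IdP emits is not literally named FName, the path returns nothing and the field stays empty. Signature verification is deliberately left out; the digital workplace performs it with the Public Certificate from step 4, and none of these fields should be trusted until that check has passed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 2.0 namespace prefixes used by the paths configured in Part B.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The Part B paths, made relative to the samlp:Response root (ElementTree
# cannot evaluate the absolute "/samlp:Response/..." form) and with
# single-quoted attribute predicates.
PATHS = {
    "identifier": "./saml:Assertion/saml:Subject/saml:NameID",
    "session_index": "./saml:Assertion/saml:AuthnStatement",
    "email": "./saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='Email']/saml:AttributeValue",
    "first_name": "./saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='FName']/saml:AttributeValue",
    "last_name": "./saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='LName']/saml:AttributeValue",
}

# Constructed sample response (unsigned, illustration only; all values are made up).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:55Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionIndex="_session1"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response, but the first-name attribute carries a claim-URI name instead
# of "FName": the configured path then matches nothing.
SAMPLE_RESPONSE_CLAIM_URI = SAMPLE_RESPONSE.replace(
    'Name="FName"',
    'Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"',
)


def extract_fields(xml_text):
    """Evaluate each configured path and return the selected values.

    The Session Index Path selects the AuthnStatement element, so its
    SessionIndex attribute is read; every other path selects an element
    whose text is the value. A path that matches nothing yields None.
    """
    root = ET.fromstring(xml_text)
    fields = {}
    for name, path in PATHS.items():
        node = root.find(path, NS)
        if node is None:
            fields[name] = None
        elif name == "session_index":
            fields[name] = node.get("SessionIndex")
        else:
            fields[name] = (node.text or "").strip()
    return fields


def _parse_utc(stamp):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def within_validity_window(xml_text, now_utc, drift_seconds=5):
    """Apply the assertion's NotBefore/NotOnOrAfter conditions with clock drift.

    now_utc is a 'YYYY-MM-DDTHH:MM:SSZ' string. Drift widens the window on
    both sides, so a response from a slightly skewed clock that arrives a few
    seconds early or late is still accepted. NotOnOrAfter is exclusive.
    """
    root = ET.fromstring(xml_text)
    conditions = root.find("./saml:Assertion/saml:Conditions", NS)
    if conditions is None:
        return False
    now = _parse_utc(now_utc)
    drift = timedelta(seconds=drift_seconds)
    not_before = _parse_utc(conditions.get("NotBefore"))
    not_on_or_after = _parse_utc(conditions.get("NotOnOrAfter"))
    return (now + drift) >= not_before and (now - drift) < not_on_or_after


if __name__ == "__main__":
    print(extract_fields(SAMPLE_RESPONSE))
    print(extract_fields(SAMPLE_RESPONSE_CLAIM_URI)["first_name"])
    print(within_validity_window(SAMPLE_RESPONSE, "2024-01-01T11:59:52Z"))
```

When a sign-in fails with an empty name or email, comparing the attribute names in the IdP's actual response against the @Name values in these paths is the first thing to check; the mismatch case above is what that looks like.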