Configuring Auth0 as an identity provider
Notes:
- This guide assumes you are already familiar with SAML. Below are the steps for configuring SAML single sign-on using Auth0 as the IdP (identity provider).
- To configure things on the Auth0 side, you need to have admin Auth0 permissions.
- To configure things on the Flex side, you need to have admin permissions in the Flex account to which you wish to link the IdP.
Obtain information from Flex
- Log into the Flex account to which you wish to link the IdP.
- Identify the UUID of this Flex account. This can be found on the corresponding Account Details page in Flex Enterprise.
Configuration steps (Auth0 side)
Log into your Auth0 account and click + Create Application.
In the Name field, enter a name for your application.
In the Choose an application type section, select Regular Web Applications.
Click Create.
Click the Settings tab. Scroll down to the Allowed Callback URLs section and add the SSO callback URL that you wish to use. It takes the form https://{account}.{your-flex-deployment.com}/login/saml/SSO. List only the exact URL(s) your Flex deployment uses: this allow-list is what stops Auth0 from posting a SAML response to any other host.
Click Save Changes.
At the top of the page, click the Addons tab.
Select SAML2 Web App. In the Settings tab, provide the Application Callback URL (the same SSO callback URL you added to Allowed Callback URLs above) and set the JSON as follows:
{
  "audience": "urn:dalet:flex:flex-login-app",
  "signResponse": true,
  "signatureAlgorithm": "rsa-sha256",
  "digestAlgorithm": "sha256"
}
Here audience is the entity ID Flex expects in the assertion's Audience element; signResponse: true makes Auth0 sign the whole SAML response rather than only the assertion; and the two algorithm settings select SHA-256 instead of Auth0's SHA-1 defaults.
Click Debug to test the settings. If the JSON is valid, a sample SAML response for the application is displayed; confirm that its Audience is the value above and that the SignatureMethod is rsa-sha256.
Click Save.
Configure the externalUniqueUserId attribute mapping so that Flex can identify each external user uniquely. Follow these steps:
1. Navigate to User Management > Users, open the user, and add externalUniqueUserId to the user's metadata as follows:
{
"externalUniqueUserId": "<<username>>_id"
}
Replace <<username>> with the user's actual username in the IdP. Any value can be used, as long as it is stable and unique per user, because Flex uses it to recognise the same user on later logins.
2. Update the SAML Attributes Mapping Action by navigating to Actions > Library > Custom and clicking SAML Attributes Mapping.
3. Modify the function so that it derives the externalUniqueUserId attribute as follows:
api.samlResponse.setAttribute('externalUniqueUserId', event.user.user_metadata?.externalUniqueUserId);
The whole function would then look like this:
exports.onExecutePostLogin = async (event, api) => {
  // Flex account UUID, read from the Application Metadata key configured on the Auth0 application
  api.samlResponse.setAttribute('flexAccountUuid', event.client.metadata.flexAccountUuid);
  // Both name attributes are derived from the Auth0 nickname
  api.samlResponse.setAttribute('firstName', event.user.nickname);
  api.samlResponse.setAttribute('lastName', event.user.nickname);
  // Group names used by the optional IdP-to-Flex group membership sync
  api.samlResponse.setAttribute('groups', event.user.app_metadata?.authorization?.groups);
  // Stable per-user identifier added in step 1
  api.samlResponse.setAttribute('externalUniqueUserId', event.user.user_metadata?.externalUniqueUserId);
  return;
};
4. Finally, save and deploy the Action so that the externalUniqueUserId attribute is included in the SAML response for every Flex-integrated SAML application that uses this mapping.
Once the Action is saved and deployed, the externalUniqueUserId attribute is included in the SAML response. Note that user_metadata is the part of an Auth0 profile that a user can be permitted to edit; if you want this identifier to be changeable only by administrators, store it in app_metadata instead and read event.user.app_metadata in the Action.
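The following is an added example, not the page's or Dalet's own code: a stricter variant of the SAML Attributes Mapping Action shown above. It keeps the same five attribute names, but refuses the login (api.access.deny) when flexAccountUuid or externalUniqueUserId is missing instead of emitting an empty attribute, prefers app_metadata over user_metadata for the identifier, normalises groups to an array, and uses given_name/family_name when present, falling back to nickname as the page does. The event and api shapes are assumed to be those documented for Auth0 Post Login Actions; the sample event and the recording api harness are constructed here for local testing.

```javascript
// Pure mapping: derive the SAML attributes Flex expects from the Auth0 event.
// Returns { attributes } on success or { denyReason } when a required value is
// missing, so the caller can refuse the login rather than send a partial assertion.
function buildFlexAttributes(event) {
  const client = event.client || {};
  const user = event.user || {};
  const clientMeta = client.metadata || {};
  const appMeta = user.app_metadata || {};
  const userMeta = user.user_metadata || {};

  // flexAccountUuid comes from the Application Metadata key set in Advanced Settings;
  // without it Flex cannot tell which account the login belongs to.
  const flexAccountUuid = clientMeta.flexAccountUuid;
  if (typeof flexAccountUuid !== 'string' || flexAccountUuid.trim() === '') {
    return { denyReason: 'missing flexAccountUuid in application metadata' };
  }

  // Prefer app_metadata (not editable by the user) for the stable identifier,
  // falling back to user_metadata, where the page's procedure stores it.
  const externalUniqueUserId =
    appMeta.externalUniqueUserId ?? userMeta.externalUniqueUserId;
  if (typeof externalUniqueUserId !== 'string' || externalUniqueUserId.trim() === '') {
    return { denyReason: 'missing externalUniqueUserId for user' };
  }

  // Groups are optional; always emit an array of strings so the Flex group sync
  // sees the same shape whether zero, one or many groups are assigned.
  const rawGroups = (appMeta.authorization && appMeta.authorization.groups) || [];
  const groups = Array.isArray(rawGroups)
    ? rawGroups.filter((g) => typeof g === 'string')
    : [String(rawGroups)];

  return {
    attributes: {
      flexAccountUuid,
      // Real name fields when present; nickname as the page's fallback.
      firstName: user.given_name || user.nickname || '',
      lastName: user.family_name || user.nickname || '',
      groups,
      externalUniqueUserId,
    },
  };
}

// Action entry point: apply the mapping through Auth0's api object.
async function onExecutePostLogin(event, api) {
  const result = buildFlexAttributes(event);
  if (result.denyReason) {
    api.access.deny(result.denyReason);
    return;
  }
  for (const [name, value] of Object.entries(result.attributes)) {
    api.samlResponse.setAttribute(name, value);
  }
}

// Local harness (constructed, not an Auth0 API): a stand-in api object that records
// the calls the Action makes. onExecutePostLogin contains no await, so its body
// completes synchronously and the recorded calls are available on return.
function runWithRecordingApi(event) {
  const calls = { attributes: {}, denied: null };
  const api = {
    access: { deny: (reason) => { calls.denied = reason; } },
    samlResponse: { setAttribute: (name, value) => { calls.attributes[name] = value; } },
  };
  onExecutePostLogin(event, api);
  return calls;
}

// Constructed sample event (not real tenant data).
const sampleEvent = {
  client: { metadata: { flexAccountUuid: '11111111-2222-3333-4444-555555555555' } },
  user: {
    nickname: 'jdoe',
    given_name: 'Jane',
    family_name: 'Doe',
    app_metadata: { authorization: { groups: ['editors', 'reviewers'] } },
    user_metadata: { externalUniqueUserId: 'jdoe_id' },
  },
};

// In an Auth0 Action the entry point is exported as exports.onExecutePostLogin.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

To adopt this in Auth0, paste buildFlexAttributes and onExecutePostLogin into the SAML Attributes Mapping Action and drop the harness and sample event; the deny reason is shown to the user on the Auth0 error page and recorded in the tenant logs, which is usually preferable to a login that succeeds in Auth0 but is rejected or mis-matched by Flex.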
Back in the application's Settings tab, scroll down and click Show Advanced Settings. Under the Application Metadata tab, add the key flexAccountUuid with the value of the Flex account UUID you identified earlier; this is the value the Action reads from event.client.metadata.flexAccountUuid.
Still under Advanced Settings, click the Endpoints tab. Scroll down to the SAML Metadata URL field and copy the URL, or click it and copy the metadata XML that is downloaded (recommended).
Configuration steps (Flex side)
Log into the Flex account to which you wish to link the IdP.
On the Account Details page, click the Metadata sub-tab and expand the External Authentication section.
Specify values for both the Default Role and Default Owner fields.
Expand the SAML Configuration section. Choose whether you wish to redirect to IdP login page automatically, and enter the IdP Display Name to be used on the login page (which will only be visible if IdP Redirect is set to No).
- Optionally, enable IdP to Flex Group membership sync. For this to work correctly, Groups must be configured in Flex with names matching the values Auth0 sends in the groups attribute (app_metadata.authorization.groups in the Action above).
- In the SAML Metadata Configuration section, provide either the static IdP metadata (recommended) or the URL from which the IdP metadata can be dynamically retrieved. Static metadata pins the Auth0 signing certificate; remember to update it whenever the Auth0 application's signing certificate is rotated, or logins will fail signature validation.
Click Save, to save the configuration.
Click Enable, to enable the account.
In another browser, or an incognito window, navigate to Flex. The login page should either redirect to your IdP, or provide an appropriately-titled button allowing you to log in through the IdP, depending on your configuration choices above.