Updates to AWS integration pages.

[chriskeyser]

https://auth0.com/docs/integrations/aws

SSO with dashboard

• [x] step 1 - have a link that shows a user how to do this. (screenshot?)
• [x] step 3 - be specific => paste this into settings area on the Settings tab. -> on the settings tab press "Save" (this is way off screen and not obvious) f
• [x] step 4 - numbering restarts to 1? There is a lot to this that users may not get: Configure Auth0 as the IdP for AWS. AWS will require importing the IdP Metadata. Scroll down on the same configuration screen on the Auth0 dashboard. Look for the Identity Provider Metadata link.
• [x] a. First at least point to the AWS documentation on setting up STS for SAML. Docs are here: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
• [x] b. The metadata download is not so obvious and the instructions are no longer correct. You need to do the following in auth0 -> click on the "Usage" tab -> Under the "identity provider Metadata" link, click on "download"
• [x] step 5 -Send AWS roles or write a Rule to map values to it, like this example: I'm not sure what "Send AWS roles" means. The role needs to be injected into the SAML token, I don't think it will work otherwise. The only way I am aware of to get the roles into the token is as outlined. I suggest just say specify an AWS role with a rule as follows. Also have skipped the step of creating a role in AWS. The role has to be created in a specific way to allow its use to gain access to AWS. Here is the doc on AWS. http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html The steps are:
  1. from the IAM console, select create roles in the left menu, then select "create new role"
  2. Enter a role name and click next
  3. Select "Role for Identity Provider Access" and click next.
  4. Select "Grant Web Single Sign-On (WebSSO) access to SAML providers"
  5. Accept the defaults for the next screen (SAML:aud value of https://signin.aws.amazon.com/saml)
  6. Accept the Role Trust proposed. (This policy tells IAM to trust the Auth0 SAML IDP)
  7. Choose an appropriate access policy for this role. This defines the permissions that the user being granted with this role will have within AWS. For example, to just let users read information in the console, select the ReadOnlyAccess policy.
  8. Select "Create Role"
     • [x] I suggest having a step (Step 5) to setup the role, and Step 6 is
     • Write a Rule to map the role to a user. Point to our docs on rules. The existing discussion about different options is good to keep.
• [x] There is a nice discussion that role is really the Amazon Resource Name (arn) of the role, followed by the arn of the SAML provider. I screwed that up a while ago, and it's hard to figure out. I'd move this right above the rule code so users look at it first. It fails in non-obvious ways when you mess this up.

• [x] 7. (There is not step 7 but needs to be one :). You are now setup for single signon to AWS. To use the single sign-on simply go the the sign-on on Auth0, and after signing in you will be redirected to AWS. You can see the url for signin by going to SAML2 add-on settings, and clicking on usage. You will see the Identity Provider Login URL defined. Go to that url, and you will be brought to the Auth0 login.

  Delegation section

• [x] This is a good overview, but doesn't mention the add-on or refer to the more detailed setup we have. At the end put a brief description of the AWS add-on and point to https://auth0.com/docs/aws-api-setup for detailed instructions. Also for an example of how to define a server side rule for assigning a role and an advanced use case point to the Amazon API Gateaway tutorial (https://auth0.com/docs/integrations/aws-api-gateway)

  https://auth0.com/docs/aws-api-setup The detail here is nice but needs to be updated.

• [x] Add at the start to turn on delegation for the application (Click the Addons tab, and enable Amazon Web Services.)
• [x] Screens have changed on AWS and flow has changed some. Need to update. Let me know if you need more help with this.
• [x] Numbering is off goes from 2 back to 1 on step 3.
• [x] Role interface in AWS has also changed. More steps and now can use pre-defined policies. Needs to be updated. Let me know if you need help with this.
• [x] Step 5 says Principal ARN but it is Provider ARN in the screen, which will be confusing. However we use principal in other areas. So I suggest we just say here copy the Provider ARN, and use this as the Principal ARN when obtaining the delegation token.
• [x] It'd be nice to then show the code for how to obtain the token at the end. Samples are both in the above page and in the api gateway tutorial.

[Catografix]

for " Add at the start to turn on delegation for the application (Click the Addons tab, and enable Amazon Web Services.)" - is that in addition to SAML2 or in place of?

[ntotten]

@chriskeyser Can you take this from here? We need to move on to other docs and this is taking up a lot of time.

[mpaktiti]

@chriskeyser @ntotten Hi, is this still pending? Should I create trello cards for the non-checked items of this list?

[chriskeyser]

To be honest we should probably do a pass on AWS if we haven't recently. In a year something has changed.

On Thu, Aug 18, 2016 at 7:54 PM, Maria Paktiti notifications@github.com wrote:

@chriskeyser https://github.com/chriskeyser @ntotten https://github.com/ntotten Hi, is this still pending? Should I create trello cards for the non-checked items of this list?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/auth0/docs/issues/422#issuecomment-240891622, or mute the thread https://github.com/notifications/unsubscribe-auth/ABsH9GTzKGwt-GVi7tze61wOuobqisyUks5qhPDTgaJpZM4GD9Wh .

[mpaktiti]

Thanks @chriskeyser , I'll check with our QA team and make sure they do, if they haven't done this already.

[mpaktiti]

The issue was assigned to TechAid (AUTH-3321) so they can test if the docs are up-to-date and valid or updates are needed.

[jotadepicas]

Hi everyone, I've been following this article con AWS delegation: https://auth0.com/docs/integrations/aws, and at the bottom of the page there's a code example on how to do it using auth0.js.

In that example, both principal, and role parameters are passed on the options object, but since a security fix addressed here: https://auth0.com/forum/t/aws-delegation-fails-missing-principal/2766/4, that does not work anymore. Now you have to set them through a rule.

Although this is mentioned somewhere in the middle of the article, I would change this example to make more evident that this code does not work out of the box, and that the rules approach is mandatory whether you are using auth0.js or not.