content/operate/rc/security/access-control/saml-sso/saml-integration-auth0.md
This guide shows how to configure Auth0 as a SAML single sign-on identity provider (IdP) for your Redis Cloud account.
To learn more about Redis Cloud support for SAML, see [SAML single sign-on]({{< relref "/operate/rc/security/access-control/saml-sso" >}}).
Before completing this guide, you must [verify ownership of any domains]({{< relref "/operate/rc/security/access-control/saml-sso#verify-domain" >}}) you want to associate with your SAML setup.
Sign in to your Auth0 account and navigate to User Management > Users.
SAML assertion requires first and last name, which are not available in the default user profile.
{{<note>}} Depending how they are created, users can have different profiles. {{</note>}}
{{<image filename="images/rc/saml/auth0_saml_1.png" >}}
Add user_metadata to fulfill the SAML assertion, then select Save.
{{<image filename="images/rc/saml/auth0_saml_2.png" >}}
The key-value pair of redisAccountMapping consists of a lowercase role name (owner, member, manager, billing_admin, or viewer) and your Redis Cloud Account ID found in the [account settings]({{< relref "/operate/rc/accounts/account-settings" >}}).
{
"FirstName": "Test",
"LastName": "User",
"redisAccountMapping": "YOUR_REDIS_CLOUD_ID=owner"
}
Open Actions > Triggers and select post-login.
{{<image filename="images/rc/saml/auth0_saml_3.png" >}}
Select Create Action to create a new custom action.
{{<image filename="images/rc/saml/auth0_saml_add-action.png" >}}
Provide a name for the action and select Create.
{{<image filename="images/rc/saml/auth0_saml_create-action.png" >}}
Add the following code to the action:
exports.onExecutePostLogin = async (event, api) => {
const um = event.user.user_metadata || {};
const am = event.user.app_metadata || {};
api.samlResponse.setAttribute('email', event.user.email);
api.samlResponse.setAttribute(
'firstName',
um.FirstName || ''
);
api.samlResponse.setAttribute(
'lastName',
um.LastName || ''
);
const mapping = am.redisAccountMapping || um.redisAccountMapping;
if (mapping) {
api.samlResponse.setAttribute('redisAccountMapping', mapping);
} else {
api.access.deny('missing_redis_account_mapping', 'redisAccountMapping not set for user');
}
};
Select Deploy to save and deploy the action.
{{<image filename="images/rc/saml/auth0_saml_4.png" >}}
Return to the post-login trigger and drag the action you just created to the trigger.
{{<image filename="images/rc/saml/auth0_saml_action-trigger.png" >}}
Select Apply to save your changes.
Open Applications > Applications and select Create Application.
{{<image filename="images/rc/saml/auth0_saml_5.png" >}}
Provide a name for the Application and select Single Page Web Applications. Select Create.
{{<image filename="images/rc/saml/auth0_saml_6.png" >}}
From the newly created application, go to Settings > Advanced Settings > Certificates.
{{<image filename="images/rc/saml/auth0_saml_7.png" >}}
From the newly created application, go to Addons and enable SAML 2 WEB APP.
{{<image filename="images/rc/saml/auth0_saml_8.png" >}}
From the Usage tab:
You will need both of these values, along with the certificate value you copied in the previous step, to configure SAML in the Redis Cloud console.
{{<image filename="images/rc/saml/auth0_saml_9.png" >}}
Now that you have you Auth0 IdP server ready, configure support for SAML in Redis Cloud.
Sign in to your account on the Redis Cloud console.
To activate SAML, you need to have a local user (or social sign-on user) with the owner role. If you have the correct permissions, you will see the Single Sign-On tab.
Fill in the information you saved previously in the setup form. This includes:
{{<image filename="images/rc/saml/sm_saml_1.png" >}}
Once you click Enable, wait a few seconds for the status to change.
Download the service provider (SP) metadata. Save the file to your local hard disk.
{{<image filename="images/rc/saml/sm_saml_3.png" >}}
Open the file in any text editor. Save the following text from the metadata:
{{<image filename="images/rc/saml/sm_saml_4.png" >}}
{{<image filename="images/rc/saml/sm_saml_5.png" >}}
Return to the Auth0 SAML application and select Addons > SAML 2 Web App > Settings:
{{<image filename="images/rc/saml/auth0_saml_10.png" >}}
Paste the Location link in Application Callback URL field.
Enter the following code in the Settings code area. Modify the audience variable with the EntityID value, and the recipient variable with the Location value from the metadata file you downloaded.
{
"audience": "<EntityID>",
"recipient": "<Location>",
"passthroughClaimsWithNoMapping": false,
"nameIdentifierProbes": [
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
]
}
Scroll down and select Enable to apply the configuration.
To use IdP-initiated SSO with certain identity providers, you also need to set the RelayState parameter to this URL:
https://cloud.redis.io/#/login/?idpId=<ID>
{{< note >}}
Replace ID so it matches the AssertionConsumerService Location URL ID (the content after the last forward slash "/"). To learn more about how to configure service provider apps, see your identity provider’s documentation.
{{</ note >}}
Return to the Redis Cloud console and select Activate.
{{<image filename="images/rc/saml/sm_saml_8.png" >}}
A popup appears, explaining that, in order to test the SAML connection, we need to login with credentials of a user defined in Auth0. Select Continue to go to the Auth0 login screen.
The Auth0 login screen appears. Enter the credentials and select Sign In.
{{<image filename="images/rc/saml/auth0_saml_12.png" >}}
If everything is configured correctly, you will see the the Redis Cloud console screen. Your local account is now considered a SAML account.
To log in to the Redis Cloud console from now on, click on Sign in with SSO.
{{<image filename="images/rc/button-sign-in-sso.png" width="50px" alt="Sign in with SSO button">}}