Auth0 SAML integration guide

This integration guide shows how to configure Auth0 as a SAML single sign on provider for your Redis Cloud account.

Redis Cloud

This guide shows how to configure Auth0 as a SAML single sign-on identity provider (IdP) for your Redis Cloud account.

To learn more about Redis Cloud support for SAML, see SAML single sign-on.

Before completing this guide, you must verify ownership of any domains you want to associate with your SAML setup.

Step 1: Set up your identity provider (IdP)

Specify the SAML owner

  1. Sign in to your Auth0 account and navigate to User Management > Users.

    • Select the SAML owner.
    • Verify the details.

    SAML assertion requires first and last name, which are not available in the default user profile.

    Note:
    Depending how they are created, users can have different profiles.

  2. Add user_metadata to fulfill the SAML assertion, then select Save.

    The key-value pair of redisAccountMapping consists of a lowercase role name (owner, member, manager, billing_admin, or viewer) and your Redis Cloud Account ID found in the account settings.

    {
   "FirstName": "Test",
   "LastName": "User",
   "redisAccountMapping": "YOUR_REDIS_CLOUD_ID=owner"
}

  3. Open Actions > Triggers and select post-login.

  4. Select Create Action to create a new custom action.

  5. Provide a name for the action and select Create.

  6. Add the following code to the action:

    exports.onExecutePostLogin = async (event, api) => {
    const um = event.user.user_metadata || {};
    const am = event.user.app_metadata || {};
    api.samlResponse.setAttribute('email', event.user.email);
    api.samlResponse.setAttribute(
        'firstName',
        um.FirstName || ''
    );
    api.samlResponse.setAttribute(
        'lastName',
        um.LastName || ''
    );
    const mapping = am.redisAccountMapping || um.redisAccountMapping;
    if (mapping) {
        api.samlResponse.setAttribute('redisAccountMapping', mapping);
    } else {
        api.access.deny('missing_redis_account_mapping', 'redisAccountMapping not set for user');
    }
};

  7. Select Deploy to save and deploy the action.

  8. Return to the post-login trigger and drag the action you just created to the trigger.

    Select Apply to save your changes.

Create and configure the SAML application

  1. Open Applications > Applications and select Create Application.

  2. Provide a name for the Application and select Single Page Web Applications. Select Create.

  3. From the newly created application, go to Settings > Advanced Settings > Certificates.

    • Copy and save the Signing Certificate. You will need this information to configure SAML in admin console.
    • We suggest that you update the default logo of the application to the Redis icon for better visibility.

  4. From the newly created application, go to Addons and enable SAML 2 WEB APP.

  5. From the Usage tab:

    • Copy and save the Issuer value.
    • Copy and save the Identity Provider Login URL.

    You will need both of these values, along with the certificate value you copied in the previous step, to configure SAML in the Redis Cloud console.

Step 2: Configure SAML support in Redis Cloud

Now that you have you Auth0 IdP server ready, configure support for SAML in Redis Cloud.

Sign in to Redis Cloud

Sign in to your account on the Redis Cloud console.

Activate SAML in Access Management

To activate SAML, you need to have a local user (or social sign-on user) with the owner role. If you have the correct permissions, you will see the Single Sign-On tab.

  1. Fill in the information you saved previously in the setup form. This includes:

    • Issuer (IdP Entity ID): Issuer value from Auth0
    • IdP server URL: Identity Provider Login URL from Auth0
    • Assertion signing certificate: Certificate value from Auth0

    Once you click Enable, wait a few seconds for the status to change.

  2. Download the service provider (SP) metadata. Save the file to your local hard disk.

  3. Open the file in any text editor. Save the following text from the metadata:

    • EntityID: The unique name of the service provider (SP)
    • Location : The location of the assertion consumer service

Step 3: Finish SAML configuration in Auth0

  1. Return to the Auth0 SAML application and select Addons > SAML 2 Web App > Settings:

    • Paste the Location link in Application Callback URL field.

    • Enter the following code in the Settings code area. Modify the audience variable with the EntityID value, and the recipient variable with the Location value from the metadata file you downloaded.

    {
  "audience": "<EntityID>",
  "recipient": "<Location>",
  "passthroughClaimsWithNoMapping": false,
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

    Scroll down and select Enable to apply the configuration.

IdP initiated SSO

To use IdP-initiated SSO with certain identity providers, you also need to set the RelayState parameter to this URL:

https://cloud.redis.io/#/login/?idpId=<ID>

Note:
Replace ID so it matches the AssertionConsumerService Location URL ID (the content after the last forward slash "/"). To learn more about how to configure service provider apps, see your identity provider’s documentation.

Step 4: Return to the Redis Cloud console

  1. Return to the Redis Cloud console and select Activate.

    A popup appears, explaining that, in order to test the SAML connection, we need to login with credentials of a user defined in Auth0. Select Continue to go to the Auth0 login screen.

  2. The Auth0 login screen appears. Enter the credentials and select Sign In.

If everything is configured correctly, you will see the the Redis Cloud console screen. Your local account is now considered a SAML account.

To log in to the Redis Cloud console from now on, click on Sign in with SSO.

Sign in with SSO button
RATE THIS PAGE
Back to top ↑