Identity Provider: Auth0
Prerequisites
1. Appropriate roles/permissions in Auth0 to create applications and assign individuals to those applications.
2. An EDB Account (create one if you don't have one). Log in to the EDB Postgres AI Console and switch to the correct organization if needed.
3. A verified domain. This may require engaging the customer's IT team to add a DNS TXT record. For detailed steps, see: Add a domain
Steps
0. Log in to the EDB Postgres AI Console with your EDB Account, click Profile (upper-right corner), and go to 'Settings' -> 'Identity Provider'.
1. In the Auth0 console, go to Applications -> Applications -> Create Application.
2. Enter your application name and select 'Native'.
3. Switch to the 'Addons' tab and enable the SAML2 addon.
4. Copy the 'Assertion Consumer Service URL' from the EDB Postgres AI Console 'Connection Info' section into the Auth0 'Application Callback URL' field.
5. Copy the Audience URI from the Set Up Identity Provider page and paste it as the "audience" value in the addon's Settings field.
Below is an example of the Settings JSON. Keep "passthroughClaimsWithNoMapping" and "mapUnknownClaimsAsIs" false so that only the explicitly mapped attributes are sent to BigAnimal.
{
"audience": "copy from EDB Postgres AI console Audience URI",
"mappings": {
"upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
"nickname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
},
"createUpnClaim": false,
"passthroughClaimsWithNoMapping": false,
"mapUnknownClaimsAsIs": false,
"mapIdentities": false,
"nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:email",
"nameIdentifierProbes": [
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
]
}
6. Click 'Enable' and then 'Save'.
7. Switch to the 'Usage' tab and copy the 'Identity Provider Login URL'.
8. Close the addon window, go to the application's 'Settings' tab, and scroll down.
9. At the bottom of the page, expand 'Advanced Settings' -> 'Certificate' and click 'Download Certificate' in PEM format. This is the certificate BigAnimal uses to verify the signature on Auth0's SAML responses.
10. Go to 'Organizations' and choose 'Individuals for personal use' or 'Both'. Using an Auth0 client application as a SAML IdP with 'Team members of organizations' is NOT supported by Auth0.
EDB Postgres AI Setup IDP - Setup Config
11. In the EDB Postgres AI Console, go to the '3 SAML Settings' section:
a. Paste the Login URL from step 7 into 'Single Sign-On URL'.
b. Upload the certificate downloaded in step 9.
c. Request Binding: HTTP POST
d. Response Signature Algorithm: rsa-sha256 is recommended. Make sure Auth0 signs with the same algorithm: the SAML2 addon signs with rsa-sha1 and a sha1 digest by default, so if you select rsa-sha256 here, add "signatureAlgorithm": "rsa-sha256" and "digestAlgorithm": "sha256" to the addon Settings JSON from step 5.
12. Click 'Test Connection'. If it succeeds, click 'Sign in' to complete the signup process.
13. After the domain is verified (see Add a domain), enter your email address in the box shown in the screenshot below. (Azure Marketplace users: don't click 'Sign in'.)
How to configure your own attributes mapping
The example below was tested. Auth0 user profiles don't always include givenname or surname, but BigAnimal requires both, so we map Auth0's name and nickname attributes onto BigAnimal's surname and givenname claims.
"upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
"nickname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
Reference: Auth0 doc
Customize your attribute mapping
You can also check your user's attribute structure under User Management -> Users: click the user and open the 'Raw JSON' tab.
BigAnimal Supported attributes
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
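As an added example (not EDB's or Auth0's own code), the Python script below checks an Auth0 SAML2 addon Settings document like the one in step 5 against the supported-attribute list above, and shows which SAML attributes and NameID a given Auth0 user record (the Raw JSON from User Management -> Users) would produce before you click 'Test Connection'. The audience value, the "signatureAlgorithm"/"digestAlgorithm" keys and the two user records are constructed for illustration; the signing-algorithm check assumes Auth0's documented SHA-1 defaults for those two settings, and the NameID simulation assumes probes are matched against the mapped claim URIs.

```python
"""Sanity-check an Auth0 SAML2 addon Settings document for BigAnimal and
simulate the SAML attributes one Auth0 user would receive.

Added example, not EDB's or Auth0's code. The claim URIs are the ones
BigAnimal lists as supported; SAMPLE_SETTINGS (audience, signing keys) and
the user records ALICE/BOB are constructed for illustration.
"""
import json

CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SUPPORTED = {CLAIM_NS + n for n in ("nameidentifier", "name", "givenname", "surname", "emailaddress")}
# BigAnimal needs a first name, last name and email to create the user.
REQUIRED = {CLAIM_NS + n for n in ("givenname", "surname", "emailaddress")}

# Constructed settings: the mapping from the page plus explicit SHA-256 signing.
SAMPLE_SETTINGS = json.loads("""{
  "audience": "urn:example:biganimal-audience",
  "mappings": {
    "upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "nickname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  },
  "createUpnClaim": false,
  "passthroughClaimsWithNoMapping": false,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": false,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:email",
  "nameIdentifierProbes": ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"],
  "signatureAlgorithm": "rsa-sha256",
  "digestAlgorithm": "sha256"
}""")


def check_settings(settings: dict) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    mappings = settings.get("mappings", {})
    emitted = set(mappings.values())

    audience = settings.get("audience", "")
    if not audience or " " in audience:
        problems.append("audience must be the exact Audience URI copied from the console")

    for attr, claim in mappings.items():
        if claim not in SUPPORTED:
            problems.append(f"mapping {attr!r} -> {claim} is not a BigAnimal-supported attribute")
    for claim in sorted(REQUIRED - emitted):
        problems.append(f"no Auth0 attribute is mapped to required claim {claim}")

    # The NameID is taken from the first probe with a value, so every probe
    # must be a claim the mappings actually produce.
    for probe in settings.get("nameIdentifierProbes", []):
        if probe not in emitted:
            problems.append(f"nameIdentifierProbe {probe} is not produced by any mapping")

    # Either flag would forward the whole Auth0 profile to the service provider.
    if settings.get("passthroughClaimsWithNoMapping") or settings.get("mapUnknownClaimsAsIs"):
        problems.append("unmapped profile attributes would be sent to BigAnimal; keep both passthrough flags false")

    # Assumption: Auth0 signs with rsa-sha1 / sha1 unless these keys say otherwise.
    if settings.get("signatureAlgorithm", "rsa-sha1") != "rsa-sha256":
        problems.append('set "signatureAlgorithm": "rsa-sha256" to match the console setting')
    if settings.get("digestAlgorithm", "sha1") != "sha256":
        problems.append('set "digestAlgorithm": "sha256"')
    return problems


def saml_attributes(user: dict, settings: dict) -> dict:
    """Apply the mappings to an Auth0 user profile and return claim URI -> value.
    Unmapped profile fields are dropped, as passthroughClaimsWithNoMapping=false does."""
    attrs = {}
    for attr, claim in settings.get("mappings", {}).items():
        value = user.get(attr)
        if value not in (None, ""):
            attrs[claim] = str(value)
    return attrs


def name_id(user: dict, settings: dict):
    """Value of the first nameIdentifierProbe that resolves, or None."""
    attrs = saml_attributes(user, settings)
    for probe in settings.get("nameIdentifierProbes", []):
        if probe in attrs:
            return attrs[probe]
    return None


def missing_required(user: dict, settings: dict) -> list:
    """Required BigAnimal claims this user would NOT receive (empty is good)."""
    return sorted(REQUIRED - set(saml_attributes(user, settings)))


# Constructed user records modelled on Auth0 database-connection profiles:
# there is usually no given_name/family_name, and 'name' may default to the email.
ALICE = {"user_id": "auth0|0001", "email": "alice@example.com", "email_verified": True,
         "name": "Alice Liddell", "nickname": "alice", "given_name": "Alice"}
BOB = {"user_id": "auth0|0002", "email": "bob@example.com", "name": "bob@example.com"}

if __name__ == "__main__":
    print("settings:", check_settings(SAMPLE_SETTINGS) or "ok")
    for user in (ALICE, BOB):
        print(user["email"], "NameID:", name_id(user, SAMPLE_SETTINGS),
              "missing:", missing_required(user, SAMPLE_SETTINGS))
```

Running it shows the two failure modes that break the step-12 test most often: BOB has no nickname, so no givenname claim is produced and BigAnimal cannot create the user, and ALICE's unmapped given_name is silently dropped rather than passed through. Paste your own Raw JSON record in place of the constructed users to check a custom mapping.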
Screen recording: https://drive.google.com/file/d/1oYonoB625JLn_cUp5eDPhprYMxzDlnyQ/view?usp=sharing