Skip to main content

Introduction

This guide will detail the various steps required to integrate AWS SSO as a SAML provider for your env zero organization. The current implementation supports SAML 2.0 and is used for authentication only, where you define your users in your AWS SSO account to enable them access to your env zero organization.

Steps

  1. Login to your AWS Account and navigate to the AWS SSO service.
  2. Click on the Applications tabs on the left-hand side menu.
  3. Click on the Add a new application button.
  4. Select I have an application I want to set up.
  5. Select the SAML 2.0
AWS SSO application setup interface showing SAML 2.0 selection option
  1. Enter the Display name and Description
  2. Configure the User and group assignment method section
  3. In the AWS access portal set the Application URL to be https://app.env0.com/login/sso
  4. Click on the Next button
  5. In the IAM Identity Center metadata section download the IAM Identity Center Certificate and copy the IAM Identity Center sign-in URL
  6. In the Application properties set the Application start URL to https://app.env0.com/login/sso
  7. Set the desired Session duration
  8. In the Application metadata section click on the If you don't have a metadata file, you can manually type your metadata values link
  9. In the Application metadata section, under Application ACS URL enter the following https://login.app.env0.com/login/callback?connection={YOUR_ENV0_ORG_ID}
  10. In the Application SAML audience enter urn:auth0:env0:{YOUR_ENV0_ORG_ID}
  11. Click on the Submit button
  12. In the Action Dropdown select Edit Attribute mappings
  13. Add the following attributes:
NameValueFormatMandatory
Subject${user:subject}persistentYes
name${user:name}basicYes
lastName${user:familyName}basicYes
firstName${user:givenName}basicYes
groups${user:groups}unspecifiedNo
email${user:subject}unspecifiedYes
AWS SSO attribute mappings configuration showing user attribute settings for SAML integration
Groups Mapping with AWS SSOThe groups attribute in AWS SSO currently supports the UUID of the groups and not the actual name of the group.This means that if you set the groups attribute we will sync the groups based on their UUID.
  1. Click on Assigned users button and assign the relevant users and groups to the application
  2. Please submit the AWS SSO sign-in URL and the AWS SSO Certificate to env zero setup SAML single sign-on