This guide shows how to configure Auth0 as a SAML single sign-on identity provider (IdP) for your Redis Cloud account.

To learn more about Redis Cloud support for SAML, see SAML single sign-on.

Step 1: Set up your identity provider (IdP)

Specify the SAML owner

  1. Sign in to your Auth0 account and navigate to User Management > Users.

    • Select the SAML owner.
    • Verify the details.

    SAML assertion requires first and last name, which are not available in the default user profile.

    Note: Depending how they are created, users can have different profiles.

  2. Add user_metadata to fulfill the SAML assertion, then select Save.

    The key-value pair of redisAccountMapping consists of a lowercase role name (owner, member, manager, billing_admin, or viewer) and your Redis Cloud Account ID found in the account settings.

    {
       "FirstName": "Test",
       "LastName": "User",
       "redisAccountMapping": "YOUR_REDIS_CLOUD_ID=owner"
    }
    
  3. Open Auth Pipeline > Rules and select Create.

  4. Pick a rule template then select Empty rule.

  5. Provide a name for the rule and add the following script.

    function mapSamlAttributes(user, context, callback) {
      user.user_metadata = user.user_metadata || {};
      context.samlConfiguration.mappings = {
         "Email": "email",
         "LastName":  "user_metadata.LastName",
         "FirstName": "user_metadata.FirstName",
         "redisAccountMapping": "user_metadata.redisAccountMapping"
      };
      callback(null, user, context);
    }
    
  6. Select Save Changes.

Create and configure the SAML application

  1. Open Applications > Applications and select Create Application.

  2. Provide a name for the Application and select Single Page Web Applications. Select Create.

  3. From the newly created application, go to Settings > Advanced Settings > Certificates.

    • Copy and save the Signing Certificate. You will need this information to configure SAML in admin console.
    • We suggest that you update the default logo of the application to the Redis icon for better visibility.
  4. From the newly created application, go to Addons and enable SAML 2 WEB APP.

  5. From the Usage tab:

    • Copy and save the Issuer value.
    • Copy and save the Identity Provider Login URL.

    You will need both of these values, along with the certificate value you copied in the previous step, to configure SAML in admin console.

Step 2: Configure SAML support in Redis Cloud

Now that you have you Auth0 IdP server ready, configure support for SAML in Redis Cloud.

Log in to your Redis Cloud account

Log in to your account at https://app.redislabs.com/#/login

Activate SAML in Access Management

To activate SAML, you need to have a local user (or social sign-on user) with the owner role. If you have the correct permissions, you will see the Single Sign-On tab.

  1. Fill in the information you saved previously in the setup form. This includes:

    • Issuer (IdP Entity ID): Issuer value from Auth0
    • IdP server URL: Identity Provider Login URL from Auth0
    • Assertion signing certificate: Certificate value from Auth0

    You will also have to add:

    • Email domain binding - The domain used in your company’s email addresses

    Once you click Enable, wait a few seconds for the status to change.

  2. Download the service provider (SP) metadata. Save the file to your local hard disk.

  3. Open the file in any text editor. Save the following text from the metadata:

    • EntityID: The unique name of the service provider (SP)
    • Location : The location of the assertion consumer service

Step 3: Finish SAML configuration in Auth0

  1. Return to the Auth0 SAML application and select Addons > Settings:

    • Paste the Location link in Application Callback URL field.

    • To update the Settings code area, add this code. Modify the audience variable with the EntityID value from the metadata file you downloaded. Also, modify the recipient variable with the Location value from the metadata file you downloaded.

    {
      "audience": "ENTITYID VALUE FROM FILE",
      "recipient": "LOCATION VALUE FROM FILE",
      "passthroughClaimsWithNoMapping": false,
      "nameIdentifierProbes": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
      ]
    }
    

    Scroll down and select Save to apply the configuration.

IdP initiated SSO

To use IdP-initiated SSO with certain identity providers, you also need to set the RelayState parameter to this URL:

https://app.redislabs.com/#/login/?idpId=<ID>

Note:
Replace ID so it matches the AssertionConsumerService Location URL ID (the content after the last forward slash “/"). To learn more about how to configure service provider apps, see your identity provider’s documentation.

Step 4: Return to the Redis Cloud console

  1. Return to the Redis Cloud console and select Activate.

    A popup appears, explaining that, in order to test the SAML connection, that we need to login with credentials of a user defined in Auth0.

  2. The Auth0 login screen appears. Enter the credentials and select Sign In.

  3. If the test has succeeded, you will see the the Redis Cloud console screen. Your local account is now considered a SAML account. To log in to the Redis Cloud console from now on, click on Sign in with SSO.

  4. Enter your SAML email and select Login.

You have successfully configured SAML as an identification provider.