SSO Using Auth0
This page explains how to configure Auth0 as an authentication method for Styra DAS.
Configure Auth0 SSO SAML
The following instructions help you prepare Auth0 as a method for signing in to styra-das-id.styra.com.
Log in to Auth0.
On the left navigation pane, click Applications.
A default app exists and can be used as a SAML application or you can create a new application.
To create a new application, click the CREATE APPLICATION button.
Enter Styra (or anything you prefer) as the Name, select an application type, and click Create.
The new application is created and selected. If you want to use an existing application, click the application name link.
Click the Addons tab to enable the SAML2 WEB APP. A dialog message Addon: SAML2 Web App is displayed.
Click the Settings tab to enter the following details in the form.
- Application Callback URL: For example, in https://styra-das-id.styra.com/v1/saml/ssosaml/callback replace styra-das-id.styra.com with your tenant name and ssosaml with the provider name. This provider name will be used when you configure the settings on styra-das-id.styra.com.
Scroll to the bottom of this page and click on the ENABLE button.
After you save, click on the Usage tab.
Download the Identity Provider Metadata. This data will be used when you configure the settings on styra-das-id.styra.com.
Styra DAS Configuration
After you configure Auth0, you must configure styra-das-id.styra.com.
Log in to styra-das-id.styra.com with your username and password.
Go to your Workspace, click Access Control >> Single Sign-On Providers and then click SAML >> + Add SAML Provider.
Enter the following details in the form.
- Provider name: Enter the name for your identity provider setting.
- Private key: Use the following command to generate a private key and the associated certificate, and enter the private key:
  openssl req -x509 -newkey rsa:2048 -keyout private.key -out certificate.cert -days 3650 -nodes -subj "/CN=styra-das-id.styra.com"
- Private key certificate: Enter the above generated certificate.
- Identity provider metadata: Enter the IDP metadata.
- Email attribute: The SAML response from Auth0 has an email address in the Attribute tag. Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
- Allowed Domains: Type the allowed authentication domain(s) of your users. For example, retail.acme.com. If the identity provider supports multiple domains, only users with these domains are allowed to access the service.
- Allow identity provider to initiate sign in:
  - If enabled, identity provider can initiate the single sign on.
  - If disabled, identity provider can’t initiate the single sign on.
- Invited users only:
  - If enabled, the authenticated user must have a pre-existing account in the service.
  - If disabled, a new user account will be created just-in-time for any authenticated user, as long as the user's domain matches one of the allowed domains (and the identity provider has assigned the new user to the Styra application).
- Enabled: Set it to TRUE.
If you have selected just-in-time provisioning for the users, then you can now log out from styra-das-id.styra.com and sign in again through Auth0. Auth0 is now displayed on the styra-das-id.styra.com login screen above the username and password.
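The following added example (not Styra's or Auth0's code) models how the Email attribute, Allowed Domains and Invited users only settings described above combine, and can be used to check a captured assertion against the values you entered. The assertion fragment is constructed, the function names and the order of the checks are assumptions, and the helper does not verify the SAML signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: the AttributeStatement part of a SAML assertion.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@retail.acme.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_email(assertion_xml, attr_name=EMAIL_ATTR):
    """Return the first value of the named attribute, or None if absent.

    Debugging helper only: the XML signature is not verified here.
    """
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == attr_name:
            value = attr.find("saml:AttributeValue", SAML_NS)
            if value is not None and value.text:
                return value.text.strip()
    return None


def sign_in_decision(email, allowed_domains, invited_only, existing_users):
    """Model of the settings described above (assumed, not Styra's code)."""
    if not email or email.count("@") != 1:
        return "reject: no usable email attribute"
    domain = email.rsplit("@", 1)[1].lower()
    # Exact match only: a longer domain that merely starts with an
    # allowed one must not pass.
    if domain not in {d.lower() for d in allowed_domains}:
        return "reject: domain not allowed"
    if email.lower() in {u.lower() for u in existing_users}:
        return "sign in existing user"
    if invited_only:
        return "reject: user not invited"
    return "create user just-in-time"
```

If `extract_email` returns None for a captured assertion, the Email attribute value entered in the form does not match any attribute name the identity provider sends.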
Invite Users to Styra (Optional)
If you configured styra-das-id.styra.com to allow only invited users to log in to the service, then you must create users on styra-das-id.styra.com. You can add or invite users through the following options:
- Using the CLI.
- Using the GUI.
- Any client calling the Styra CLI API.