Configuring SSO with Auth0

Netography’s Security Settings and your Identity Provider settings need to be configured in parallel. To start, log in to your Netography account as an administrator.

  1. Navigate to Account Settings > Security/SSO. In the Identity Provider section, enable Single Sign-on:

  1. Copy the Assertion consumer service URL. It will be needed as an input into Auth0 later.

Auth0 Walkthrough

Screenshot dates: 6/2021

  1. Navigate to Applications and click Create Application.

  1. Name the application Netography and set the application type as Regular Web Applications.

  1. Under the Addons tab, enable SAML2 WEB APP.

  1. In the modal that appears, under the Settings tab, paste the Assertion consumer service URL into the Application Callback URL field.

    1. Additionally, paste the following code into the Settings textarea, replacing the placeholders with the appropriate values. Required mappings:

      • Email
      • Role

    ```json
    {
      "logout": {
        "callback": "<Assertion consumer service URL>"
      },
      "mappings": {
        "email": "email",
        "nickname": "nickname",
        "phone_number": "phone_number",
        "picture": "picture",
        "role": "role"
      },
      "createUpnClaim": false,
      "passthroughClaimsWithNoMapping": false,
      "mapUnknownClaimsAsIs": false,
      "mapIdentities": false
    }
    ```

  1. Scroll to the bottom of the tab and click Enable.

  1. On the Usage tab, click Download (next to Identity Provider Metadata). You'll need to upload this file to Netography as part of the Post-Configuration steps.

  1. When defining mappings in the SAML2 Web App, attributes are read from the user profile. Since Auth0's user_metadata is not inherently part of the user profile, these fields have to be mapped manually. Required mappings are given_name, family_name, email and role.

    1. Go to Dashboard > Auth Pipeline > Rules and click Create.

🚧 Rules will be deprecated by 2024 in Auth0. For more information, see migrating from Rules to Actions.

    1. In the list choose Enrich Profile > SAML Attributes mapping.

    1. Name the mapping “SAML Attributes mapping” and paste the following code into the Script textarea.

  ```javascript
  // Auth0 rule: expose user_metadata fields and other profile attributes
  // as SAML attributes so Netography receives the required mappings.
  function mapSamlAttributes(user, context, callback) {
    context.samlConfiguration.mappings = {
      "given_name": "user_metadata.given_name", // required
      "family_name": "user_metadata.family_name", // required
      "email": "email", // required
      "role": "role", // required
      "nickname": "nickname", // optional
      "phone_number": "phone_number", // optional
      "picture": "picture" // optional
    };
    callback(null, user, context);
  }
  ```

Netography Post-Configuration

  1. Return to the Netography portal, and upload the Identity Provider metadata file you downloaded above in the Provider section of the SAML Single Sign-On Settings.

  1. Click Next.

  1. Now configure the User attribute mappers to match the mapper values configured in Auth0 above:

  1. Click Next.

  1. Next configure the Default user role and role mappers:

    1. Default user role: This is the role an IDM-authenticated user will default to if the role mappings are not found in the SAML exchange. For security purposes, we recommend setting this value to "readonly", but you may want to set this to "admin" as you are testing your configuration.

    2. Admin role mappers: Configure these according to the screenshot below:

  1. Click the Save button.
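Before switching the Default user role from "admin" to "readonly", it is worth confirming that the Auth0 rule and addon mappings above actually produce the four required attributes. The script below is an added example, not Netography or Auth0 code: it parses a SAML Response and reports which required attributes are missing, on the assumption that Auth0 emits each mapping key (given_name, family_name, email, role) as the SAML attribute Name. The sample response is constructed and deliberately omits role.

```python
"""Check a SAML Response for the attributes Netography expects from the Auth0 mappings."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Attribute names required by the Netography mappers (assumed to equal the mapping keys).
REQUIRED = ("given_name", "family_name", "email", "role")

# Constructed sample of what the IdP posts to the Assertion consumer service URL
# (a real response arrives base64-encoded in the SAMLResponse field and is signed).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="given_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="family_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def saml_attributes(response_xml: str) -> dict:
    """Return {attribute name: [values]} collected from every AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def missing_required(attrs: dict) -> list:
    """Names from REQUIRED that are absent or empty. If 'role' is among them,
    the login falls back to the Default user role configured in Netography."""
    return [name for name in REQUIRED if not any(attrs.get(name, []))]


if __name__ == "__main__":
    missing = missing_required(saml_attributes(SAMPLE_RESPONSE))
    for name in missing:
        print(f"missing attribute: {name}")
    if "role" in missing:
        print("role not asserted: the Default user role will apply to this login")
```

To check a live login, base64-decode the SAMLResponse form field captured from a test sign-in and pass the XML to saml_attributes.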

Done! Now your users can log in directly via your identity provider using a new account-specific login URL. The new SSO Login URL can be found under the Essentials settings in the SAML Single Sign-On Settings page.

🚧 The default login will still work for your account administrator, which is not bound to your IDM.