Integrating AWS SSO with Auth0
Every SSO integration presents a new set of challenges, because you are connecting technologies built on standards that each vendor may implement differently. Often you can reuse design patterns from earlier integrations, and follow best practice and the vendor documentation, to enable your use case while keeping user friction to a minimum.
I wanted to integrate Auth0 (as the IdP) with AWS SSO (as the SP), and my primary goal was to use Topcoder handles as the NameID. Topcoder requires users to select a unique handle during registration; the handle is immutable, whereas the email address a handle is tied to can change. My goal was to use this immutable attribute as the foreign key, or NameID, into AWS SSO. Provisioning users in AWS SSO likewise requires an immutable value for the Username.
Reviewing the requirements for SSO on AWS using a separate IDP
AWS SSO requires a SAML NameID format of email address (that is, urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).
That requirement, and the following one, appear on the same page of the AWS documentation:
The value of the NameID field in assertions must be an RFC 2822 (https://tools.ietf.org/html/rfc2822) addr-spec compliant ("name@domain.com") string (https://tools.ietf.org/html/rfc2822#section-3.4.1).
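Taken together, those two requirements mean a bare handle cannot be the NameID: the value has to be email-shaped even though the handle is the key. The following is an added example, not code from the original post, Auth0 or AWS: an Auth0 rule in the (user, context, callback) shape that derives the NameID sent to AWS SSO from the immutable handle rather than the mutable email, and a local check of the result against the two requirements quoted above. Everything it assumes is hypothetical: the handle is stored in user.app_metadata.handle, the AWS SSO application's Auth0 client id is the placeholder AWS_SSO_CLIENT_ID, the synthetic domain is sso.example.com, and the Auth0 samlConfiguration semantics (mappings map claim name to user property, nameIdentifierProbes lists the claims tried for the NameID) are as described in Auth0's rule documentation.

```javascript
// Added example (not from the original post, Auth0 or AWS). Assumptions are marked below.

const EMAIL_NAMEID_FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';
const AWS_SSO_CLIENT_ID = 'AWS_SSO_CLIENT_ID'; // placeholder for the real Auth0 client id
const NAMEID_DOMAIN = 'sso.example.com';       // hypothetical domain controlled by the IdP operator
const NAMEID_CLAIM = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier';

// RFC 2822 addr-spec restricted to the dot-atom form (no quoted local parts, no domain
// literals, no comments or whitespace). A handle that is not valid atext is rejected
// rather than mangled, so the key stays exactly the handle.
const ATEXT = "[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+";
const DOT_ATOM = `${ATEXT}(?:\\.${ATEXT})*`;
const ADDR_SPEC = new RegExp(`^${DOT_ATOM}@${DOT_ATOM}$`);

function isAddrSpec(value) {
  return typeof value === 'string' && value.length <= 254 && ADDR_SPEC.test(value);
}

// Check a (Format, value) pair against the two AWS SSO requirements quoted in the post.
function checkAwsSsoNameId(format, value) {
  if (format !== EMAIL_NAMEID_FORMAT) {
    return { ok: false, reason: 'NameID Format must be the SAML 1.1 emailAddress URN' };
  }
  if (!isAddrSpec(value)) {
    return { ok: false, reason: 'NameID value is not an RFC 2822 addr-spec' };
  }
  return { ok: true, reason: '' };
}

// Build the synthetic address: the handle is the local part, the domain is constant.
function nameIdFromHandle(handle) {
  const nameId = `${handle}@${NAMEID_DOMAIN}`;
  if (!isAddrSpec(nameId)) {
    throw new Error(`handle ${JSON.stringify(handle)} cannot form an addr-spec`);
  }
  return nameId;
}

// The rule itself. Assumed Auth0 semantics: samlConfiguration.mappings is
// { claimName: userProperty } and nameIdentifierProbes lists claims tried in order.
function awsSsoNameIdRule(user, context, callback) {
  if (context.clientID !== AWS_SSO_CLIENT_ID) {
    return callback(null, user, context); // leave every other application untouched
  }
  const handle = user.app_metadata && user.app_metadata.handle;
  if (!handle) {
    // Fail closed: never fall back to the mutable email as the key.
    return callback(new Error('user has no handle; refusing to issue a NameID'));
  }
  let nameId;
  try {
    nameId = nameIdFromHandle(handle);
  } catch (e) {
    return callback(e);
  }
  user.aws_sso_name_id = nameId; // hypothetical user property the mapping points at
  context.samlConfiguration = context.samlConfiguration || {};
  context.samlConfiguration.nameIdentifierFormat = EMAIL_NAMEID_FORMAT;
  context.samlConfiguration.mappings = Object.assign(
    {}, context.samlConfiguration.mappings, { [NAMEID_CLAIM]: 'aws_sso_name_id' });
  context.samlConfiguration.nameIdentifierProbes = [NAMEID_CLAIM];
  return callback(null, user, context);
}

// Run the rule against constructed inputs (no tenant needed) and return what AWS SSO
// would receive, so the requirements can be checked before the IdP is wired up.
function simulate(handle, email, clientID) {
  const user = { email, app_metadata: handle === undefined ? {} : { handle } };
  const context = { clientID, samlConfiguration: {} };
  let result;
  awsSsoNameIdRule(user, context, (err, u, c) => {
    if (err) { result = { error: err.message }; return; }
    const probe = (c.samlConfiguration.nameIdentifierProbes || [])[0];
    const prop = probe && c.samlConfiguration.mappings ? c.samlConfiguration.mappings[probe] : undefined;
    result = { format: c.samlConfiguration.nameIdentifierFormat, value: prop ? u[prop] : undefined };
  });
  return result;
}

// Constructed sample run: the handle, not the email, ends up in the NameID.
const sample = simulate('tc_user', 'someone@example.org', AWS_SSO_CLIENT_ID);
console.log(sample, checkAwsSsoNameId(sample.format, sample.value));
```

The rule refuses to issue a NameID when the handle is missing or cannot form a valid local part; silently falling back to the email would reintroduce exactly the mutable key the integration is trying to avoid, and a changed email would then surface in AWS SSO as a brand-new user.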