Configure AUTH0 for IdP

Lighthouse can be added as an Enterprise application to AUTH0. This example uses “App roles” to grant users permissions.

Create an Application (Enterprise applications)

  1. Go to Auth0.

  2. Go to Applications > Application.

  3. Click Create application.

    1. Select Regular Web Application.

    2. Name the application, for example, Lighthouse.

  4. Go to Settings tab.

    1. Select SAML.

    2. Set Application Login URI to
       https://{main lighthouse address}/api/v3.7/sessions/saml/sp_init/auth0

    3. In Allowed Callback URLs, add an address for each Lighthouse that you wish to allow users to sign in via (that is, the IP address, hostname, and DNS name of both the primary and each dependent Lighthouse).

       https://{primary lighthouse address}/api/v3.7/sessions/saml/sso/auth0
       https://{primary lighthouse IP address}/api/v3.7/sessions/saml/sso/auth0
       https://{secondary lighthouse address}/api/v3.7/sessions/saml/sso/auth0
       https://{secondary lighthouse IP address}/api/v3.7/sessions/saml/sso/auth0

    4. Click Save.

  5. Go to the Addons tab:

    1. Click SAML2.

    2. Go to the SAML settings tab.

    3. Set the Settings json to

       {
         "audience": "lighthouse-auth0",
         "mappings": {
           "roles": "LH_Groups"
         },
         "passthroughClaimsWithNoMapping": true,
         "mapUnknownClaimsAsIs": true,
         "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
         "nameIdentifierProbes": [
           "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
         ]
       }

    4. Click either Enable or Save.

  6. Go to Auth Pipeline.

  7. Go to Rules.

  8. Click Create.

    1. Select empty rule template.

    2. Name it appropriately, for example, Map roles to SAML user property.

    3. Set the script to

       function mapSamlAttributes(user, context, callback) {
         user.roles = (context.authorization || {}).roles;
         callback(null, user, context);
       }

    4. Click Save.
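The Settings json from step 5 and the Rule from step 8 only work together: the Rule copies the user's Authorization Core roles onto the user profile as `roles`, and the addon's `"mappings"` entry renames that profile property to the `LH_Groups` SAML attribute that Lighthouse reads for group membership. The following is an added example, not code from the Lighthouse documentation or from Auth0, that models this chain offline. The Rule is reproduced as written above; the addon behaviour (`buildSamlAttributes`, `selectNameId`, `STANDARD_CLAIMS`, `runLogin`, `lighthouseGroups`) is a simplified assumption about how Auth0 applies the settings, and the two sample logins are constructed. It also shows the edge case a practitioner should expect: a user with no roles assigned authenticates successfully but arrives at Lighthouse with no `LH_Groups` attribute, and a user with no email yields no NameID.

```javascript
// Added example; not code from the Lighthouse documentation or from Auth0.
// Models, offline, how the pieces configured above chain together:
//   Rule  ->  user.roles  ->  SAML2 addon "mappings"  ->  LH_Groups attribute.
// The addon model (buildSamlAttributes, selectNameId, STANDARD_CLAIMS) is an
// assumption about Auth0's behaviour, simplified for illustration.

// The SAML2 addon settings exactly as given on the page.
const SAML_SETTINGS = {
  audience: "lighthouse-auth0",
  mappings: { roles: "LH_Groups" },
  passthroughClaimsWithNoMapping: true,
  mapUnknownClaimsAsIs: true,
  nameIdentifierFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  nameIdentifierProbes: [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  ],
};

// Assumed: the profile property that the standard claim URI listed in
// nameIdentifierProbes refers to.
const STANDARD_CLAIMS = {
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
};

// The Rule from the page, unchanged. Authorization Core populates
// context.authorization.roles only for users that have roles assigned.
function mapSamlAttributes(user, context, callback) {
  user.roles = (context.authorization || {}).roles;
  callback(null, user, context);
}

// Model of the addon's attribute mapping (assumption): a profile property
// listed in "mappings" is emitted under the mapped name; other properties
// pass through under their own name because passthroughClaimsWithNoMapping
// is true. Properties with no value are skipped, so a user without roles
// gets no LH_Groups attribute at all.
function buildSamlAttributes(settings, user) {
  const attributes = {};
  for (const [prop, value] of Object.entries(user)) {
    if (value === undefined || value === null) continue;
    const mappedName = settings.mappings[prop];
    if (mappedName) {
      attributes[mappedName] = value;
    } else if (settings.passthroughClaimsWithNoMapping) {
      attributes[prop] = value;
    }
  }
  return attributes;
}

// The first probe claim the user actually has becomes the NameID (assumption).
// Returns null when none matches, which leaves the SP with no subject to accept.
function selectNameId(settings, claimsTable, user) {
  for (const probe of settings.nameIdentifierProbes) {
    const prop = claimsTable[probe];
    if (prop && user[prop]) return user[prop];
  }
  return null;
}

// Runs the Rule, then the addon model, and returns what the SP would receive.
function runLogin(profile, context) {
  let mapped = null;
  let error = null;
  mapSamlAttributes({ ...profile }, context, (err, user) => {
    error = err;
    mapped = user;
  });
  if (error) throw error;
  return {
    audience: SAML_SETTINGS.audience,
    nameIdFormat: SAML_SETTINGS.nameIdentifierFormat,
    nameId: selectNameId(SAML_SETTINGS, STANDARD_CLAIMS, mapped),
    attributes: buildSamlAttributes(SAML_SETTINGS, mapped),
  };
}

// Groups Lighthouse would read from the assertion; [] when the attribute is
// absent, i.e. the user authenticates but carries no group membership.
function lighthouseGroups(assertion) {
  const groups = assertion.attributes.LH_Groups;
  return Array.isArray(groups) ? groups : [];
}

// Constructed sample logins (not real accounts).
const WITH_ROLE = runLogin(
  { email: "alice@example.com", name: "Alice" },
  { authorization: { roles: ["LH_Admins"] } },
);
const WITHOUT_ROLE = runLogin({ email: "bob@example.com", name: "Bob" }, {});

console.log(JSON.stringify(WITH_ROLE, null, 2));
console.log("groups for bob:", lighthouseGroups(WITHOUT_ROLE));
```

The point of the model is the check it makes visible: `roles` never reaches Lighthouse under its own name, only as `LH_Groups`, so if the Rule is not enabled or the user has no role assigned in Authorization Core, the assertion is valid but carries no groups, and Lighthouse has nothing to grant permissions on.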