Configure AUTH0 for IdP

Lighthouse can be added as an Enterprise application to AUTH0. This example uses “App roles” to grant users permissions.

Create an Application (Enterprise applications)

1. Go to Auth0.

2. Go to Applications > Application.

3. Click Create application.

   1. Select Regular Web Application.

   2. Name the application, for example, Lighthouse.

4. Go to Settings tab.

1. Select SAML.

2. Set Application Login URI to:

https://{main lighthouse address}/api/v3.7/sessions/saml/sp_init/auth0

3. In Allowed Callback URLs add each address for each Lighthouse that you want to allow users to sign-in via (that is, IP, hostname, dns for both primary and secondary).

   https://{primary lighthouse address}/api/v3.7/sessions/saml/sso/auth0
https://{primary lighthouse IP address}/api/v3.7/sessions/saml/sso/auth0
https://{secondary lighthouse address}/api/v3.7/sessions/saml/sso/auth0
https://{secondary lighthouse IP address}/api/v3.7/sessions/saml/sso/auth0

4. Click Save.

5. Go to the Addons tab:

   1. Click SAML2.

   2. Go to the SAML settings tab.

   3. Set the Settings json to:

   {
"audience": "lighthouse-auth0",
"mappings": {
"roles": "LH_Groups"
},
"passthroughClaimsWithNoMapping": true,
"mapUnknownClaimsAsIs": true,
"nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"nameIdentifierProbes": [
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
]
}

   4. Click either Enable or Save.

6. Go to Actions > Triggers > post-login.

7. Click Add Action.

8. Select Build from Scratch.

9. Name the build, for example Lighthouse Roles to Groups SAML mapping.

   Note: Leave the Trigger and Runtime unchanged.
   

10. Click Create.

11. Update the Handler to:

    exports.onExecutePostLogin = async (event, api) => {
if (event.authorization && event.authorization.roles) {
api.user.setAppMetadata("roles", event.authorization.roles);
}
};

12. Click Save and Deploy.