> ## Documentation Index
> Fetch the complete documentation index at: https://docs-staging-quickstart-revamp.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn how to configure Amazon Web Services (AWS) for delegated authentication.

# Configure Amazon Web Services for Delegated Authentication

You can configure Amazon Web Services (AWS) for delegated authentication with Auth0. To learn more, [Configure Amazon Web Services for Single Sign-on](/docs/customize/integrations/aws/configure-amazon-web-services-for-sso) and [Secure AWS API Gateway Endpoints Using Custom Authorizers](/docs/customize/integrations/aws/aws-api-gateway-custom-authorizers).

## Create a SAML provider in AWS

1. Log in to AWS, and go to the [IAM console](https://console.aws.amazon.com/iam). Using the left-hand navigation menu, select **Identity Providers**. Click **Create Provider**. Set the following parameters:

   <table class="table">
     <thead>
       <tr>
         <th>Parameter</th>
         <th>Description and Sample Value</th>
       </tr>
     </thead>

     <tbody>
       <tr>
         <td>Provider Type</td>
         <td>The type of provider. Set as <Tooltip tip="Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=%60SAML%60">`SAML`</Tooltip></td>
       </tr>

       <tr>
         <td>Provider Name</td>
         <td>A descriptive name for the provider, such as <code>auth0SamlProvider</code></td>
       </tr>

       <tr>
         <td>Metadata Document</td>
         <td>Upload the file containing the Auth0 metadata, found in <strong>Dashboard > Applications > Application Settings > Advanced Settings > Endpoints > SAML Metadata URL</strong></td>
       </tr>
     </tbody>
   </table>
2. Click **Next Step**.
3. Verify your settings and click **Create** if everything is correct.

## Create a role for your SAML provider

To use the provider, you must create an IAM role using the provider in the role's trust policy.

1. In the IAM console, go to [Roles](https://console.aws.amazon.com/iam/home#/roles). Click **Create role**. You'll be redirected to the **Trust** page. Indicate **Saml 2.0 federation** under **Select type of trusted entity**. Provide the following values:

   <table class="table">
     <thead>
       <tr>
         <th>Parameter</th>
         <th>Value</th>
       </tr>
     </thead>

     <tbody>
       <tr>
         <td>SAML Provider</td>
         <td>The name for your new role</td>
       </tr>

       <tr>
         <td>Attribute</td>
         <td><code>SAML:iss</code></td>
       </tr>

       <tr>
         <td>Value</td>
         <td><code>urn:{yourDomain}</code></td>
       </tr>
     </tbody>
   </table>
2. Click **Next: Permissions** to proceed.
3. You will need to attach permissions policies to your new role. You'll attach a custom policy. To create one, click **Create Policy**.
4. In the **Create policy** editor that launches, switch over to the **JSON** tab. Provide a custom policy.

   ```json lines
   {
     "Version": "2012-10-17",
     "Statement": [{
         "Effect": "Allow",
         "Action": [
           "*"
         ],
         "Resource": [
         "arn:aws:s3:::{yourBucket}/<%= '${saml:sub}' %>",
         "arn:aws:s3:::{yourBucket}/<%= '${saml:sub}' %>/*"]
     }]
   }
   ```

   This defines the permissions that users granted this role will have with AWS. Click **Review policy**.
5. Review the policy that you've created. Be sure to provide a **Name** for your policy and (optionally) a **Description**.
6. Click **Create policy** when done. If successful, you'll see the following message confirming the creation of your new policy: "auth0SamlRolePolicy has been created".
7. Returning to the role creation wizard (you should be on step **2 - Permissions**), find the new policy you just create and click its checkbox to attach the policy to your role. We recommend using the **Customer managed** filter to find your policy.
8. Click **Next: Review** to proceed.
9. Review the information about your role, provide a **Role name**, and optionally a **Role description**. You'll see the policy you attached as well. If everything looks correct, click **Create role** to proceed.
10. Once created, you can find your roles located on the primary **Roles** page.

## Copy the ARN Values

The following instructions will show you where you can find the Provider and Role ARN values.

### Provider ARN

In the IAM console, go to [Identity providers](https://console.aws.amazon.com/iam/home#/providers). Select the role in which you're interested to open up its summary page. Copy the **Provider ARN** value, which is listed first under **Summary**.

### Role ARN

In the IAM console, go to [Roles](https://console.aws.amazon.com/iam/home#/roles). Select the role in which you're interested to open up its summary page. Copy the **Role ARN** value, which is listed first under **Summary**.
