Question on AWS SSO article



I have a question about this article:

When creating a role on AWS, is there any way to restrict who from my Auth0 setup can log into a role by email? I tried adding the SAML:mail attribute but that doesn’t seem to work. I am currently storing the mapping of roles in the user’s metadata profile.

  "awsRole": [

where xxxx are real AWS account ids. Then I have a rule with this code:

```javascript
function (user, context, callback) {

  user.awsRole = user.user_metadata.awsRole;
  user.awsRoleSession = undefined; // value missing from the post as quoted

  context.samlConfiguration.mappings = {
    '': 'awsRole',        // attribute name missing from the post as quoted
    '': 'awsRoleSession'  // attribute name missing from the post as quoted
  };

  callback(null, user, context);
}
```

So, a role should not show up for a user unless it is specified in their user metadata ‘awsRole’ attribute. Is that enough? Or would there also be a way to limit the Trust relationship from the default in AWS:

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxx:saml-provider/auth0SamlProvider"
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": ""