Question on AWS SSO article

,

Hello,

I have a question about this article:

When creating a role on AWS, is there any way to restrict who from my Auth0 setup can log into a role by email? I tried adding SAML:mail attribute but that doesn’t seem to work. I am currently storing the mapping of roles in the user’s metadata profile.

{
  "awsRole": [
    "arn:aws:iam::xxxx:role/myrolename,arn:aws:iam::xxx:saml-provider/auth0SamlProvider"
  ]
}

where xxxx is real AWS account ids. Then I have a rule with this code:

function (user, context, callback) {

  user.awsRole = user.user_metadata.awsRole;
  user.awsRoleSession = user.email;

  context.samlConfiguration.mappings = {
    'https://aws.amazon.com/SAML/Attributes/Role': 'awsRole',
    'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'awsRoleSession'
  };

  callback(null, user, context);

So, a role should not show up for a user unless it is specified in their user metadata ‘awsRole’ attribute. Is that enough? Or would there also be a way to limit the Trust relationship from the default in AWS:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxx:saml-provider/auth0SamlProvider"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}

Thanks!