Before you start

  • Subscribe to an Enterprise plan. For more information, read Manage Subscriptions.
  • Determine whether you’re using Public Cloud or Private Cloud. For Private Cloud-related prerequisites to these instructions, see Deploy Private Cloud.
You can configure Auth0 to allow Tenant Members to use your own Enterprise identity provider () to authenticate to the through (SSO).

How it works

Configuring SSO for the Dashboard requires you to work with Auth0 Support to add an Enterprise connection to the root tenant authority (RTA), which manages the available authentication methods a Tenant Member can use to log in to the Dashboard. Adding this SSO connection does not restrict Tenant Members from logging in using the existing authentication methods (such as email/password, LinkedIn, Microsoft, GitHub, or Google). Configuring SSO for the Dashboard also enables SSO for all public Auth0 sites, such as:

User experience

When an authorized user goes to log in to the Dashboard, they enter their email address for a registered domain (for example, user@example.com) into the Auth0 page, and then are redirected to your IdP to complete authentication.

Limitations

Before you decide to configure SSO for the Dashboard, please consider the restrictions:
  • SSO cannot be limited to specific tenants.
  • SSO does not support IdP-initiated authentication flows.
  • Tenant Member invitations cannot be automated or sent in bulk with the Auth0 .
  • Tenant Member access cannot be managed by your IdP’s group memberships.
  • cannot be enforced for all members of a tenant.

Considerations

Full directory access to Dashboard

When you add your IdP as an available connection for Tenant Members to log in on, all of the users in your IdP’s directory are able to access the Dashboard, but only the Tenant Members who have been invited to a given tenant are able to access that tenant. When users attempt to access a tenant in the Dashboard without an invitation, the system denies the operation. If users do not belong to any tenants, the system prompts them to complete their user profile and create a new trial tenant. Creating a new trial tenant does not associate it with your Enterprise plan.

Residual Tenant Member identities

If a Tenant Member was invited (and had access) to a tenant in the Dashboard using a different identity than the one created on the new connection, they will still—technically—be able to use that identity to access the tenant. You’ll have to decide if you want to remove their old identity, or keep it as a potential alternative authentication method.

Configure SSO for the Dashboard

Configuring SSO for the Dashboard requires a series of steps shared between you and Auth0 Support.

Share IdP configuration data

Open a ticket with Auth0 Support to share your IdP’s configuration data so they can set up the SSO configuration. Include the following information when you submit your ticket:
  • Email domain(s) you’d like to associate with the SSO configuration
  • Name of the IdP
  • Authentication protocol
  • Additional IdP-specific information
There are additional configuration steps required depending on the IdP and authentication protocol you’d like to use:

ADFS (SAML)

  1. Create a Relying Party Trust with the following properties:
    PropertyValues
    Entity IDurn:auth0:auth0:{assignedConnectionName}
    Callback endpointhttps://auth0.auth0.com/login/callback
  2. Add a claim description for each of the following claims:
    ClaimClaim identifierValue
    Name Identifierhttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifierE-Mail-Addresses or User-Principal-Name
    Email Addresshttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressN/A
    Namehttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameN/A
  3. Enable the SAML 2.0 endpoint.
  4. Provide Auth0 Support with the following information:
    • Login endpoint (for example, https://{yourServer}/adfs/ls)
    • Signing certificate, or the SAML metadata XML file

Azure AD (OIDC)

  1. Create a new App registration.
  2. Set the Redirect URI type to Web, and the value to https://auth0.auth0.com/login/callback.
  3. Select Register.
  4. Enable the Implicit Grant for the ID Token.
  5. Add the email claim to the ID Token.
  6. Provide Auth0 Support with the following information:
    • The application (client) ID
    • The OIDC metadata endpoint (for example, https://login. microsoftonline.com/{yourAzureAdTenantId}/v2.0/.well-known/openid-configuration)

Azure AD (SAML)

  1. Create a new Enterprise Application.
  2. Set up single sign-on for SAML with the following properties (you may need to use placeholder values until Auth0 Support can provide you with the SSO connection’s name):
    PropertyValue
    Identifier (Entity ID)urn:auth0:auth0:{assignedConnectionName}
    Reply (ACS) URLhttps://auth0.auth0.com/login/callback
    Sign-on URLhttps://manage.auth0.com/login?connection={assignedConnectionName}
  3. Leave the Attributes & Claims section - including email, Unique User Identifier, and optionally name - unchanged from Azure’s suggestions.
  4. Provide Auth0 Support with the SAML metadata XML data. You can either:
    • Share the App Federation Metadata URL (for example, https://login.microsoftonline.com/{azureAdTenantId}/federationmetadata /2007-06/federationmetadata.xml?appid={appId}).
    • Download the Federation Metadata XML document and attach it to the ticket.

Google (SAML)

Auth0 supports configuring SSO for the Dashboard with a Google IdP, but it’s recommended that you direct users to log in with the existing Google authentication method. When a user logs in to the Google SAML IdP, Auth0 creates a new user identity for them (separate from their existing Google user identity), which may be confusing. If you’d like to set up SSO for the Dashboard with a Google SAML IdP, read Generic IdP (SAML) for instructions.

Okta (SAML)

  1. Create a SAML application with the following properties (you may need to use placeholder values until Auth0 Support can provide you with the SSO connection’s name):
    PropertyValue
    Entity IDurn:auth0:auth0:{assignedConnectionName}
    Callback endpoint (ACS URL)https://auth0.auth0.com/login/callback
  2. Set the Name Identifier to send the email address of the user.
  3. Provide Auth0 Support with the SAML metadata XML data. You can either:
    • Share the SAML metadata XML URL:
      1. Locate the SAML Signing Certificates section.
      2. Select the Actions menu.
      3. Select View IdP metadata, and then select Copy Link Address. It will have this format: https://{org}.okta.com/app/{appId}/sso/saml/metadata.
    • Download the SAML metadata XML file and attach it to the ticket.
IdP-initiated authentication flows
SSO for the Dashboard does not support IdP-initiated authentication flows. If you want users to be able to select a chiclet to log in to the Dashboard you need to:
  1. Hide the SAML app from users.
  2. Create a Bookmark App that points to https://manage.auth0.com/login?connection={assignedConnectionName}. This is the application that users will be able to select to log in.
Make sure you enable both the SAML application and the Bookmark App for the same set of users that can use the application.

OneLogin (SAML)

  1. Create a SAML Test Connector (SP) with the following properties (you may need to use placeholder values until Auth0 Support can provide you with the SSO connection’s name):
    PropertyValue
    Entity IDurn:auth0:auth0:{assignedConnectionName}
    Callback endpoint (ACS URL)https://auth0.auth0.com/login/callback
    Login URLhttps://manage.auth0.com/login?connection={assignedConnectionName}
  2. Provide Auth0 Support with the SAML metadata XML file.

Generic IdP (OIDC)

  1. Register an application (client) with the IdP with the following properties:
    PropertyValue
    Callback URLhttps://auth0.auth0.com/login/callback
  2. Add the email claim to the ID Token.
  3. Provide Auth0 Support with the:
    • Application (client) ID
    • Issuer URL or OIDC metadata endpoint (for example, https://{idpDomain}/[...]/.well-known/openid-configuration)
Auth0 Support will use Implicit Mode with Form Post flow, if available. If your IdP does not support this, then you’ll need to provide them with your application’s client secret.

Generic IdP (SAML)

  1. Auth0 Support will provide you with the SSO connection’s name.
  2. Create a SAML application with the following properties:
    PropertyValue
    Entity IDurn:auth0:auth0:{assignedConnectionName}
    Callback endpointhttps://auth0.auth0.com/login/callback
  3. Ensure that the SAML assertions contain the following claims:
    ClaimClaim identifierValue
    Name Identifierhttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifierupn or emailaddress
    Email Addresshttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressN/A
    Namehttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameN/AA
  4. Provide Auth0 Support with either the:
    • Sign-in URL and signing certificate
    • SAML metadata XML file

Set up SSO connection

The Auth0 Support team uses the configuration data you provide to complete initial setup of the SSO connection. Home Realm Discovery (HRD) is not configured during initial setup.

Test SSO connection

When initial setup of the SSO connection is complete, the Auth0 Support team has you test the SSO connection to ensure the configuration data was correct, and that Tenant Members can authenticate on the SSO connection in the manner you’re looking for. The Auth0 Support team provides you with a direct login URL you can use to prompt authentication for the new SSO connection. For example: https://manage.auth0.com/login?connection={assignedConnectionName}

Enforce SSO with Auth0 Teams

If you use Auth0 Teams with your Enterprise tenant, you can enforce SSO authentication for the tenants that belong to the Teams account. To learn more about tenant administration and management, read Auth0 Teams.
  1. Open a new browser and enter your Teams account and identifier: https://accounts.auth0.com/teams/{team-identifier}.
    You can get the Teams identifier in the URL or the Teams Settings.
  2. Navigate to the Security page.
  3. Configure the Security Policies by selecting Enforce Single Sign On.

Enable Home Realm Discovery (optional)

If you’re using Universal Login or Classic Login, you can request to enable HRD, so the login page recognizes the domain of the email address the Tenant Member enters, and then directs them to the new SSO connection.

When to enable HRD

If HRD is enabled, Tenant Members that previously used an email/password identity (with an email matching the configured HRD domain) won’t be able to log in through the login page, and HRD is only compatible with email identifiers. Due to this change in behavior, request to enable HRD only after at least some of the current Tenant Members are aware of the change, and that they know that they’ll either:
  • Receive an invitation to join the tenants under the new identity
  • Need to re-invite themselves with the new identity

How to bypass HRD

If a Tenant Member needs to log in with their email/password identity, you can provide them with a direct login URL: https://manage.auth0.com/login?connection=auth0 This URL bypasses HRD, and allows them to log in with their email/password identity.

Example of HRD login behavior

Here’s an example of a list of Tenant Members:
TenantTenant MemberConnectionAffected?
fabrikam@ususer1@example.comemail/passwordYes
fabrikam@ususer1@gmail.comgoogle-oauth2No
fabrikam@ususer2@example.comgithubNo
fabrikam@ususer3@acme.comemail/passwordNo
fabrikam@ususer4@example.comemail/passwordYes
fabrikam-dev@ususer5@example.comemail/passwordYes
fabrikam-dev@ususer1@example.comemail/passwordYes
If we associate the example.com domain to the new connection, the Tenant Members user1@gmail.com, user2@example.com, and user3@acme.com are able to log in as they have previously, because they use either a social provider, or an email with a unassociated domain. Alternatively, the Tenant Members user1@example.com, user4@example.com, and user5@example.com are not able to log in as they have previously, because their emails are associated with the domain configured for HRD.

Migrate existing Tenant Members

The process to migrate existing Tenant Members depends on whether you have enabled HRD.

How to migrate with HRD disabled

To migrate Tenant Members with HRD disabled, you need to share the direct login URL for the new SSO connection: https://manage.auth0.com/login?connection={assignedConnectionName}
  1. Create a new Tenant Member invitation for the Tenant Member.
  2. Instruct the Tenant Member to:
    1. Log in on the new SSO connection by using the direct login URL before accepting the invitation.
      If this is the first time they are logging in on the new SSO connection, they may see a profile enrichment page (at https://auth.com/profile). Do not fill out any fields or select Next. Instead, follow the next step.
    2. Copy and paste the invitation URL they received in the invitation email into the same browser where they logged in on the new SSO connection. Users should not select Create Account.
    3. Accept the invitation.
    4. If the user has invitations for other tenants, they can use them at this time.

How to migrate with HRD enabled

To migrate Tenant members with HRD enabled, you need to follow steps similar to adding Tenant Members:
  1. Create a new Tenant Member invitation for the Tenant Member.
  2. Instruct the Tenant Member to:
    1. Log out of the Dashboard (if they had previously logged in with an old identity).
      If this is the first invitation they are accepting, they may see a “Create a new tenant” or “Create a new account” page. Do not select Next. Instead, follow the next step.
    2. Open the invitation link in the invitation email they received.
    3. Log in on the new connection.
    4. Accept the invitation.