Single Sign-On for Regular Web Apps


This document details the requirements for DNS records used for PSaaS Appliance instances.

DNS records must be finalized for all of the tenants prior to PSaaS Appliance deployment. They cannot be changed afterwards.

You’ll need one certificate per environment (for example, if you have a Dev/Test environment and a Prod environment, you’ll need two certs).

If you’d like to use a Webtask Dedicated Domain, you’ll need an additional DNS zone and certificate for each environment. If you have a Dev/Test environment and a Prod environment, you’ll need a total of two certificates per environment.

Dedicated and non-dedicated host names must be unique.


Sample DNS Naming Scheme

Management Dashboard
App Tenant(s) (for example); (if you want more than 1 App tenant)
...and so on

For a dev/test non-production PSaaS Appliance, a common practice is to include "dev" in the domain name:

Management Dashboard (Dev)
Configuration (Dev)
Webtask (Dev)
App Tenant(s) (Dev) (for example); (if you want more than 1 App tenant)
...and so on


Definitions of Terms Used in the DNS Naming Scheme

  • Configuration: highly-privileged tenant used to do the PSaaS Appliance baseline configuration and for managing the security of other tenants;
  • App: the name of your application;
  • your organization's domain name.


The Auth0 PSaaS Appliance is capable of supporting multi-tenancy (that is, each tenant may have one or more associated apps). Auth0 may recommend this deployment model when multiple groups within your company share the PSaaS Appliance for different projects. If a customer decides to create multiple app tenants, each app tenant must have its own DNS entry.

DNS Configuration Requirements

In a standard multi-node cluster deployment, the DNS records will point to the IP address of the load balancer in front of the cluster.

IP Addresses and DNS Records

For a single-node PSaaS Appliance instance, the DNS record(s) will point to the IP address of the virtual machine itself (this is often the case for the development/test node).

Auth0 does not recommend using the same wildcard certificate(s) for Production and non-Production (Test/Development) environments or mapping the DNS for both environments to the same servers.


The hostname (such as must be at least three characters long and must not contain any underscores (_).

The following are reserved tenant names and may not be used for the app tenant.

login admin app manage blog
ftp mail pop pop3 imap
smtp stage stats status dev
logs www docs sdk ci
docker styleguide ask it cdn
api releases release spf feedback
help support int auth

Please note that the Levenshtein distance from auth0 to the supplied name must be greater than two. This means that tenant names like auth or authy (and other similar names) cannot be used.

To see if your tenant name meets this requirement, you can validate your selections using a Levenshtein Distance calculator.

The Management Dashboard, Configuration Tenant, and App Tenant(s) must all be a part of the same parent domain (such as

Three- or four-part domain names are supported (such as

Custom Domains

In the PSaaS Appliance, you may map any arbitrary domain name to a tenant using the Custom Domains feature. You may also map multiple custom domains to a single tenant.

Suppose these were your standard domains:

Root Tenant Authority Sample Tenant Custom Domain for the Sample Tenant

Please note that all tenant names are derived from the base Configuration Tenant. However, you may set your custom domain to point toward any of your tenants (in the example above, maps to, and the latter may be used by your applications).