Tenant Check (B2C)

This section covers a list of configurations to check in your tenant. This should be done periodically during development and sufficiently before launch so you have time to fix anything amiss.

General tenant check

Tenant preparation check

Check to ensure you have set up tenant environments to support your SDLC lifecycle and that Dev, Test and Prod tenants are cleanly separated so that ongoing development work after launch doesn’t negatively impact your production environment.

Every company has some form of Software Development Life Cycle (SDLC), and throughout the development process you will want to align with that strategy. For instance, you need to be able to test your integration with Auth0 in a similar fashion as you test the applications themselves. It is therefore important to structure Auth0 tenants to support your SDLC, and there is a consistent pattern which our customers typically follow when it comes to the best practices associated with tenant layout for doing so:

Environment Sample Tenant Name Description
Development company-dev A shared environment where most of your development work occurs
QA/Testing company-qa or company-uat An environment for formal testing of the changes you've made
Production company-prod The production tenant

In some cases you may also want to create one or more sandboxes (e.g., company-sandbox1company-sandbox2) so that you can test changes without compromising your development environment. This might be where you test deployment scripts and the like.

Best Practice

You can also take advantage of our Implementation Checklists that you can download and customize to meet your implementation project needs.

Though Auth0 allows you to create as many free tenants as you'd like, you may be limited for the number of tenants where all paid features are enabled. If eligible, you can be provided with up to three tenants where all features are shared.

Tenant association check

To ensure that your tenants are all associated with your Auth0 contractual agreement and have the same features, ensure all your tenants are associated with your company account. If you have individual developers that want to create their own sandboxes for testing, make sure they get associated with your account so they have the same permissions too. To do this you should contact your Auth0 representative or the Auth0 Support Center.

Specify production tenant

To ensure Auth0 recognizes your production tenant, be sure to set your production tenant with the “production” flag in the Support Center.

Tenant production check

Auth0 provides a Production Check facility to detect many common errors. You should ensure this has been run and any findings from the report mitigated before launch.

In addition, you should check the best practice configurations advice, for which checking cannot be automated.

Tenant settings check

Tenant settings

Make sure to follow the Auth0 tenant settings recommendations in configuring your branding as well as your support email and support URL so users know how to get help if an issue occurs. You'll want to check your SSO Session Timeout settings and the list of dashboard admins with access to your production tenant as well.

Error page customization

If there are issues encountered during user interactive workflow (e.g. user sign up or login), Auth0 provides error messages that indicate what the problem is under the hood. The default messages are somewhat cryptic, especially to the end user, since they will likely be missing context that only you can supply. As such, we recommend customizing your error pages to provide the missing context-specific information directly to your users. Furthermore, customizing your error pages allows you to display your branding, not Auth0's, as well as provide useful information to your users as to what should be done next. This information might include a link to a FAQ or how to get in touch with your company's support team or help desk.

Best Practice

Out-of-the-box there is no user interface for customizing Auth0 provided error pages, but you can use the Tenant Settings endpoint of the Management API to configure them. Alternatively, if you can create and host your own error page, then you can have Auth0 direct users to that page instead of using the Auth0-hosted option.

Legacy feature flags off

If you have an older tenant, you may have various legacy feature flags enabled in your tenant settings advanced tab. If you have any toggles on in the “Migrations” section of this tab, you should review your usage and make plans to migrate off the legacy feature.

Delegated admin extension

While you are checking the list of users with access to your production tenant, don't forget to check any users specified in the Delegated Admin Extension.

Custom Domain Naming set up

By default, the URL associated with your tenant will include its name and possibly a region-specific identifier. For example, tenants based in the US have the a URL similar to https://example.auth0.com while those based in Europe have something that is of the fashion https://example.eu.auth0.com. A Custom Domain offers a way of providing your users with a consistent experience by using a name that’s consistent with your organization's brand.

Only one custom Domain Name can be applied per Auth0 Tenant, so if you absolutely must have independent domain name branding then you will require an architecture where multiple Auth0 Tenants are deployed to production.

In addition, Custom Domain functionality offers you complete control over the certificate management process. By default, Auth0 provides standard SSL certificates, but if you configure a custom domain, you can use Extended Validation (EV) SSL certificates or similar to provide the visual, browser-based cues that offer your visitors additional peace of mind.

In general, we see customers having the most success when they use a centralized domain for authentication - this is especially the case if the company offers multiple products or service brands. By using a centralized domain, you can provide end users with a consistent user experience while also minimizing the need to maintain multiple production tenants in Auth0.

Application and Connection settings check

Each of your connection settings should be reviewed against the connection configuration best practices.

In addition, you should review that all connections are appropriate and that no experimental connections are left in your production tenant as they could enable unauthorized access.

If you use SAML connections, it is a best practice to configure the connections to sign SAML requests.

Page customization check

If you use the Auth0 universal login page, password reset page, or Guardian multi-factor authentication, you should check that you have adequately customized the pages displayed to the end user.

Universal Login Page

Universal Login is the recommended method for authenticating users, and it centers around use of the Login page. You can customize the Login page to support your organization's branding requirements.

Best Practice

If you choose to customize the Universal Login page script, we strongly recommend that you make use of version control. To do this, you should deploy the script to your Auth0 tenant via deployment automation or via one of the alternative strategies.

Password reset page

The Password Reset page is used whenever a user takes advantage of password change functionality and, as with the login page, you can customize it to reflect your organization's particular branding requirements.

Guardian

The Multi-factor Authentication pages can be customized by adjusting the Universal Login branding options in the Universal Login Settings section.

If you need further customization, you can also customize the full HTML content to reflect your organization's particular UX requirements.

Authorization check

If you are using Auth0’s authorization feature, be sure to double check all privileges granted to ensure authorizations are appropriate for your production environment.

API configuration check

Access token expiration

You should double check the API access token expiration settings to ensure they are appropriate for each API in your production environment.

API offline access

If your application does not request refresh tokens, this should be off.

Access token signing algorithm

It is recommended that the API access token signing algorithm be set to RS256 rather than HS256 to minimize exposure of the signing key.

API Access token validation

If you have any custom APIs, be sure to check that they are adequately validating the access tokens they receive before using the information in them.

API Scopes

If you have applications making machine-to-machine calls to any of your APIs, you should review the scopes specified for the API to ensure they are all appropriate for your production environment. For further information see the documentation on client credentials grant.

Rules/Hooks check

You should also have aligned your rules with Auth0 rules best practices.

Email templates customized

Auth0 makes extensive use of email to provide both user notifications and to drive the functionality needed for secure identity management (for example, email verification, account recovery, and brute force protections), and Auth0 provides a number of templates for these.

Before customizing email templates, please set up your Email Provider.

Out of the box, the email templates used contain standard verbiage and Auth0 branding. However, you can configure almost every aspect of these templates to reflect the verbiage and user experience you want and make changes to things like the preferred language, accessibility options, and so forth.

Email templates are customized using Liquid syntax. If you are interested in customizing your templates based on user preferences, you will also have access to the metadata located in users' profiles, as well as any specific application metadata too.

Attack protection configured

The reason that authentication systems are important is to prevent bad actors from accessing applications and user data that they should not. We want to place as many barriers as possible between those bad actors and access to our systems. One of the easiest ways to do this is to ensure that your attack protection with Auth0 is configured correctly, so take a moment to read the guidance on this subject and ensure that it's working correctly for you.

Best Practice

Anomaly detection is handled behind the scenes by Auth0 and provides a great security feature for your product. If you're going to utilize it, ensure that you have set up your Email Provider and configured your Email Templates before turning on email delivery to your users.

Project Planning Guide

We provide planning guidance in PDF format that you can download and refer to for details about our recommended strategies.

B2C IAM Project Planning Guide