SAML Identity Provider Configuration Settings

Common settings

These are the settings used to configure a SAML identity provider (IdP).

post-back URL

When using IdP-Initiated SSO, make sure to include the connection parameter in the post-back URL: 

https://{yourDomain}/login/callback?connection={yourConnectionName}

Was this helpful?

/

If you are using the Organizations feature, you can optionally include an organization parameter containing the organization ID of the desired organization:

https://{yourDomain}/login/callback?connection={yourConnectionName}&organization={yourCustomersOrganizationId}

Was this helpful?

/

Entity ID

The ID of the service provider is:

urn:auth0:{yourTenant}:{yourConnectionName}

Was this helpful?

/

You can create a custom Entity ID using the property connection.options.entityId. To learn more, read Specify a Custom Entity ID.

You can obtain the custom Entity ID value using the Get a Connection endpoint: 




  


  
  
curl --request GET \
  --url 'https://{yourDomain}/api/v2/connections/%7ByourConnectionID%7D' \
  --header 'authorization: Bearer {yourAccessToken}'
Was this helpful?
/
var client = new RestClient("https://{yourDomain}/api/v2/connections/%7ByourConnectionID%7D");
var request = new RestRequest(Method.GET);
request.AddHeader("authorization", "Bearer {yourAccessToken}");
IRestResponse response = client.Execute(request);
Was this helpful?
/
package main

import (
	"fmt"
	"net/http"
	"io/ioutil"
)

func main() {

	url := "https://{yourDomain}/api/v2/connections/%7ByourConnectionID%7D"

	req, _ := http.NewRequest("GET", url, nil)

	req.Header.Add("authorization", "Bearer {yourAccessToken}")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)

	fmt.Println(res)
	fmt.Println(string(body))

}
Was this helpful?
/
HttpResponse<String> response = Unirest.get("https://{yourDomain}/api/v2/connections/%7ByourConnectionID%7D")
  .header("authorization", "Bearer {yourAccessToken}")
  .asString();
Was this helpful?
/
var axios = require("axios").default;

var options = {
  method: 'GET',
  url: 'https://{yourDomain}/api/v2/connections/%7ByourConnectionID%7D',
  headers: {authorization: 'Bearer {yourAccessToken}'}
};

axios.request(options).then(function (response) {
  console.log(response.data);
}).catch(function (error) {
  console.error(error);
});
Was this helpful?
/
#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"authorization": @"Bearer {yourAccessToken}" };

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/connections/%7ByourConnectionID%7D"]
                                                       cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                   timeoutInterval:10.0];
[request setHTTPMethod:@"GET"];
[request setAllHTTPHeaderFields:headers];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
                                                }
                                            }];
[dataTask resume];
Was this helpful?
/
$curl = curl_init();

curl_setopt_array($curl, [
  CURLOPT_URL => "https://{yourDomain}/api/v2/connections/%7ByourConnectionID%7D",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "GET",
  CURLOPT_HTTPHEADER => [
    "authorization: Bearer {yourAccessToken}"
  ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}
Was this helpful?
/
import http.client

conn = http.client.HTTPSConnection("")

headers = { 'authorization': "Bearer {yourAccessToken}" }

conn.request("GET", "/{yourDomain}/api/v2/connections/%7ByourConnectionID%7D", headers=headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
Was this helpful?
/
require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://{yourDomain}/api/v2/connections/%7ByourConnectionID%7D")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request = Net::HTTP::Get.new(url)
request["authorization"] = 'Bearer {yourAccessToken}'

response = http.request(request)
puts response.read_body
Was this helpful?
/
import Foundation

let headers = ["authorization": "Bearer {yourAccessToken}"]

let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/connections/%7ByourConnectionID%7D")! as URL,
                                        cachePolicy: .useProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.httpMethod = "GET"
request.allHTTPHeaderFields = headers

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    print(error)
  } else {
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse)
  }
})

dataTask.resume()
Was this helpful?
/



Replace the ACCESS_TOKEN header value, with a Management APIv2 access token. 
SAML Request Binding
Also called the Protocol Binding, is sent to the IdP from Auth0. If possible, dynamically set the value based on connection.options.protocolBinding: 



connection.options.protocolBinding value
SAML Request Binding value






Empty value ("") or not present
HTTP-Redirect




urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
HTTP-Redirect




urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
HTTP-POST




If dynamically setting the value isn't possible, then set as either HTTP-Redirect (default) or HTTP-Post if you selected this option in Protocol Binding.
SAML Response Binding
How the SAML token is received by Auth0 from IdP, set as HTTP-Post.
NameID format
Unspecified.
SAML assertion and response
The SAML assertion, and the SAML response can be individually or simultaneously signed.
SingleLogout service URL
This is where the SAML identity provider will send logout requests and responses: 
https://{yourDomain}/logout
Was this helpful?
/


SAML logout requests must be signed by the identity provider.
Signed assertions
Use the following links to obtain the public key in different formats:
Download the certificate in the format requested by the IdP.
IdP-initiated Single Sign-on
To learn about IdP-initiated SSO, read Configure SAML IdP-Initiated Single Sign-On. 
Metadata
Some SAML identity providers can accept importing metadata directly with all the required information. You can access the metadata for your connection in Auth0 here:
https://{yourDomain}/samlp/metadata?connection={yourConnectionName}
Was this helpful?
/


Organizations
Use the ACS URL for your organization in the federated IdP to start the Organizations login flow.
https://{yourDomain}/samlp?connection={yourConnectionName}&organization=${yourOrgID}
Was this helpful?
/


Learn more