Create a SAMLP Identity Provider Connection

Auth0 allows you to create SAMLP Identity Provider connections using either the Management Dashboard or API.

Obtain IdP Signing Certificates

When you're setting up a SAMLP Connection, Auth0 acts as the service provider. As such, you will need to retrieve and provide to Auth0 an X509 signing certificate from the SAML IDP in PEM or CER format. The methods for retrieving this certificate vary, so please see your identity provider for additonal assistance if necessary.

Convert the Signing Certificate to Base64

Prior to uploading the X509 signing certificate to Auth0, you'll need to convert the file to Base64. You can use a simple online tool like this one, or you can run the following in Bash: cat signing-cert.crt | base64

Create a Connection Using the Management Dashboard

Log into the Management Dashboard, and navigate to Connections > Enterprise.

Scroll down to the row for SAMLP Identity Provider and click Add New (which is represented by the plus symbol). You'll see the Settings page for your new Connection.

Provide the following information for your new Connection:

  • Connection Name: The logical identifier for your Connection
  • Email Domains (optional): A comma-separated list of domains for use with Lock
  • Sign In URL: The SAML single login URL
  • X509 Signing Certificate: The signing certificate (encoded in PEM or CER) provided by the identity provider
  • Sign Out URL (optional): The SAML single logout URL
  • User ID Attribute (optional): The attribute in the SAML token that maps to the Auth0 user_id property
  • Debug Mode: Toggle this to enable/disable verbose logging during the authentication process
  • Sign Request: Toggle this to enable/disable signing of the authentication request (be sure to download and provide the accompanying certificate so the identity provider can validate the assertion's signature)
  • Sign Request Algorithm: The algorithm you want Auth0 to use to sign the SAML assertions
  • Sign Request Digest Algorithm: The algorithm you want to use for the sign request digest
  • Protocol Binding: The HTTP binding supported by the identity provider
  • Request Template (optional): The template that formats the SAML request

Click Save to persist your changes.

You will then see a pop-up window with the next steps you need to take.

If you do not have the appropriate administrative permissions to complete the integration, you will see a URL to provide to someone who does. If you do, click Continue to see the instructions on how to configure the identity provider you want to use with this integration. You will also be provided the custom parameters needed to integrate your Auth0 tenant with the identity provider.

Create a Connection Using the Management API

Instead of using the Management Dashboard, you can use the Management API to create your SAMLP Connection. You'll need to make the appropriate POST call to the post_connections endpoint.

{
  "strategy": "samlp",
  "name": "CONNECTION_NAME",
  "options": {
    "signInEndpoint": "SIGN_IN_ENDPOINT_URL",
    "signOutEndpoint": "SIGN_OUT_ENDPOINT_URL",
    "signatureAlgorithm": "rsa-sha256",
    "digestAlgorithm": "sha256",
    "fieldsMap": {
     ...
    },
    "signingCert": "BASE64_SIGNING_CERT"
  }
}

Here's how you might include the call within your application's code:


curl --request POST \
  --url 'https://YOUR_AUTH0_DOMAIN/api/v2/connections' \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
  --data '{ "strategy": "samlp", "name": "CONNECTION_NAME", "options": { "signInEndpoint": "SIGN_IN_ENDPOINT_URL", "signOutEndpoint": "SIGN_OUT_ENDPOINT_URL", "signatureAlgorithm": "rsa-sha256", "digestAlgorithm": "sha256", "fieldsMap": {}, "signingCert": "BASE64_SIGNING_CERT" } }'
var client = new RestClient("https://YOUR_AUTH0_DOMAIN/api/v2/connections");
var request = new RestRequest(Method.POST);
request.AddHeader("authorization", "Bearer MGMT_API_ACCESS_TOKEN");
request.AddParameter("undefined", "{ \"strategy\": \"samlp\", \"name\": \"CONNECTION_NAME\", \"options\": { \"signInEndpoint\": \"SIGN_IN_ENDPOINT_URL\", \"signOutEndpoint\": \"SIGN_OUT_ENDPOINT_URL\", \"signatureAlgorithm\": \"rsa-sha256\", \"digestAlgorithm\": \"sha256\", \"fieldsMap\": {}, \"signingCert\": \"BASE64_SIGNING_CERT\" } }", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
package main

import (
	"fmt"
	"strings"
	"net/http"
	"io/ioutil"
)

func main() {

	url := "https://YOUR_AUTH0_DOMAIN/api/v2/connections"

	payload := strings.NewReader("{ \"strategy\": \"samlp\", \"name\": \"CONNECTION_NAME\", \"options\": { \"signInEndpoint\": \"SIGN_IN_ENDPOINT_URL\", \"signOutEndpoint\": \"SIGN_OUT_ENDPOINT_URL\", \"signatureAlgorithm\": \"rsa-sha256\", \"digestAlgorithm\": \"sha256\", \"fieldsMap\": {}, \"signingCert\": \"BASE64_SIGNING_CERT\" } }")

	req, _ := http.NewRequest("POST", url, payload)

	req.Header.Add("authorization", "Bearer MGMT_API_ACCESS_TOKEN")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)

	fmt.Println(res)
	fmt.Println(string(body))

}
HttpResponse<String> response = Unirest.post("https://YOUR_AUTH0_DOMAIN/api/v2/connections")
  .header("authorization", "Bearer MGMT_API_ACCESS_TOKEN")
  .body("{ \"strategy\": \"samlp\", \"name\": \"CONNECTION_NAME\", \"options\": { \"signInEndpoint\": \"SIGN_IN_ENDPOINT_URL\", \"signOutEndpoint\": \"SIGN_OUT_ENDPOINT_URL\", \"signatureAlgorithm\": \"rsa-sha256\", \"digestAlgorithm\": \"sha256\", \"fieldsMap\": {}, \"signingCert\": \"BASE64_SIGNING_CERT\" } }")
  .asString();
var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://YOUR_AUTH0_DOMAIN/api/v2/connections",
  "method": "POST",
  "headers": {
    "authorization": "Bearer MGMT_API_ACCESS_TOKEN"
  },
  "processData": false,
  "data": "{ \"strategy\": \"samlp\", \"name\": \"CONNECTION_NAME\", \"options\": { \"signInEndpoint\": \"SIGN_IN_ENDPOINT_URL\", \"signOutEndpoint\": \"SIGN_OUT_ENDPOINT_URL\", \"signatureAlgorithm\": \"rsa-sha256\", \"digestAlgorithm\": \"sha256\", \"fieldsMap\": {}, \"signingCert\": \"BASE64_SIGNING_CERT\" } }"
}

$.ajax(settings).done(function (response) {
  console.log(response);
});
var request = require("request");

var options = { method: 'POST',
  url: 'https://YOUR_AUTH0_DOMAIN/api/v2/connections',
  headers: { authorization: 'Bearer MGMT_API_ACCESS_TOKEN' },
  body: 
   { strategy: 'samlp',
     name: 'CONNECTION_NAME',
     options: 
      { signInEndpoint: 'SIGN_IN_ENDPOINT_URL',
        signOutEndpoint: 'SIGN_OUT_ENDPOINT_URL',
        signatureAlgorithm: 'rsa-sha256',
        digestAlgorithm: 'sha256',
        fieldsMap: {},
        signingCert: 'BASE64_SIGNING_CERT' } },
  json: true };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});
#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"authorization": @"Bearer MGMT_API_ACCESS_TOKEN" };
NSDictionary *parameters = @{ @"strategy": @"samlp",
                              @"name": @"CONNECTION_NAME",
                              @"options": @{ @"signInEndpoint": @"SIGN_IN_ENDPOINT_URL", @"signOutEndpoint": @"SIGN_OUT_ENDPOINT_URL", @"signatureAlgorithm": @"rsa-sha256", @"digestAlgorithm": @"sha256", @"fieldsMap": @{  }, @"signingCert": @"BASE64_SIGNING_CERT" } };

NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil];

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_AUTH0_DOMAIN/api/v2/connections"]
                                                       cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                   timeoutInterval:10.0];
[request setHTTPMethod:@"POST"];
[request setAllHTTPHeaderFields:headers];
[request setHTTPBody:postData];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
                                                }
                                            }];
[dataTask resume];
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://YOUR_AUTH0_DOMAIN/api/v2/connections",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => "{ \"strategy\": \"samlp\", \"name\": \"CONNECTION_NAME\", \"options\": { \"signInEndpoint\": \"SIGN_IN_ENDPOINT_URL\", \"signOutEndpoint\": \"SIGN_OUT_ENDPOINT_URL\", \"signatureAlgorithm\": \"rsa-sha256\", \"digestAlgorithm\": \"sha256\", \"fieldsMap\": {}, \"signingCert\": \"BASE64_SIGNING_CERT\" } }",
  CURLOPT_HTTPHEADER => array(
    "authorization: Bearer MGMT_API_ACCESS_TOKEN"
  ),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}
import http.client

conn = http.client.HTTPSConnection("")

payload = "{ \"strategy\": \"samlp\", \"name\": \"CONNECTION_NAME\", \"options\": { \"signInEndpoint\": \"SIGN_IN_ENDPOINT_URL\", \"signOutEndpoint\": \"SIGN_OUT_ENDPOINT_URL\", \"signatureAlgorithm\": \"rsa-sha256\", \"digestAlgorithm\": \"sha256\", \"fieldsMap\": {}, \"signingCert\": \"BASE64_SIGNING_CERT\" } }"

headers = { 'authorization': "Bearer MGMT_API_ACCESS_TOKEN" }

conn.request("POST", "/YOUR_AUTH0_DOMAIN/api/v2/connections", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
require 'uri'
require 'net/http'

url = URI("https://YOUR_AUTH0_DOMAIN/api/v2/connections")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request = Net::HTTP::Post.new(url)
request["authorization"] = 'Bearer MGMT_API_ACCESS_TOKEN'
request.body = "{ \"strategy\": \"samlp\", \"name\": \"CONNECTION_NAME\", \"options\": { \"signInEndpoint\": \"SIGN_IN_ENDPOINT_URL\", \"signOutEndpoint\": \"SIGN_OUT_ENDPOINT_URL\", \"signatureAlgorithm\": \"rsa-sha256\", \"digestAlgorithm\": \"sha256\", \"fieldsMap\": {}, \"signingCert\": \"BASE64_SIGNING_CERT\" } }"

response = http.request(request)
puts response.read_body
import Foundation

let headers = ["authorization": "Bearer MGMT_API_ACCESS_TOKEN"]
let parameters = [
  "strategy": "samlp",
  "name": "CONNECTION_NAME",
  "options": [
    "signInEndpoint": "SIGN_IN_ENDPOINT_URL",
    "signOutEndpoint": "SIGN_OUT_ENDPOINT_URL",
    "signatureAlgorithm": "rsa-sha256",
    "digestAlgorithm": "sha256",
    "fieldsMap": [],
    "signingCert": "BASE64_SIGNING_CERT"
  ]
]

let postData = NSJSONSerialization.dataWithJSONObject(parameters, options: nil, error: nil)

var request = NSMutableURLRequest(URL: NSURL(string: "https://YOUR_AUTH0_DOMAIN/api/v2/connections")!,
                                        cachePolicy: .UseProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.HTTPMethod = "POST"
request.allHTTPHeaderFields = headers
request.HTTPBody = postData

let session = NSURLSession.sharedSession()
let dataTask = session.dataTaskWithRequest(request, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    println(error)
  } else {
    let httpResponse = response as? NSHTTPURLResponse
    println(httpResponse)
  }
})

dataTask.resume()

Enable the Connection for Your Auth0 Application

To use your newly-created Connection, you'll need to enable it for your Auth0 Application(s).

  1. Go to the Applications page of the Management Dashboard.
  2. Select the Application for which you want to enable the Connection.
  3. Click the Connections icon for your Application.
  4. Scroll down to the Enterprise section of the Connections page, and your Connection. Click the slider to enable the Connection. If successful, the slide turns green.