Custom Domain Migration
Beginning with Private Cloud release 1906, dedicated deployments will include the ability to fully utilize the Auth0 Custom Domains feature.
Existing Private Cloud customers using Custom Domains must complete a migration of their Private Cloud Custom Domains to the Auth0 Custom Domains features. New customers/deployments will automatically use the Auth0 Custom Domains features.
Auth0 added support for custom domains in the Private Cloud platform in January 2016. This implementation allowed Private Cloud administrators to create one or more custom domains per tenant and invoke the Authentication API endpoints using those domains.
In March 2018, Auth0 added support for custom domains for those deploying on the Public Cloud. However, the feature included additional capabilities not included on the Private Cloud implementation. The following table summarizes the differences.
|Feature||New Custom Domains||Legacy Custom Domains|
|Use of custom domain in emails||Yes||No|
|Custom domain protection via API keys||Yes||No|
|Custom domain registration||Yes||Yes|
|Token issuer used as custom domain||Yes||No|
|Use of multiple domains||No||Yes|
- A new DNS domain dedicated to the Custom Domain's origin server hostname. This could be a subdomain of your existing Auth0 Domain (i.e., if your domain name is
*.auth.mydomain.com, the new subdomain would be
- A wildcard public SSL certificate for the new DNS domain.
- A layer 4 network load balancer. This could be the existing one used by your Private Cloud deployment. Please note that if you are using a layer 7 load balancer, you must add a layer 4 load balancer.
- A DNS record pointing to the layer 4 load balancer.
Current Private Cloud customers using the existing Private Cloud Custom Domains functionality must migrate to the Auth0 Custom Domains feature to fully benefit from the features available.
The Custom Domains migration process involves three phases, each of which requires several steps.
Before beginning the migration process, Auth0 will reach out to you to explain the migration process and discuss the following:
The certificate management model you would like to use
Auth0 offers two certificate management models. To simplify the migration process, we suggest using one model for all of your tenants (though you can use a different certificate model for each tenant if necessary).
The type of load balancer you're using (i.e. network (layer 4) or application (layer 7))
If your dedicated deployment is AWS-hosted, we will need to confirm the type of load balanced you're using. If you are using an application load balancer, you will need to provision an additional network load balancer.
Allocating new DNS resources to meet stated requirements (if necessary)
You will need to have ready the edge domain name and accompanying SSL certificate, the CNAME host name, and the email address to be used as the Let's Encrypt contact.
Infrastructure preparation phase
During this stage, you will need to:
- Set up the network load balancer
- Set up your new DNS records
- Validate and verify that your set up is correct
The goal of the migration phase is to create custom domains that have all the new functionality and to update all dependencies to function correctly with your newly-created domain names.
The first step is to create new domains using the Auth0 Custom Domains feature.
Once done, you may have additional configuration steps, depending on the Auth0 features you use.
One you have completed all of the required modifications on your applications, a Managed Services Engineer will assist you in completing the migration process.