Configure Auth0 as SAML Identity Provider
Auth0 only supports using Auth0 as the identity provider in SAML configurations with SAML 2.0.
SSO integrations with built-in Auth0 support
Go to Dashboard > SSO Integrations.
Click Create SSO Integration.
On the New Single Sign-On Integration page, choose SSO identity provider integration.
Provide a name for your new integration.
Click Create to proceed. You will now see additional configuration instructions that are specific to the integration that you have chosen.
Manually configure SSO integration
Go to Dashboard > Applications, find the application you're working with, and click Settings.
On the Addons tab, enable SAML2 Web App. You will see a screen asking you to provide additional configuration information; details on what the fields mean and what the expected value types are located directly on that page. In addition, SAML settings needed for some SSO Integrations provides additional information for integrations that require special settings.
When done, click Save.
The following instructions explain how to configure Auth0 to serve as an identity provider in a SAML federation.
Obtain Information from service provider
Obtain the URL to which the SAML Authentication Assertion should be sent from the service provider. This may be called Assertion Consumer Service URL, the Post-back URL, or Callback URL.
Configure Auth0 as IdP
Register an application in Auth0 using an addon.
Go to Dashboard > Applications.
Click the + CREATE APPLICATION button on the right.
In the Name field, enter a name like MySAMLApp, and select the application type. Click SAVE.
Go back to Dashboard > Applications.
Find the row for the application you just created, and click the Settings icon (the round gear icon) to the right of the application name.
Scroll down and click on Advanced Settings.
In the expanded window, go to the Certificates tab and click DOWNLOAD CERTIFICATES.
In the popup that appears, select PEM to choose a PEM-formatted certificate. The certificate will be downloaded to a file called YOUR_TENANT.pem. Save this file, as you will need to upload it when you configure the service provider.
Select the Endpoints tab and scroll to SAML. Copy the contents of the SAML Protocol URL field and save it, as you will need to provide it to the service provider.
Scroll up and click the Addons tab. Toggle the SAML2 WEB APP on.
In the Application Callback URL field, enter the URL of the service provider (or application) to which the SAML assertions should be sent after Auth0 has authenticated the user. This is the Assertion Consumer Service (ACS) URL. If your service provider is sending multiple ACS URLs in the SAML request, you will need to add them to the allow list by adding them to the Application's Allowed Callback URLs setting in Application Settings.
In the Addon SAML2 Web App popup, click the Usage tab. This tab will provide you with the information needed to configure the service provider application.
Configure service provider
Add information to the service provider so they know how to send SAML-based authentication requests to Auth0. The instructions provided here are generic. You will need to find the appropriate screens and fields on the service provider.
If the service provider supports uploading a metadata file, you can provide the metadata URL obtained in the step above (Applications > Addons > Usage).
If the service provider does not support uploading a metadata file, you can configure it manually using the information from the Auth0 Applications > Addons > Usage screen. The Identity Provider Login URL is the URL to which the service provider should send its SAML Authentication Requests.
If you have a custom domain, use the custom domain based URL rather than your Auth0 domain. Instead of using a URL in this format:
https://[YOUR TENANT].auth0.com/samlp/CLIENTID?connection=Username-Password-Authentication
you will want to use one in this format:
https://[YOUR CUSTOM DOMAIN]/samlp/CLIENTID?connection=Username-Password-Authentication
If the service provider also has a field for a Logout URL, you can enter the same Identity Provider Login URL. Both login and logout are handled by the same URL.
The service provider will need a certificate from Auth0. You can download this certificate from the Applications > Addons > Usage screen. This certificate will be used to validate the signature of the SAML Authentication Assertions sent from Auth0 to the service provider. If the service provider asks for an Issuer, this can also be obtained from the same screen.
Test
Once you have completed the above configuration, test the login.
If the service provider has been configured correctly, it should redirect the user's browser to Auth0 for login. After authenticating the user, Auth0 should redirect the user's browser back to the application.
If your application doesn't work the first time, clear your browser history and ideally cookies each time before you test again. Otherwise, the browser may not be picking up the latest version of your HTML page, or it may have stale cookies that impact execution.
When troubleshooting Single Sign-on (SSO), it is often helpful to capture an HTTP trace of the interaction. There are many tools that will capture the HTTP traffic from your browser for analysis. Search for HTTP Trace to find some. Once you have an HTTP trace tool, capture the login sequence from start to finish and analyze the trace to see the sequence of GETs and how far in the expected sequence you get. You should see a redirect from the service provider to the Identity Provider, a post of credentials if you had to log in, and then a redirect back to the callback URL of the service provider application.
Make sure cookies and JavaScript are enabled for your browser.
The http://samltool.io tool can decode a SAML assertion and is a useful debugging tool.
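The checks behind the Issuer, certificate and callback URL settings in the Configure service provider section, and the assertion decoding mentioned under Test, as an added example that is not Auth0's code: a Python script that decodes a SAMLResponse form value and compares its Issuer, Destination and embedded signing certificate with the values the service provider was configured with. The tenant name, ACS URL, certificate body and response XML are constructed placeholders, and real XML signature verification is left to the service provider's SAML library.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response document.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def pem_body(pem: str) -> str:
    """Strip PEM armour and whitespace so the downloaded certificate can be
    compared with the base64 body embedded in <ds:X509Certificate>."""
    return re.sub(r"-----[A-Z ]+-----|\s+", "", pem)

def inspect_saml_response(saml_response_b64, expected_issuer, expected_acs_url, idp_pem):
    """Decode a SAMLResponse form value and compare Issuer, Destination and the
    embedded signing certificate with the values the SP was configured with.
    This does not verify the XML signature; it only checks the certificate
    is the one downloaded from Auth0 (the SP library does the real check)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    destination = root.get("Destination", "")
    cert = root.findtext(".//ds:X509Certificate", default="", namespaces=NS)
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    return {
        "issuer": issuer, "destination": destination, "name_id": name_id,
        "issuer_ok": issuer == expected_issuer,
        "destination_ok": destination == expected_acs_url,
        "cert_ok": re.sub(r"\s+", "", cert) == pem_body(idp_pem),
    }

# Constructed sample values: placeholder tenant, ACS URL and certificate body.
CERT_B64 = "MIICCONSTRUCTEDCERTBODYPLACEHOLDER=="
IDP_PEM = f"-----BEGIN CERTIFICATE-----\n{CERT_B64}\n-----END CERTIFICATE-----\n"
ACS_URL = "https://sp.example.com/saml/acs"
ISSUER = "urn:example-tenant.auth0.com"
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{ACS_URL}">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()
```

Call inspect_saml_response with a captured SAMLResponse value from your HTTP trace, the Issuer and certificate from the Applications > Addons > Usage screen, and your ACS URL; any False flag points at the setting that does not match.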