Configure Auth0 as SAML Identity Provider

You can use Auth0 as the identity provider in SAML configurations with SAML 2.0.

Go to Auth0 Dashboard > Applications > SSO Integrations, and select Create SSO Integration.
Choose an SSO identity provider integration, and consent.
Enter a name for your new integration, and select Create.

On the Tutorial view, you will see additional configuration instructions that are specific to the integration you have chosen.

Some of the following integrations make use of the SAML2 Web App addon.

Go to Auth0 Dashboard > Applications > Applications, and select the name of the application to view.
Select the Addons view.
Select SAML2 Web App to view its options. You will see a screen asking you to provide additional configuration information; additional details about the fields and their expected value types are also listed.
Configure the SAML addon, using the instructions on its options screen along with the information available on your configured SSO Integration's Tutorial view.
When done, select Save.

The following instructions explain how to configure Auth0 to serve as an identity provider in a SAML federation.

Get the URL to which the SAML Authentication Assertion should be sent from the service provider. This may be called Assertion Consumer Service URL, the Post-back URL, or Callback URL.

Go to Auth0 Dashboard > Applications > Applications, and select Create Application.
Enter a name for your application (for example, MySAMLApp), select the application type, and select Save.
Scroll to the bottom of the Settings page, and select Show Advanced Settings.
Select the Certificates view, select Download Certificates, and choose PEM format. The certificate will be downloaded to a file called YOUR_TENANT.pem. Save this file; you will need to upload it when you configure the service provider.
Select the Endpoints view, locate SAML Protocol URL, and copy and save it; you will need to provide it to the service provider.
Scroll to the top of the Settings page, and select the Addons view.
Select SAML2 Web App to view its options.
Locate Application Callback URL, and enter the URL of the service provider (or application) to which the SAML assertions should be sent after Auth0 has authenticated the user. This is the Assertion Consumer Service (ACS) URL.
If your service provider is sending multiple ACS URLs in the SAML request, you will need to add them to the allow list by navigating to your Application's Settings view, locating Allowed Callback URLs, and adding them.
Select the SAML Addon's Usage view, which will provide you with the information needed to configure the service provider application.

Add information to the service provider, so it knows how to send SAML-based authentication requests to Auth0. The instructions provided here are generic. You will need to find the appropriate screens and fields on the service provider.

If the service provider supports uploading a metadata file, provide the metadata URL obtained on the SAML Addon's Usage view, above.
If the service provider does not support uploading a metadata file, configure settings manually, using the information from the SAML Addon's Usage view.
- For a Login URL, use the Identity Provider Login URL, which is the URL to which the service provider should send its SAML Authentication Requests.
- If you have a custom domain, use the custom-domain-based URL rather than your Auth0 domain. Instead of using a URL in this format: https://[YOUR TENANT].auth0.com/samlp/CLIENTID?connection=Username-Password-Authentication You will want to use one in this format: https://[YOUR CUSTOM DOMAIN]/samlp/CLIENTID?connection=Username-Password-Authentication.
- If the service provider also has a field for a Logout URL, enter the Identity Provider Login URL again; both login and logout are handled by the same URL.
Download the certificate from the SAML Addon's Usage view and provide it to the service provider. This certificate will be used to validate the signature of the SAML Authentication Assertions sent from Auth0 to the service provider. If the service provider asks for an Issuer, this can also be obtained from the SAML Addon's Usage view.

Once you have completed the above configuration, test the login.

If your application doesn't work the first time, clear your browser history and (ideally) cookies each time before you test. Otherwise, the browser may not pick up the latest version of your HTML page, or it may have stale cookies that impact execution.
To help troubleshoot SSO, capture an HTTP trace of the interaction. Many tools will capture the HTTP traffic from your browser for analysis.
- Search the internet for "HTTP Trace" to find and install a tool.
- Capture the login sequence from start to finish and analyze the trace. Track the sequence of GETs to see how far in the expected sequence you get. You should see a redirect from your original site to the SP and then to the IdP, a post of credentials if you had to log in, then a redirect back to the callback URL or the SP, and then a redirect to the callback URL specified in your application.
Make sure that cookies and JavaScript are enabled for your browser.
Use the http://samltool.io tool to decode a SAML assertion.

Docs