SAML Identity Provider Configuration Settings

Common settings

These are the settings used to configure a SAML identity provider (IdP).

post-back URL

Also called Assertion Consumer Service URL is:

https://YOUR_DOMAIN/login/callback?connection=YOUR_CONNECTION_NAME

Entity ID

The ID of the service provider is:

urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME

Use connection.options.entityId if available. To learn more, read Specify a Custom Entity ID.

You can obtain this value using the Get a Connection endpoint:


curl --request GET \
  --url 'https://YOUR_DOMAIN/api/v2/connections/CONNECTION_ID' \
  --header 'authorization: Bearer ACCESS_TOKEN'
var client = new RestClient("https://YOUR_DOMAIN/api/v2/connections/CONNECTION_ID");
var request = new RestRequest(Method.GET);
request.AddHeader("authorization", "Bearer ACCESS_TOKEN");
IRestResponse response = client.Execute(request);
package main

import (
	"fmt"
	"net/http"
	"io/ioutil"
)

func main() {

	url := "https://YOUR_DOMAIN/api/v2/connections/CONNECTION_ID"

	req, _ := http.NewRequest("GET", url, nil)

	req.Header.Add("authorization", "Bearer ACCESS_TOKEN")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)

	fmt.Println(res)
	fmt.Println(string(body))

}
HttpResponse<String> response = Unirest.get("https://YOUR_DOMAIN/api/v2/connections/CONNECTION_ID")
  .header("authorization", "Bearer ACCESS_TOKEN")
  .asString();
var axios = require("axios").default;

var options = {
  method: 'GET',
  url: 'https://YOUR_DOMAIN/api/v2/connections/CONNECTION_ID',
  headers: {authorization: 'Bearer ACCESS_TOKEN'}
};

axios.request(options).then(function (response) {
  console.log(response.data);
}).catch(function (error) {
  console.error(error);
});
#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"authorization": @"Bearer ACCESS_TOKEN" };

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_DOMAIN/api/v2/connections/CONNECTION_ID"]
                                                       cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                   timeoutInterval:10.0];
[request setHTTPMethod:@"GET"];
[request setAllHTTPHeaderFields:headers];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
                                                }
                                            }];
[dataTask resume];
$curl = curl_init();

curl_setopt_array($curl, [
  CURLOPT_URL => "https://YOUR_DOMAIN/api/v2/connections/CONNECTION_ID",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "GET",
  CURLOPT_HTTPHEADER => [
    "authorization: Bearer ACCESS_TOKEN"
  ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}
import http.client

conn = http.client.HTTPSConnection("")

headers = { 'authorization': "Bearer ACCESS_TOKEN" }

conn.request("GET", "/YOUR_DOMAIN/api/v2/connections/CONNECTION_ID", headers=headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://YOUR_DOMAIN/api/v2/connections/CONNECTION_ID")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request = Net::HTTP::Get.new(url)
request["authorization"] = 'Bearer ACCESS_TOKEN'

response = http.request(request)
puts response.read_body
import Foundation

let headers = ["authorization": "Bearer ACCESS_TOKEN"]

let request = NSMutableURLRequest(url: NSURL(string: "https://YOUR_DOMAIN/api/v2/connections/CONNECTION_ID")! as URL,
                                        cachePolicy: .useProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.httpMethod = "GET"
request.allHTTPHeaderFields = headers

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    print(error)
  } else {
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse)
  }
})

dataTask.resume()

Replace the ACCESS_TOKEN header value, with a Management APIv2 access token.

SAML Request Binding

Also called the Protocol Binding, is sent to the IdP from Auth0. If possible, dynamically set the value based on connection.options.protocolBinding:

connection.options.protocolBinding value SAML Request Binding value
Empty value ("") or not present HTTP-Redirect
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect HTTP-Redirect
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST HTTP-POST

If dynamically setting the value isn't possible, then set as either HTTP-Redirect (default) or HTTP-Post if you selected this option in Protocol Binding.

SAML Response Binding

How the SAML token is received by Auth0 from IdP, set as HTTP-Post.

NameID format

Unspecified.

SAML assertion and response

The SAML assertion, and the SAML response can be individually or simultaneously signed.

SingleLogout service URL

This is where the SAML identity provider will send logout requests and responses:

https://YOUR_DOMAIN/logout

SAML logout requests must be signed by the identity provider.

Signed assertions

Use the following links to obtain the public key in different formats:

Download the certificate in the format requested by the IdP.

IdP-initiated Single Sign-on

To learn about IdP-initiated SSO, read Configure SAML IdP-Initiated Single Sign-On.

Metadata

Some SAML identity providers can accept importing metadata directly with all the required information. You can access the metadata for your connection in Auth0 here:

https://YOUR_DOMAIN/samlp/metadata?connection=YOUR_CONNECTION_NAME

Learn more