Most options are the default values. You will just need to press Next in most screens. If metadata import fails for some reason, keep these values at hand. These are the most important configuration parameters:

  • Assertion Consumer Service URL: https://YOUR_AUTH0_DOMAIN/login/callback
  • Logout URL: https://YOUR_AUTH0_DOMAIN/logout
  • HTTP-Redirect binding for SAML Request
  • HTTP-POST binding for SAML Response

If you want IdP-Initiated SSO make sure to include the connection parameter in the Assertion Consumer Service URL: https://YOUR_AUTH0_DOMAIN/login/callback?connection=YOUR_CONNECTION_NAME.

Beginning with auth0.js v9.3.4, you must also enable the impersonation flags to use IdP-initiated login.

Impersonation has been deprecated and will not be enabled for customers any longer. The functionality will continue to work for the customers that have it already enabled. If this changes customers will be notified beforehand and given ample time to migrate.

1. Download Auth0 Metadata File

Download the metadata file from here. This will be used in step 3 and it is used to automatically import information about your partner.

2. Create a new SP Connection

Login to PingFederate as an administrator (the URL would be something like https://{your ping server}:{port}/pingfederate/app). Select Create New from the SP Connections section on the left:

3. Configure the SP Connection

Select the Browser SSO Profles as the Connection Type:

Select Browser SSO as the Connection Options:

Upload the metadata file you downloaded in step 1. The Entity ID, Connection Name and the Base URL will be automatically completed based on the information from the metadata file. You can also complete other relevant information from your partner:

4. Configure Browser SSO

Select SP-Initiated SSO and SP-Initiated SLO in SAML Profiles:

Move on to the Assertion Creation section and click on Configure Assertion:

You can leave all defaults for the next two screens. Move on to the IdP Adapter Mapping section:

The last step is to add an IdP Adapter Mapping. This is where users will actually be authenticated. Likely, you already have one configured in your PingFederate installation. Select one, or add a new one.

In principle, Auth0 only requires the NameIdentifier claim. All other attributes will be passed further to the end application.

In this example, we are just using the username from a simple HTML IdP Adapter. No Issuance Criteria are being used.

5. Configure Protocol Settings

All important values for Protocol Settings are imported from the Metadata File. You should see the Assertion Consumer Service URL:

And the Sign-Out URLs. Just click Next to the Allowable SAML Bindings section.

Leave POST and Redirect enabled:

Make sure SAML Assertion is always signed and move on to the end of this section.

6. Configure Credentials

This is the last step for configuring Browser SSO. On Digital Signature Settings, select your signing certificate and make sure you check the option to include it in the <KeyInfo> element:

The last two options to configure are the certificate used to sign incoming requests. Auth0 will not sign SAMLRequests by default. For some reason, there's no way around this setting. Download the Auth0 certificate and upload it here.

7. Activation of the SP Connection

In the last step, you'll see the summary of all your previous settings and an option to set is as Active or Inactive:

In any case, make sure your click the button Save at the bottom of the screen.

You are done! You should see the new SP Connection on the Main screen: