Most options are the default values. You will just need to press Next in most screens. If metadata import fails for some reason, keep these values at hand. These are the most important configuration parameters:

  • Assertion Consumer Service URL: https://YOUR_DOMAIN/login/callback
  • Logout URL: https://YOUR_DOMAIN/logout
  • HTTP-Redirect binding for SAML Request
  • HTTP-POST binding for SAML Response

If you want IdP-Initiated SSO make sure to include the connection parameter in the Assertion Consumer Service URL: https://YOUR_DOMAIN/login/callback?connection=YOUR_CONNECTION_NAME.

1. Download Auth0 Metadata File

The following download will work only if you are logged in to Auth0. You may also need to manually provide the name of the connection in the URL.

Download the metadata file. You will use it in step 3 to automatically import information about your partner.

2. Create a new SP Connection

Log in to PingFederate as an administrator (the URL will look something like https://{your ping server}:{port}/pingfederate/app). Select Create New from the SP Connections section on the left:

3. Configure the SP Connection

Select the Browser SSO Profiles as the Connection Type:

Select Browser SSO as the Connection Options:

Upload the metadata file you downloaded in step 1. The Entity ID, Connection Name and the Base URL will be automatically completed based on the information from the metadata file. You can also complete other relevant information from your partner:

4. Configure Browser SSO

Select SP-Initiated SSO and SP-Initiated SLO in SAML Profiles:

Move on to the Assertion Creation section and click on Configure Assertion:

You can leave all defaults for the next two screens. Move on to the IdP Adapter Mapping section:

The last step is to add an IdP Adapter Mapping. This is where users will actually be authenticated. Likely, you already have one configured in your PingFederate installation. Select one, or add a new one.

In principle, Auth0 only requires the NameIdentifier claim. All other attributes will be passed further to the end application.

In this example, we are just using the username from a simple HTML IdP Adapter. No Issuance Criteria are being used.

5. Configure Protocol Settings

All important values for Protocol Settings are imported from the Metadata File. You should see the Assertion Consumer Service URL:

And the Sign-Out URLs. Just click Next to reach the Allowable SAML Bindings section.

Leave POST and Redirect enabled:

Make sure SAML Assertion is always signed and move on to the end of this section.

6. Configure Credentials

This is the last step for configuring Browser SSO. On Digital Signature Settings, select your signing certificate and make sure you check the option to include it in the <KeyInfo> element:

The last two options to configure concern the certificate used to sign incoming requests. Auth0 will not sign SAMLRequests by default. For some reason, there's no way around this setting. Download the Auth0 certificate and upload it here.
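If the metadata import in step 3 fails, or you want to confirm before steps 5 and 6 that the file carries the endpoints, bindings and signing flags this guide expects, the following added script (not part of the original guide or of Auth0's or Ping's tooling) parses an SP metadata document and flags mismatches. The embedded metadata is a constructed sample; YOUR_DOMAIN, YOUR_TENANT and the entityID format are placeholders, not values taken from a real tenant.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BIND_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BIND_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata mirroring the parameters listed at the top of the
# guide (placeholders, not a real tenant). AuthnRequestsSigned="false" matches
# the note that Auth0 does not sign SAMLRequests by default.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://YOUR_DOMAIN/logout"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://YOUR_DOMAIN/login/callback" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract what PingFederate fills in from the file (entity ID, ACS and
    SLO endpoints per binding) plus the two signing flags from steps 5 and 6."""
    root = ET.fromstring(xml_text)
    spsso = root.find("md:SPSSODescriptor", NS)

    def endpoints(tag, binding):  # Locations advertised for one binding
        return [e.get("Location") for e in spsso.findall(tag, NS)
                if e.get("Binding") == binding]

    return {
        "entity_id": root.get("entityID"),
        "acs_post": endpoints("md:AssertionConsumerService", BIND_POST),
        "slo_redirect": endpoints("md:SingleLogoutService", BIND_REDIRECT),
        "want_assertions_signed": spsso.get("WantAssertionsSigned", "false") == "true",
        "authn_requests_signed": spsso.get("AuthnRequestsSigned", "false") == "true",
    }


def check_for_pingfederate(info):
    """Return a list of problems; empty means the file matches this guide."""
    problems = []
    if not info["acs_post"]:
        problems.append("no HTTP-POST AssertionConsumerService for the SAML Response")
    if not info["slo_redirect"]:
        problems.append("no HTTP-Redirect SingleLogoutService for SP-initiated SLO")
    if not info["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is not true; assertions must always be signed")
    if any(not u.startswith("https://") for u in info["acs_post"] + info["slo_redirect"]):
        problems.append("a SAML endpoint is not served over HTTPS")
    return problems
```

Run `check_for_pingfederate(parse_sp_metadata(open("metadata.xml").read()))` against the downloaded file; an empty list means the values match what steps 5 and 6 expect.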

7. Activation of the SP Connection

In the last step, you'll see the summary of all your previous settings and an option to set it as Active or Inactive:

In any case, make sure you click the Save button at the bottom of the screen.

You are done! You should see the new SP Connection on the Main screen: