SAML-based federation involves two parties:
- An identity provider (IdP): authenticates users and, on success, issues an authentication assertion to the service provider;
- A service provider (SP): relies on the identity provider to authenticate its users.
Auth0 supports the SAML protocol and can serve as the identity provider, the service provider, or both.
SAML Identity Providers
Some applications (such as Salesforce, Box, and Workday) allow users to authenticate against an external IdP using the SAML protocol. You can then integrate the application with Auth0, which serves as the application's SAML IdP.
Application users will be redirected to Auth0 to log in, and Auth0 can authenticate them using any backend authentication connection, such as an LDAP directory, a database, or another SAML IdP or Social Provider.
Once the user is authenticated, Auth0 returns a SAML assertion to the application indicating that authentication succeeded.
SAML Service Providers
Applications, especially custom ones, often authenticate users against an external IdP using protocols such as OpenID Connect (OIDC) or OAuth 2.0. However, you might want to leverage an enterprise SAML provider for authentication even if your application was written to use one of those protocols; in that case Auth0 acts as the SAML service provider on the application's behalf.
Auth0 as Both SAML Service Provider and Identity Provider
You may opt to use Auth0 as both the SAML Service Provider and SAML Identity Provider.
The following documentation covers the different aspects of SAML configuration:
- Configure Auth0 as a Service Provider
- Configure Auth0 as an Identity Provider
- Configure Auth0 as Both Service and Identity Provider
- SAML Design Considerations
- Supported SAML Options and Bindings
- Special Configuration Scenarios
- Customize SAML Assertions
- Select Between Multiple Identity Providers
- Deprovision Users