Common settings:

These are the parameters used to configure a SAML Identity Provider:

  • The post-back URL (also called Assertion Consumer Service URL) is: https://YOUR_DOMAIN/login/callback?connection=YOUR_CONNECTION_NAME
  • The Entity ID of the Service Provider is: urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME (default value). Use connection.options.entityId if available. You can obtain this value using the Get a connection by its id APIv2 endpoint:

You need to replace the ACCESS_TOKEN header value with a Management APIv2 token. For information on how to do that, see Access Tokens for the Management API.

  • The SAML Request Binding (also called the Protocol Binding): sent to the IdP from Auth0. If possible, dynamically set the value based on connection.options.protocolBinding:

| connection.options.protocolBinding value | SAML Request Binding value |
| --- | --- |
| Empty value ("") or not present | HTTP-Redirect |
| urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | HTTP-Redirect |
| urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | HTTP-POST |

If dynamically setting the value isn't possible, set it to either HTTP-Redirect (default) or HTTP-POST if you selected this option in Protocol Binding.

  • The SAML Response Binding (how the SAML token is received by Auth0 from the IdP): set as HTTP-POST
  • The NameID format: unspecified
  • The SAML assertion and the SAML response can be signed individually or simultaneously.
  • The SingleLogout service URL, where the SAML Identity Provider will send logout requests and responses, is: https://YOUR_DOMAIN/logout. SAML logout requests must be signed by the Identity Provider.
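
The settings above can be derived from a connection object such as the one returned by the Get a connection by its id endpoint. The following is an added example, not Auth0's own code: the function name `idp_settings`, its result keys and the sample connection objects are assumptions made for illustration.

```python
# Added example: derive the values to enter at the SAML IdP from an Auth0
# connection object. Helper name and sample data are illustrative assumptions.
from urllib.parse import quote

REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# protocolBinding value -> SAML Request Binding, as in the table above.
BINDINGS = {"": "HTTP-Redirect", REDIRECT: "HTTP-Redirect", POST: "HTTP-POST"}


def idp_settings(domain, tenant, connection):
    """Return the IdP-side settings for one SAML connection."""
    name = connection["name"]
    options = connection.get("options") or {}
    binding = options.get("protocolBinding") or ""  # missing counts as empty
    if binding not in BINDINGS:
        # Fail closed rather than silently falling back to the default binding.
        raise ValueError(f"unexpected protocolBinding: {binding!r}")
    return {
        "acs_url": f"https://{domain}/login/callback?connection={quote(name, safe='')}",
        # Prefer connection.options.entityId; otherwise use the default URN.
        "entity_id": options.get("entityId") or f"urn:auth0:{tenant}:{name}",
        "request_binding": BINDINGS[binding],
        "response_binding": "HTTP-POST",
        "nameid_format": "unspecified",
        "slo_url": f"https://{domain}/logout",
    }


# Constructed sample connections (not real tenant data).
DEFAULTS = {"name": "corp-saml", "options": {}}
CUSTOM = {
    "name": "corp-saml",
    "options": {"entityId": "urn:example:sp", "protocolBinding": POST},
}

if __name__ == "__main__":
    for conn in (DEFAULTS, CUSTOM):
        for key, value in idp_settings("YOUR_DOMAIN", "YOUR_TENANT", conn).items():
            print(f"{key:17} {value}")
        print()
```

A mismatch between these values and what the IdP has configured (especially the Entity ID and the post-back URL) is a common reason for rejected responses, so generate them from the connection rather than typing them by hand.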

Encrypted Assertions:

Optionally, assertions can be encrypted. Use this public key to configure the IdP: CER | PEM | PKCS#7

IdP-Initiated SSO

Click here to learn more about IdP-Initiated SSO


Some SAML Identity Providers can accept importing metadata directly with all the required information. You can access the metadata for your connection in Auth0 here: