Configure Single Sign On (SSO)


This tutorial covers configuring Single Sign On (SSO).

For information on SSO Integrations, check out the Single Sign On Integrations page.

1. Configure the connection

Before enabling SSO on an application, create and configure a Connection for each Identity Provider you want to use.

For Social Identity Providers, make sure the Connection is not using developer keys.

2. Configure SSO

Auth0 maintains an SSO session for any user authenticating via that Application. Auth0 maintains two pieces of information:

Setting Description
Inactivity timeout The maximum length of time that can elapse without user activity before the user is asked to log in again. This setting cannot exceed 3 days!
Require log in after The length of time that elapses before Auth0 forces the user to log in again (regardless of activity)

To configure the SSO Cookie Timeout setting, navigate to Dashboard > Tenant Settings > Advanced.

Please note that any time a user performs a new standard login resets the SSO session.

Addendum: SSO Configuration for Legacy Tenants

In addition to the settings available under tenant settings, legacy tenants may see slightly different options available for SSO under Dashboard > Tenant Settings > Advanced.

While all new Auth0 tenants come with seamless SSO enabled, legacy tenants may choose whether to enable this feature.

If you do not choose to Enable Seamless SSO, you have an additional setting available to you under Application Settings.

To see this, navigate to the Applications section of the Dashboard. Click on Settings (represented by the gear icon) for the Application with which you're working. Scroll to the bottom of the page and click Show Advanced Settings.

You have the option to enable or disable the Use Auth0 instead of the IdP to do Single Sign On feature.

3. Check the user's SSO status from the application

Whenever you need to determine the user's SSO status, you'll need to check the following:

  • The Auth0 accessToken, which is used to access the desired resource
  • The expirationDate on the accessToken, which is calculated using the expires_in response parameter after successful authentication on the part of the user

If you don't have a valid accessToken, the user is not logged in. However, they may be logged in via SSO to another associated application. You can determine if this is the case or not by calling the checkSession method of the auth0.js SDK, which will attempt to silently authenticate the user within an iframe. Whether the authentication is successful or not indicates whether the user has an active SSO cookie.

For more detailed information on how to implement this, please refer to Client-Side SSO (Single Page Apps).

The Auth0 OIDC SSO Sample repo is an example of how to implement OIDC-compliant SSO.