This article describes how to configure Auth0 as your workplace's single sign-on identity provider (IdP). This process involves making modifications to your Auth0 environment and your digital workplace. Once complete, users of your digital workplace will be able to sign in to it using their Auth0 credentials.
To follow this process, you must be able to add applications to your Auth0 environment and be a workplace administrator in your digital workplace.
Configuring an Auth0 single sign-on application
Follow these steps to configure a SAML app in your Auth0 environment:
- From your Auth0 dashboard, select the Applications option from the navigation menu.
- While on the Applications page, select + Create Application.
- In the provided Create Application window, enter a name for this new application, select Native as the application type, and then select Create.
- Go to the Addons tab of your application. You can get to this page by going to your applications page (accessed from the sidebar navigation menu) and selecting Addons (</>), located in the row next to the application you created.
- While on the Addons page, select SAML2 WEB APP.
- In the provided SAML2 Web App window, enter the Application Callback URL of your digital workplace, and then select Enable. Your Application Callback URL (the Igloo SAML endpoint, which is where Auth0 sends the signed SAML response) is your digital workplace URL followed by /saml.digest. For example, https://yourdigitalworkplace.com/saml.digest.
- Go to the Rules page. You can find a link to this page on the sidebar navigation menu.
- While on the Rules page, select + Create Rule.
- Find and select the Remove attribute from a user rule.
- Replace the default script of the Remove attribute from a user rule with the following. It strips the listed profile fields from the user object before the SAML response is built, so the digital workplace never receives them:

```javascript
function (user, context, callback) {
  // Profile fields that must not be sent to the digital workplace.
  const blacklist = [ 'picture', 'user_id' ];
  Object.keys(user).forEach(function(key) {
    if (blacklist.indexOf(key) > -1) {
      delete user[key];
    }
  });
  // Pass the trimmed user object on to the next rule.
  callback(null, user, context);
}
```
- Save this rule change.
- Go to the Rules page. You can find a link to this page on the sidebar navigation menu.
- While on the Rules page, select + Create Rule.
- Find and select the SAML Attributes mapping rule.
- Replace the default script of the SAML Attributes mapping rule with the following. Each key is the SAML attribute name the digital workplace expects and each value is the path in the Auth0 user profile that populates it. Note that the given name is read from user_metadata (editable by the user) while the family name is read from app_metadata (editable only by administrators or the Management API); check that each path matches where your tenant actually stores the name:

```javascript
function (user, context, callback) {
  context.samlConfiguration.mappings = {
    // NameID and the e-mail claim are both taken from the verified Auth0 e-mail address.
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "user_metadata.given_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "app_metadata.family_name"
  };
  callback(null, user, context);
}
```
- Save this rule change.
- Go to the Settings tab of your application. You can get to this page by going to your applications page (accessed from the sidebar navigation menu) and selecting Settings (cog icon) located in the row next to the application you created.
- Scroll to the bottom of the Settings tab and select Show Advanced Settings.
- Go to the Certificate tab of Advanced Settings and select Download Certificate (as a PEM file). You will need this when configuring single sign-on in your digital workplace; it is the public certificate the workplace uses to verify Auth0's signature on SAML responses, so if the tenant's signing certificate is ever rotated this step must be repeated.
- Go to the Endpoints tab of Advanced Settings and copy the SAML Protocol URL. You will need this when configuring single sign-on in your digital workplace.
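The two rules above are easiest to get right before they are deployed. The following is an added example, not code from the Igloo article or from Auth0: a small Node.js harness that runs both rules against a constructed user/context pair (the sample user, the `buildAssertionAttributes` helper and the chain order are assumptions) and computes the values each SAML attribute would carry. It also adds a guard rule that is not in the article: because the NameID is the e-mail address, an assertion is refused when `email_verified` is not true, which prevents a connection that accepts a self-asserted e-mail from being mapped onto an existing workplace member.

```javascript
// Added example (not from the Igloo article or from Auth0): a local harness that runs the two
// rules above against a constructed user/context pair, so the attribute removal and the SAML
// claim mapping can be checked before the rules are deployed to a tenant. Auth0 runs rules in
// order, each receiving (user, context, callback); the harness mimics that call shape only.

const CLAIMS = {
  nameid: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
  email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  givenname: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
  surname: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
};

// Rule from the article: drop profile fields that should not be sent to the workplace.
function removeAttributes(user, context, callback) {
  const blacklist = ["picture", "user_id"];
  Object.keys(user).forEach(function (key) {
    if (blacklist.indexOf(key) > -1) {
      delete user[key];
    }
  });
  callback(null, user, context);
}

// Rule from the article: declare which user fields populate which SAML attributes.
function mapSamlAttributes(user, context, callback) {
  context.samlConfiguration.mappings = {
    [CLAIMS.nameid]: "email",
    [CLAIMS.email]: "email",
    [CLAIMS.givenname]: "user_metadata.given_name",
    [CLAIMS.surname]: "app_metadata.family_name",
  };
  callback(null, user, context);
}

// Assumed extra rule, not in the article: since NameID is the e-mail address, refuse to issue
// an assertion for an unverified address. Otherwise a connection that accepts a self-asserted
// e-mail could be mapped onto an existing workplace member's account.
function requireVerifiedEmail(user, context, callback) {
  if (!user.email || user.email_verified !== true) {
    return callback(new Error("e-mail must be verified before SAML sign-in"));
  }
  callback(null, user, context);
}

// Resolve a dotted mapping path such as "user_metadata.given_name" against the user object.
function lookup(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Run the chain and compute the attribute values the assertion would carry.
// Returns { error, attributes, user }; on a rule error, attributes is null.
function buildAssertionAttributes(user, context, rules) {
  for (const rule of rules) {
    let failed = null;
    rule(user, context, (err, u, c) => {
      if (err) { failed = err; return; }
      user = u;
      context = c;
    });
    if (failed) return { error: failed.message, attributes: null, user };
  }
  const attributes = {};
  for (const [claim, path] of Object.entries(context.samlConfiguration.mappings)) {
    attributes[claim] = lookup(user, path);
  }
  return { error: null, attributes, user };
}

// Constructed sample inputs (not real tenant data).
function sampleUser() {
  return {
    user_id: "auth0|0123456789abcdef",
    email: "jane.doe@example.com",
    email_verified: true,
    picture: "https://example.com/avatar.png",
    user_metadata: { given_name: "Jane" },
    app_metadata: { family_name: "Doe" },
  };
}
function sampleContext() {
  return { samlConfiguration: {} };
}

// Order matters: the guard runs first so no claims are computed for a rejected user.
const RULES = [requireVerifiedEmail, removeAttributes, mapSamlAttributes];

console.log(JSON.stringify(buildAssertionAttributes(sampleUser(), sampleContext(), RULES), null, 2));
```

Run it with `node` and compare the printed attribute set with what the digital workplace expects in its Email, First Name and Last Name paths. If a name comes back `undefined`, the mapping path points at a metadata store your tenant does not populate, which is exactly the mismatch the two different metadata prefixes in the mapping rule can hide.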
Configuring your digital workplace's single sign-on
- Go to your digital workplace and sign in.
- Select Control Panel.
- Under Membership, select Sign In Settings.
- Select Configure SAML Authentication.
- Configure the settings as described in the Configuration settings table below.
- Select Save.
Setting | Description |
---|---|
Connection Name | Enter a name for this connection. If you configure Sign in Settings to Use SAML button on Sign in screen, this name will be displayed on the button. |
IdP Login URL | Copy and paste the SAML Protocol URL from the Auth0 configuration instructions into this field. |
IdP Logout URL | Enter your Auth0 tenant domain (the host part of the SAML Protocol URL) followed by /logout. For example: https://dev-80ve8rc0.auth0.com/logout |
Logout Response and Request HTTP Type | Select Basic. |
Logout Final Redirect URL | Enter the URL of the location you want to send users to when they log out. If left blank, users will be redirected to your digital workplace's homepage. |
Binding Type | Select POST. |
Public Certificate | Copy and paste the certificate downloaded in the Auth0 configuration instructions into this field. Open the PEM file in a text editor to copy its contents. |
Identity Provider | Select Other. |
Identifier Type | Select Email Address. |
Identifier Path | Enter |
Session Index Path | Enter |
Email Path | Enter |
First Name Path | Enter |
Last Name Path | Enter |
Drift Time | Enter |
User creation on Sign in | Select how your digital workplace handles users who attempt to sign in when they have valid IdP credentials but are not members of the digital workplace. Options include: When creating new users in your digital workplace this way, they will be created with the following details: If enabled, this option does not provide any additional user syncing functionality (e.g., additional fields, group membership, deprovisioning, etc.). If your digital workplace uses the ILST to manage members, select Do not create new users when they sign in to avoid the creation of duplicate user accounts. |
Sign in Settings | Select how users sign in to your workplace. Options include: For setting up and testing the connection, it can be convenient to temporarily select Use SAML button on "Sign in" screen and then only switch to Redirect all users to IdP once you have confirmed that single sign-on is working correctly. |