Self-Service Single Sign-On
Self-Service Single Sign-On (SSO) provides business-to-business customers with the tools needed to delegate SSO setup to their enterprise customers. By delegating this task, you can streamline your onboarding process and grant customers more autonomy over their sign-on experience. You can also reduce the time and costs associated with managing SSO across your customer base.
Self-Service SSO requires minimal configuration in your Auth0 tenant and provides your customers with a setup assistant that guides them through the enablement process. After a customer completes their setup, the SSO integration is automatically added to your tenant as an Enterprise connection.
Supported Providers
During the Early Access period, Self-Service SSO supports the following identity providers:
Okta Workforce Identity Cloud (using OIDC)
Entra ID
Google Workspace (using OIDC)
Keycloak
Microsoft Active Directory Federation Services (ADFS)
Generic OIDC
Generic SAML
How it works
Self-Service SSO uses the following components to delegate setup to your customers:
Self-service profile: Defines key elements of customer SSO implementations, such as the identity providers they can use for SSO and which user attributes they must capture, such as email.
Self-service access ticket: Grants customer admins access to the SSO setup assistant and sets specific details for their resulting SSO integration.
SSO setup assistant: Guides customer admins through the SSO setup process.
At a high level, the Self-Service SSO workflow includes the following tasks:
You (the Auth0 customer) create a self-service profile in your tenant using the Auth0 Dashboard or the Management API.
Using the Management API, you next create a self-service access ticket that allows customer admins to configure SSO.
You retrieve the ticket URL from the asset created in Step 2 and send this link to your customer admin.
Your customer admin launches the SSO setup assistant and follows the steps provided to create an application with their identity provider.
A new Enterprise connection pointing to the customer’s application is added to your Auth0 tenant.
Select the diagram for an expanded view.
Using Self-Service SSO
The sections below provide expanded steps for configuring a self-service profile in your tenant and creating self-service access tickets to share with customer admins.
Create a self-service profile
You can create self-service profiles using the Auth0 Dashboard or the Management API. Self-service profiles are used to determine key elements of customer implementations, including:
Which identity providers customer admins can use for SSO.
Which user attributes they must capture through SSO, such as email or family name.
Branding options that customize the look and feel of the SSO setup assistant.
You can create multiple profiles as needed to accommodate different customers or segments.
To create a self-service profile on the Auth0 Dashboard:
Navigate to Authentication > Enterprise and open the Self-Service SSO section. Then, select Create Profile.
In the space provided, enter a name and optional description for the profile. Then, select Create.
On the Settings tab, complete the sections below. After updating these sections, select Save.
Identity Providers: Enable one or more identity providers. In the SSO setup assistant, customer admins can select their preferred option from the list of enabled providers.
Branding: Provide a logo and primary color for the SSO setup assistant.
Custom Introduction: Modify or replace the default message as needed. This introduction text displays to customer admins on the landing page of the SSO setup assistant. Your messaging can include basic formatting options, such as bolding or hyperlinks, and is limited to 2000 characters.
On the User Profile tab, add up to 20 user attributes that your customers should capture through SSO, such as email or family name. You can set each attribute as
required
oroptional
.During the setup assistant flow, customer admins will be prompted to map these defined user attributes to their identity provider to ensure the necessary values are passed to Auth0.
To create a self-service profile, first call the Self-Service Profiles endpoint to create the profile. Then, use a PUT call to optionally modify its introduction text.
Create a self-service profile:
Make a POST call to the Self-Service Profiles endpoint.
Specify the following parameters in the request body, as needed:
Parameter | Description |
---|---|
name |
String. Maximum length is 100. A user-friendly name for the self-service profile. This parameter is required. |
description |
String. Maximum length is 140. A description of the service profile. This parameter is optional. |
allowed_strategies |
Array. One or more identity providers that customer admins can use to implement SSO. Options include:
|
user_attributes |
Object. Maximum length is 20. Stores mapping information presented to customer admins during the setup assistant flow. Customer admins are prompted to map these attributes to their identity provider to ensure the specified attributes are passed to Auth0. This parameter is optional. |
user_attributes[].name |
String. Maximum length is 255. Name of the user attribute in Auth0. This parameter is required when defining user_attributes . |
user_attributes[].description |
String. Maximum length is 255. Human-readable description of the user attribute. This parameter is required when defining user_attributes . |
user_attributes[].is_optional |
Boolean. Indicates whether an attribute is optional or required by the customer in order for the application to function.
This parameter is required when defining user_attributes . |
branding |
Object. Used to customize the styling of the SSO setup assistant presented to customer admins. This parameter is optional. |
branding.logo_url |
String. Maximum length is 1024. An HTTPS URL that points to a logo. If provided, this logo displays to the top right of the SSO setup assistant. This parameter is optional. |
branding.colors |
Object. Allows you to set a primary color for certain elements of the SSO setup assistant, such as interactive buttons. This parameter is optional. |
branding.colors.primary |
String. Specifies the hex value of the primary color used for the SSO setup assistant. This parameter is required when defining branding.colors . |
Example Request Body
{
"name": "Example Profile",
"description": "An example profile for all customers",
"allowed_strategies": ["okta","adfs","google-apps"],
"user_attributes": [
{
"name": "email",
"description": "User's email",
"is_optional": false,
}
],
"branding": {
"logo_url": "https://example.com/logo.png",
"colors": {
"primary": "#334455"
}
}
}
Was this helpful?
Customize your introduction text
When a customer admin accesses the SSO setup assistant, they first land on an introduction page that welcomes them to the experience. By default, the following message is provided:
"You are a few simple steps away from setting up SSO. This setup process involves making some changes to your identity provider. Before you begin, open your identity provider in a separate browser tab or window."
You can modify this text by making a PUT call to the Custom Text for Self-Service Profiles endpoint.
Call
PUT /api/v2/self-service-profiles/{id}/custom-text/{language}/{page}
, whereid
is the profile ID of the self-service profilelanguage
is set toen
page
is set toget-started
In the request body, specify the following:
Property Description introduction
String. Maximum length is 2000.
Complete introduction text to display on the landing page of the SSO setup assistant. Text can include basic formatting options, such as bolding or hyperlinks.
Custom text provided through this parameter completely overwrites any previous messaging. For best results, ensure you provide the full message you wish to display to customer admins.
Sending an empty body{}
resets any customized messaging to the default text.In response, the created entity is returned.
Example Call
PUT /api/v2/self-service-profiles/ssp_1234567890/custom-text/en/get-started
{
introduction: "Welcome! With <b>only a few steps</b>, you'll be able to setup your new connection. For assistance, contact <a href="https://www.examplesupportsite.com"> our support team </a>."
}
Was this helpful?
Example Response
{
introduction: "Welcome! With <b>only a few steps</b>, you'll be able to setup your new connection. For assistance, contact <a href="https://www.examplesupportsite.com"> our support team </a>."
}
Was this helpful?
Create self-service access ticket
After creating your self-service profile, you can create a self-service access ticket using the Management API. This ticket provides a customer admin with access to the SSO setup assistant.
Retrieve the ID of the self-service profile you created for your tenant using the Retrieve Self-Service Profiles endpoint.
Call the SSO Access Ticket endpoint using the ID of the self-service profile you previously created in your tenant:
POST /api/v2/self-service-profiles/{id}/sso-ticket
In the request body, specify the following parameters:
Parameter | Description |
---|---|
connection_config |
Object. Provide this option when using an access ticket to create a new SSO connection. connection_config cannot be used in tandem with connection_id . |
connection_config.name |
String. Maximum length is 128. Name for the connection created through the SSO setup assistant. Use of this parameter is required when using connection_config . |
connection_id |
String. Provide this option when using an access ticket to update an existing SSO connection. connection_id cannot be used in tandem with connection_config .ID for the connection that will be updated through the SSO setup assistant. You can retrieve connection IDs through the Authentication section of the Auth0 Dashboard or the Get All Connections endpoint. |
enabled_clients |
String[]. A list of application client IDs to associate with the SSO connection. |
enabled_organizations |
Object[]. A list of organizations to associate with the SSO connection. |
enabled_organizations[].organization_id |
ID of a specific organization to associate with the SSO connection. You can retrieve IDs through the Organizations section of the Auth0 Dashboard, the Get Organizations endpoint, or the Get Organization by Name endpoint. Use of this parameter is required when using enabled_organizations . |
Example Request Body
{
"connection_id": "con_1234567890",
"connection_config": {
"name": "sso-generated-SAML-customer-12"
},
"enabled_clients": [
"AbCdEfGhIJKlmnoPq1RSTUVWXyzA1Bc2",
"ZyXwVuTsRQPonmlJk1HGFEDCBazY1Xw2"
],
"enabled_organizations": [
{
"organization_id": "org_1234567890"
},
{
"organization_id": "org_0987654321"
}
]
}
Was this helpful?
In response, you receive a URL to the self-service access ticket:
{
"ticket": "https://{domain}/self-service/connections-flow?ticket={id}"
}
Was this helpful?
Share this URL with your customer admin to grant them access to the SSO setup assistant. The assistant will then guide them through each step of the SSO setup process.
You can choose to wrap ticket generation in your own self-service portal or send access ticket links to customer admins through email, chat, or another communication channel.
References
APIs
To manage Self-Service SSO, the following Management API endpoints are available:
Rate Limits
When using Self-Service SSO, the following rate limits apply:
Description | Endpoint | Limits |
---|---|---|
Manage SSO profiles | /api/v2/self-service-profiles |
Review the Management API rate limits for your subscription type. |
Create an access ticket | /api/v2/self-service-profiles/{id}/sso-ticket |
Review the Management API rate limits for your subscription type. |
Consume an access ticket | /self-service/connection-flows?ticket={id} |
6 / min / IP |
Load the webapp (including setup assistant) and webapp endpoints | /self-service/* |
50 / min / IP 90 / min / tenant |