Connection Settings Best Practices

Here are some best practices for configuring connections. Before you set up connections, take a moment to review what connections are and learn the basics of authentication for your application type.

Use your credentials for social connections

Auth0 provides default credentials for social connections to help you get started. You should replace these temporary credentials with your own to avoid restrictions.

Review requested data

You should review the data you are requesting from each social connection. Users must grant consent for the requested data. Requesting a lot of unnecessary data may result in users declining the authorization request out of privacy concerns.

Set password policy for database connections

Configure the password policy for your Auth0 database connections so created users have strong passwords. You can configure the password policy in the database connection settings on the dashboard or with the Auth0 Management API.

The password policy applies to password resets performed with the Universal Login Page as well as the Auth0 Management API.

Disable user signup if it's not appropriate for each database connection

In your database connection settings, specify if self-service user signups should be enabled. If you enabled this during development, review if you should disable it on production tenants.

Only enable this setting for production tenants if you allow end-users to sign up in a self-service manner. If self-service signup is not allowed, disable the feature. You can then add users to the database connection with the Auth0 Management API.

When using the Organizations feature, you can enable self-service signup for a given database connection in the context of a specific organization. When enabled, users can access a Sign Up link on the login prompt and gain membership to a specific organization upon creating their account. For more information, review Enable Organization Connections.

Review applications enabled for each connection

For each connection, review the list of allowed applications. Make sure there are no unintended authentication paths into an application. By default, new applications may have all of your tenant's connections enabled, which may not be appropriate.

Use RSA-SHA256 for SAML connections

Configure any SAML connections to sign requests and use RSA-SHA256 as the signature algorithm. This ensures the remote SAML Identity Provider can validate whether the authentication requests came from a legitimate application or not.