Self-Service Single Sign-On
Self-Service SSO is currently available in Limited Early Access. To learn more about Auth0 releases, review Product Release Stages.
Self-Service Single Sign-On (SSO) provides business-to-business customers with the tools needed to delegate SSO setup to their enterprise customers. By delegating this task, you can streamline your onboarding process and grant customers more autonomy over their sign-on experience. You can also reduce the time and costs associated with managing SSO across your customer base.
Self-Service SSO requires minimal configuration in your Auth0 tenant and provides your customers with a setup assistant that guides them through the enablement process. After a customer completes their setup, the SSO integration is automatically added to your tenant as an Enterprise connection.
Supported Providers
During the Early Access period, Self-Service SSO supports the following identity providers:
Okta Workforce Identity Cloud (using OIDC)
Entra ID
Google Workspace (using OIDC)
Microsoft Active Directory Federation Services (ADFS)
Generic OIDC
Generic SAML
How it works
Self-Service SSO uses the following components to delegate setup to your customers:
Self-service profile: Defines the user attributes (e.g., email) your customers must capture through SSO and provides branding for the SSO setup assistant. You can create multiple profiles as needed to accommodate different customers or segments.
Self-service access ticket: Specifies key details for the SSO integration and grants customer admins access to the SSO setup assistant.
SSO setup assistant: Guides customer admins through the SSO setup process.
During the Early Access period, you can only create a single self-service profile for your tenant.
At a high level, the Self-Service SSO workflow includes the following tasks:
You (the Auth0 customer) create a self-service profile in your tenant using the Auth0 Dashboard or the Management API.
Using the Management API, you next create a self-service access ticket that allows customer admins to configure SSO.
You retrieve the ticket URL from the asset created in Step 2 and send this link to your customer admin.
Your customer admin launches the SSO setup assistant and follows the steps provided to create an application with their identity provider.
A new Enterprise connection pointing to the customer’s application is added to your Auth0 tenant.
Select the diagram for an expanded view.
Using Self-Service SSO
The sections below provide expanded steps for configuring a self-service profile in your tenant and creating self-service access tickets to share with customer admins.
Create a self-service profile
You can create a self-service profile using the Auth0 Dashboard or the Management API.
To create a self-service profile on the Auth0 Dashboard:
Navigate to Authentication > Enterprise and select the Create Profile button.
In the space provided, enter a name and description for the profile. Then, select Create.
On the Settings tab, provide branding details, such as a logo, to customize the SSO setup assistant your customers will use to configure SSO. After updating the fields, select Save.
On the User Profile tab, add up to 20 user attributes your customers should capture through SSO, such as email or family name. You can set each attribute as
requiredoroptional.
During the setup assistant flow, customer admins are prompted to map their specified user attributes to attributes on their identity provider to ensure these values are passed back to Auth0.
To create a self-service profile via the Management API:
Make a POST call to the Self-Service Profiles endpoint.
Specify the following parameters in the request body, as needed:
| Parameter | Description |
|---|---|
name |
String. Maximum length is 100. A user-friendly name for the self-service profile. This parameter is required. |
description |
String. Maximum length is 140. A description of the service profile. This parameter is optional. |
user_attributes |
Object. Maximum length is 20. Stores mapping information presented to customer admins during the setup assistant flow. Customer admins are prompted to map these attributes to their identity provider to ensure the specified attributes are passed to Auth0. This parameter is optional. |
user_attributes[].name |
String. Maximum length is 255. Name of the user attribute in Auth0. This parameter is required when defining user_attributes. |
user_attributes[].description |
String. Maximum length is 255. Human-readable description of the user attribute. This parameter is required when defining user_attributes. |
user_attributes[].is_optional |
Boolean. Indicates whether an attribute is optional or required by the customer in order for the application to function.
This parameter is required when defining user_attributes. |
branding |
Object. Used to customize the styling of the SSO setup assistant presented to customer admins. This parameter is optional. |
branding.logo_url |
String. Maximum length is 1024. An HTTPS URL that points to a logo. If provided, this logo displays to the top right of the SSO setup assistant. This parameter is optional. |
branding.colors |
Object. Allows you to set a primary color for certain elements of the SSO setup assistant, such as interactive buttons. This parameter is optional. |
branding.colors.primary |
String. Specifies the hex value of the primary color used for the SSO setup assistant. This parameter is required when defining branding.colors. |
Example Request Body
{
"name": "Example Profile",
"description": "An example profile for all customers",
"user_attributes": [
{
"name": "email",
"description": "User's email",
"is_optional": false,
}
],
"branding": {
"logo_url": "https://example.com/logo.png",
"colors": {
"primary": "#334455"
}
}
}Was this helpful?
Create self-service access ticket
After creating your self-service profile, you can create a self-service access ticket using the Management API. This ticket provides a customer admin with access to the SSO setup assistant.
Access tickets can only be used once. After a ticket is generated, its URL remains valid for five days. Upon accessing the URL, a customer admin has five hours to complete their setup.
Retrieve the ID of the self-service profile you created for your tenant using the Retrieve Self-Service Profiles endpoint.
Call the SSO Access Ticket endpoint using the ID of the self-service profile you previously created in your tenant:
POST /api/v2/self-service-profiles/{id}/sso-ticket
In the request body, specify the following parameters:
| Parameter | Description |
|---|---|
connection_config |
Object. Provide this option when using an access ticket to create a new SSO connection. connection_config cannot be used in tandem with connection_id. |
connection_config.name |
String. Maximum length is 128. Name for the connection created through the SSO setup assistant. Use of this parameter is required when using connection_config. |
connection_id |
String. Provide this option when using an access ticket to update an existing SSO connection. connection_id cannot be used in tandem with connection_config.ID for the connection that will be updated through the SSO setup assistant. You can retrieve connection IDs through the Authentication section of the Auth0 Dashboard or the Get All Connections endpoint. |
enabled_clients |
String[]. A list of application client IDs to associate with the SSO connection. |
enabled_organizations |
Object[]. A list of organizations to associate with the SSO connection. |
enabled_organizations[].organization_id |
ID of a specific organization to associate with the SSO connection. You can retrieve IDs through the Organizations section of the Auth0 Dashboard, the Get Organizations endpoint, or the Get Organization by Name endpoint. Use of this parameter is required when using enabled_organizations. |
Example Request Body
{
"connection_id": "con_PzXxgqxYD1QryUT2",
"connection_config": {
"name": "sso-generated-SAML-customer-12"
},
"enabled_clients": [
"NaByIDEzMQErqouDb9DWGZSOlqhR8JgO",
"SFwh3of2k09hfywg7lfBTEnEPqZPm0S3
],
"enabled_organizations": [
{
"organization_id": "org_mrW0HjyX5kAfccO6"
},
{
"organization_id": "org_C5NbiK4QBbNc15Yu"
}
]
}Was this helpful?
In response, you receive a URL to the self-service access ticket:
{
"ticket": "https://{domain}/self-service/connections-flow?ticket={id}"
}Was this helpful?
Share this URL with your customer admin to grant them access to the SSO setup assistant. The assistant will then guide them through each step of the SSO setup process.
You can choose to wrap ticket generation in your own self-service portal or send access ticket links to customer admins through email, chat, or another communication channel.
Access tickets can only be used once. After a ticket is generated, its URL remains valid for five days. Upon accessing the URL, a customer admin has five hours to complete their setup.
References
APIs
To manage Self-Service SSO, the following Management API endpoints are available:
Rate Limits
When using Self-Service SSO, the following rate limits apply:
| Description | Endpoint | Limits |
|---|---|---|
| Manage SSO profiles | /api/v2/self-service-profiles |
Review the Management API rate limits for your subscription type. |
| Create an access ticket | /api/v2/self-service-profiles/{id}/sso-ticket |
Review the Management API rate limits for your subscription type. |
| Consume an access ticket | /self-service/connection-flows?ticket={id} |
6 / min / IP |
| Load the webapp (including setup assistant) and webapp endpoints | /self-service/* |
50 / min / IP 90 / min / tenant |