Deployment Checklist
Auth0 has provided the following deployment checklist for your use. You may not find that every item is applicable, so please modify the checklist based on the needs of your implementation.
| # | Item | Guidance |
|---|---|---|
| DEC10 | Tenant administrators defined: Provision tenant administrators | Manage Tenant Administrators in the Dashboard |
| DEC15 | Tenant administration delegation defined: Provision delegated tenant administrators (not applicable if you are not using tenant Delegated Administration) | Manage Tenant Administrators in the Dashboard |
| DEC17 | MFA for tenant administrators enabled: Enroll tenant administrators for MFA (Multi-factor Authentication) | Enrolling in Multi-factor Authentication |
| DEC20 | Support URL configured: Configure the URL of your company/organization support page; a best practice for your production tenant deployment | Tenant Settings in the Dashboard |
| DEC25 | Support email configured: Configure the email address used to contact your company/organization support team; a best practice for your production tenant deployment | Tenant Settings in the Dashboard |
| DEC30 | Session lifetime limits for SSO configured: Configure session lifetime limits for SSO | Configure Session Lifetime Limits for Single Sign On |
| DEC40 | Tenant-wide allowed logout URLs defined: Specify logout redirect URLs that are not localhost (not mandatory but recommended) | Redirect Users After Logout |
| DEC50 | Tenant environment tag assigned: Assign an environment tag to each tenant | Set the Environment |
| DEC55 | Tenant production checks run: Run automated tests on the production tenant configuration and address any issues raised (also applicable to non-production tenants) | How to Run the Production Checks |
| DEC57 | Tenant production checks aligned with best practice: Align production tenant checks with best practices (also applicable to non-production tenants) | Production Checks: Best Practices |
| DEC60 | Anomaly detection enabled: Protect against brute-force attacks and the use of breached passwords | Set Anomaly Detection Preferences |
| DEC70 | Auth0 Extensions installed: Install the desired extensions into each tenant | Extensions |
| # | Item | Guidance |
|---|---|---|
| DEC100 | User signup policy for database connections reviewed: Disable user signup where it is not required (not applicable if you are not using Auth0 database connections) | Disable user signup if it's not appropriate for each database connection |
| DEC110 | Password policy for database connections set: Set up the recommended password policy for database connections (not applicable if you are not using Auth0 database connections) | Set password policy for database connections |
| # | Item | Guidance |
|---|---|---|
| DEC200 | Allowed callback URLs defined: Specify redirect URLs that are not localhost | Redirect Users After Login |
| DEC210 | Application grant types aligned: Disable grant types that are not required or not recommended for your application (not applicable if you are not using OIDC or OAuth2 workflows) | Available Grant Types |
| DEC220 | Social connection developer keys replaced: Complete registration with each social identity provider to remove the limitations of the out-of-the-box Auth0 Developer Keys (not applicable if you are not using social connections) | Test Social Connections with Auth0 Developer Keys |
| DEC225 | Social connection identity data reviewed: Review the data being requested from each social connection (not applicable if you are not using social connections) | Review requested data |
| DEC230 | RSA-SHA256 used as signature algorithm: Configure SAML connections to sign requests and use RSA-SHA256 (not applicable if you are not using SAML) | Use RSA-SHA256 for SAML connections |
| # | Item | Guidance |
|---|---|---|
| DEC400 | Password policy for database connections set: Set up the recommended password policy for database connections (not applicable if you are not using Auth0 database connections) | Set password policy for database connections |
| # | Item | Guidance |
|---|---|---|
| DEC500 | Allowed logout URLs defined: Specify logout redirect URLs that are not localhost (not mandatory but recommended) | Redirect users after logout |
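Several of the items above (DEC20, DEC25, DEC30, DEC40, DEC100, DEC110, DEC200, DEC210, DEC500) can be checked mechanically against an exported tenant configuration, which is what DEC55's automated production checks amount to. The script below is an added example, not Auth0's own production checks: the field names follow the Auth0 Management API v2 shape for tenant settings, clients and connections, and the configuration object is constructed for the example.

```javascript
// Added example, not Auth0's own code: audit a tenant configuration against several
// checklist items. Field names follow the Auth0 Management API v2 shape for tenant
// settings, clients and connections; the configuration object itself is constructed.
const sampleConfig = {
  tenant: {
    support_url: "",                       // DEC20: not set
    support_email: "support@example.com",  // DEC25: set
    session_lifetime: 168,                 // hours; DEC30
    idle_session_lifetime: 72,             // hours; DEC30
    allowed_logout_urls: ["https://app.example.com/"],
  },
  clients: [{
    name: "web-app",
    grant_types: ["authorization_code", "refresh_token", "implicit"],
    callbacks: ["https://app.example.com/callback", "http://localhost:3000/callback"],
    allowed_logout_urls: ["https://app.example.com/"],
  }],
  connections: [{
    name: "Username-Password-Authentication",
    strategy: "auth0",                              // an Auth0 database connection
    options: { disable_signup: false, passwordPolicy: "low" },
  }],
};

// Matches http(s)://localhost or 127.0.0.1 with an optional port and anything after it.
const isLocalhost = (url) => /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?(\/|$)/i.test(url);
// Grant types worth reviewing before production; they are flagged, not removed.
const REVIEW_GRANTS = new Set(["implicit", "password"]);
function auditTenantConfig(cfg) {
  const findings = [];
  const flag = (item, detail) => findings.push({ item, detail });
  const t = cfg.tenant || {};
  if (!t.support_url) flag("DEC20", "tenant support_url is not set");
  if (!t.support_email) flag("DEC25", "tenant support_email is not set");
  if (!t.session_lifetime || !t.idle_session_lifetime) flag("DEC30", "session lifetime limits not set");
  (t.allowed_logout_urls || []).filter(isLocalhost).forEach((u) => flag("DEC40", `tenant logout URL ${u}`));
  for (const c of cfg.clients || []) {
    (c.callbacks || []).filter(isLocalhost).forEach((u) => flag("DEC200", `${c.name}: callback ${u}`));
    (c.allowed_logout_urls || []).filter(isLocalhost).forEach((u) => flag("DEC500", `${c.name}: logout URL ${u}`));
    (c.grant_types || []).filter((g) => REVIEW_GRANTS.has(g)).forEach((g) => flag("DEC210", `${c.name}: grant type ${g}`));
  }
  for (const conn of (cfg.connections || []).filter((x) => x.strategy === "auth0")) {
    const opts = conn.options || {};
    if (!opts.disable_signup) flag("DEC100", `${conn.name}: user signup is enabled`);
    if (["none", "low"].includes(opts.passwordPolicy || "none")) flag("DEC110", `${conn.name}: password policy is ${opts.passwordPolicy || "none"}`);
  }
  return findings;
}
console.table(auditTenantConfig(sampleConfig));
```

Run against a real export, the findings list is empty when every checked item passes, so it can gate a CI/CD deployment step.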
| # | Item | Guidance |
|---|---|---|
| DEC800 | Unit testing for Actions: Execute integration test(s) prior to automated deployment (also applicable if you are not using a CI/CD pipeline, though not required if you are not using Actions extensibility) | How to unit test Actions as part of CI/CD pipeline |
| DEC810 | Integration test for Actions: Execute integration test(s) prior to automated deployment (also applicable if you are not using a CI/CD pipeline, though not required if you are not using Actions extensibility) | Actions |
| DEC820 | Integration test for custom database scripts: Execute integration test(s) prior to automated deployment when authenticating users against your own database or automatically migrating users (also applicable if you are not using a CI/CD pipeline, though not required if you have not implemented custom database scripts) | Custom Database Error Handling and Troubleshooting |
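To make DEC800 concrete, the following is an added example (not Auth0's own test harness) of a post-login Action that can be unit-tested offline: a test double stands in for the Actions `api` object and records every call, so the Action's decisions can be asserted before it is deployed. The `onExecutePostLogin(event, api)` signature, `api.access.deny()` and `api.idToken`/`api.accessToken.setCustomClaim()` are the real Actions API; the claim namespace and the two events are assumed for the example.

```javascript
// Added example, not Auth0's own code: a post-login Action plus a test double for the
// Actions `api` object so the Action can be unit-tested offline before deployment.
const ROLES_CLAIM = "https://example.com/roles";  // assumed namespaced claim

// The Action under test: block unverified accounts, otherwise copy roles into both tokens.
async function onExecutePostLogin(event, api) {
  if (!event.user.email_verified) {
    api.access.deny("Please verify your email address before signing in.");
    return;
  }
  const roles = (event.authorization && event.authorization.roles) || [];
  api.idToken.setCustomClaim(ROLES_CLAIM, roles);
  api.accessToken.setCustomClaim(ROLES_CLAIM, roles);
}

// Test double: records every call the Action makes instead of touching a real tenant.
function makeApiDouble() {
  const calls = [];
  const recorder = (method) => (...args) => calls.push({ method, args });
  return {
    calls,
    access: { deny: recorder("access.deny") },
    idToken: { setCustomClaim: recorder("idToken.setCustomClaim") },
    accessToken: { setCustomClaim: recorder("accessToken.setCustomClaim") },
  };
}

// Runs the Action against a constructed event and resolves to the recorded calls.
async function runPostLogin(event) {
  const api = makeApiDouble();
  await onExecutePostLogin(event, api);
  return api.calls;
}

// Constructed events; the shape follows the post-login event (event.user, event.authorization).
const verifiedUser = { user: { email: "alice@example.com", email_verified: true }, authorization: { roles: ["admin"] } };
const unverifiedUser = { user: { email: "bob@example.com", email_verified: false } };

// Stand-alone run: prints what the Action did in each case.
Promise.all([runPostLogin(verifiedUser), runPostLogin(unverifiedUser)]).then(([ok, denied]) => {
  console.log("verified user:", JSON.stringify(ok));
  console.log("unverified user:", JSON.stringify(denied));
});
```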
In the Deploy phase, you will deploy the system to either a staging or production environment, where actual users begin to operate and interact with it.
Eventually, you deploy all components of the system to the production environment when you make a live release.