Authenticate by SAML for some users

I have an application with Auth0 login using the universal login (user-password) and serving users from many companies. I need to provide SSO using SAML for users from one specific company.
I realize I’ll need to create a separate login page for them that will authenticate with their SSO via SAML, but not sure how to continue from there and how to perform the login to my application with Auth0 (having only the email).
Any other solution to this requirement will be appreciated.

Welcome @irit !

You would have to create a representation of this SAML connection in your Auth0 dashboard: Connect Your App to SAML Identity Providers

Later, just enable the connection for the app:

Not necessarily - for this application, you can enable both the email&password and SAML connection within the same Login Page.
You can choose how the user will be logging in (you will see the Login Experience view once setting the SAML connection on the Auth0 tenant):

Once this single user chooses to log in with the SAML, it will continue with the SAML provider login page where they will provide credentials. Once authenticated there, the user will be logged in to the app.

Please let us know if this gives you a starting point for your project!

My application serves users from different companies. Only some of those companies have a SAML identity provider. Also, different companies have different identity providers. I can’t give a user the possibility to try and connect via an identity provider of a company he doesn’t belong to. That’s why I thought I need a separate login.
Also, as I said, I will need to integrate with multiple identity providers. Can I create multiple connections and how can I make each user use his own provider?

Hi @irit ,

I am checking it further and will update you soon.

Thank you for your patience!

Hi @irit ,

You can create multiple SAML connections and enable them for the client application. There are subscription-based entity limits for connections - when having a moment, please take a look here.

These are the 3 options I isolated:

  1. Home Realm discovery: when entering an email to the Login Page, if there is a match between the user’s email domain and the SAML IdP domain, the user will be redirected to a native IdP login page. If there is no match, the user will be prompted to provide a password (like in the case of an Auth0’s native database connection)

  2. Enable the Organizations feature for the client app, and for each organization (representing your different customers’ companies to which you would assign respective users) enable a relevant SAML IdP.

  3. Create a “discovery” logic on an application level by creating several application instances (as many as different companies your customers are from) that would be available under different URLs so that a user, when they want to log in, clicks on a link that would redirect them automatically to their relevant SAML IdP. The link would contain the connection query parameter with the name of a SAML connection you set in the Auth0 dashboard.

A link example:
https://subdomain.eu.auth0.com/authorize?client_id=iALdRmtyxxxxxxxxVR89&connection=name_of_your_saml_connection&scope=openid+profile+email+offline_access&redirect_uri=http%3A%2F%2Flocalhost%3A3000&audience=http%3A%2F%2Flocalhost%3A5000&response_type=code&response_mode=query

Please let us know which option best suits your business requirement and if you have any other questions on that!

Hope this gives you an overview of what’s available!
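
Added example (not part of the original posts and not Auth0's own code): a JavaScript sketch of the per-company routing in option 3, choosing the `connection` parameter from the email domain with exact matching so that a user is never sent to another company's IdP. The domain map, connection names and function names are hypothetical.

```javascript
// Constructed sample map: email domain -> SAML connection name as set in the
// Auth0 dashboard (both columns are hypothetical values).
const DOMAIN_TO_CONNECTION = new Map([
  ["acme.example", "acme-saml"],
  ["globex.example", "globex-saml"],
]);

// Returns the SAML connection for an email, or null to fall back to the
// username/password login.
function connectionForEmail(email, domainMap = DOMAIN_TO_CONNECTION) {
  if (typeof email !== "string") return null;
  const parts = email.trim().toLowerCase().split("@");
  // Exactly one "@": refuses input such as "a@evil.test@acme.example".
  if (parts.length !== 2 || parts[0] === "" || parts[1] === "") return null;
  // Exact domain match only: "acme.example.evil.test" and "notacme.example"
  // must not be routed to Acme's IdP.
  return domainMap.get(parts[1]) ?? null;
}

// Builds an /authorize link with the same parameters as the link in the post
// above; "connection" is added only when the domain has a SAML IdP.
// Routing only: the parameter is visible to and editable by the client.
function buildAuthorizeUrl({ tenantDomain, clientId, redirectUri, email }) {
  const url = new URL(`https://${tenantDomain}/authorize`);
  const params = new URLSearchParams({
    client_id: clientId,
    response_type: "code",
    response_mode: "query",
    scope: "openid profile email",
    redirect_uri: redirectUri,
  });
  const connection = connectionForEmail(email);
  if (connection !== null) params.set("connection", connection);
  url.search = params.toString();
  return url.toString();
}
```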

I think you can:

  1. Configure Auth0 as a SAML Service Provider for the specific company. This lets them authenticate with their SSO.
  2. Upon successful SAML login, map the user’s email from the SAML assertion to your existing Auth0 user or create a new one. This links the SSO login to your application.

Thank you Marcelina for the detailed and informative response.
Using Enterprise and Organization features means we’ll need to upgrade our subscription and pay significantly more. We’re trying to avoid it for now.
I did find in the links you sent the “HRD through Universal Login using the Identifier to Realm Map” option (under Authentication (B2B)). This option is also mentioned here: Identifier first Universal Login for SAML users without HRD - #2 by shunsuke.tsutsui
This seems like the best option at the moment.
Can you please explain how I can implement this (already configured Universal Login to Identifier First Authentication):

  1. Regarding the endpoint that gets an email and returns a connection - what is the exact configuration of the endpoint (HTTP method, query params, body and return value)?
  2. Where do I set the endpoint, so the Universal Login will call it after the email is entered by the user?
  3. I didn’t understand if the Universal Login handles the endpoint response. Should I do something in my app (I’m using @auth0/auth0-spa-js package and not calling authorize directly)?