Problem Statement
Is there a way to use Auth0 as an IdP without using SAML?
Solution
If you do not wish to use SAML as the protocol you can use OIDC instead.
Assume you want to set up one Auth0 tenant as an OIDC identity provider (IdP) and another tenant as a service provider (SP) that will use the former for authentication.
In this example you have the following tenants:
example-idp.us.auth0.com - the IdP tenant
example-sp.us.auth0.com - the SP tenant
Note:
You can use either the Front channel or the Back channel. The Front channel uses the OIDC protocol with response_mode=form_post and response_type=id_token; the Back channel uses response_type=code. In most cases, you will probably want to use the Back channel.
IdP tenant configuration:
- In the IdP tenant, create a standard web application.
- (Front channel only) Set the application's Token Endpoint Authentication Method to None.
- Add the SP's /login/callback endpoint (in this example, https://example-sp.us.auth0.com/login/callback) to the application's Allowed Callback URLs.
- Click Save.
SP tenant configuration:
- Go to Connections → Enterprise and create a new OIDC connection.
- Set the Issuer URL to the IdP's .well-known/openid-configuration endpoint (in this example, https://example-idp.us.auth0.com/.well-known/openid-configuration).
- Set the Client ID to the client ID of the application you created in the IdP tenant.
- (Back channel only) Set the type to Back channel and set the Client Secret to the client secret of the application you created in the IdP tenant.
- Click Save.
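The following is an added example, not Auth0's own code or part of the original article. It models the two halves of the setup above as data so you can sanity-check them before saving the SP connection: a constructed discovery document for the IdP tenant (shaped like a real .well-known/openid-configuration response, but not fetched from any tenant), a constructed record of the IdP-side application with placeholder client id and secret, and the authorization request the SP connection would send for the Front channel (response_type=id_token, response_mode=form_post) versus the Back channel (response_type=code). The field names and the scope value are assumptions drawn from the OIDC discovery and authorization request specifications, not from the article.

```python
from urllib.parse import parse_qs, urlencode, urlparse

IDP_ISSUER = "https://example-idp.us.auth0.com/"
SP_CALLBACK = "https://example-sp.us.auth0.com/login/callback"

# Constructed discovery document for the IdP tenant (assumption: the keys and
# values mirror the shape of a real .well-known/openid-configuration response).
SAMPLE_DISCOVERY = {
    "issuer": IDP_ISSUER,
    "authorization_endpoint": IDP_ISSUER + "authorize",
    "token_endpoint": IDP_ISSUER + "oauth/token",
    "jwks_uri": IDP_ISSUER + ".well-known/jwks.json",
    "response_types_supported": ["code", "token", "id_token", "code id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
    "id_token_signing_alg_values_supported": ["HS256", "RS256"],
}

# Constructed settings of the application created in the IdP tenant
# (hypothetical placeholders; never hard-code a real client secret).
SAMPLE_IDP_APP = {
    "client_id": "IDP_APP_CLIENT_ID_PLACEHOLDER",
    "client_secret": "IDP_APP_CLIENT_SECRET_PLACEHOLDER",
    "token_endpoint_auth_method": "client_secret_post",
    "allowed_callback_urls": [SP_CALLBACK],
}

# What each channel of the SP connection asks the IdP for.
CHANNEL_PARAMS = {
    "front": {"response_type": "id_token", "response_mode": "form_post"},
    "back": {"response_type": "code"},
}


def check_idp_app(app, sp_callback, channel):
    """Return problems with the IdP-side application for the chosen channel."""
    problems = []
    if sp_callback not in app.get("allowed_callback_urls", []):
        problems.append("SP /login/callback is not in Allowed Callback URLs")
    if channel == "front" and app.get("token_endpoint_auth_method") != "none":
        problems.append("front channel: Token Endpoint Authentication Method must be None")
    if channel == "back" and not app.get("client_secret"):
        problems.append("back channel: the SP connection needs the app's client secret")
    return problems


def check_discovery(doc, expected_issuer, channel):
    """Return problems with the IdP's discovery document for the chosen channel."""
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} missing or not https")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered; the SP cannot verify id_tokens via jwks_uri")
    wanted = CHANNEL_PARAMS[channel]
    if wanted["response_type"] not in doc.get("response_types_supported", []):
        problems.append(f"response_type={wanted['response_type']} not supported")
    mode = wanted.get("response_mode")
    if mode and mode not in doc.get("response_modes_supported", []):
        problems.append(f"response_mode={mode} not supported")
    return problems


def build_authorize_url(doc, client_id, redirect_uri, channel, state, nonce=None):
    """Build the authorization request the SP connection sends for each channel."""
    params = dict(CHANNEL_PARAMS[channel])
    if channel == "front":
        # The id_token comes straight back in the form post, so the nonce is
        # the only binding between this request and the token it produces.
        if not nonce:
            raise ValueError("front channel (id_token) requires a nonce")
        params["nonce"] = nonce
    params.update({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",  # assumption: typical SP scopes
        "state": state,
    })
    return doc["authorization_endpoint"] + "?" + urlencode(params)


def query_params(url):
    """Flatten the query string of an authorization URL into a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    for channel in ("front", "back"):
        print(channel, "app:", check_idp_app(SAMPLE_IDP_APP, SP_CALLBACK, channel))
        print(channel, "discovery:", check_discovery(SAMPLE_DISCOVERY, IDP_ISSUER, channel))
    print(build_authorize_url(SAMPLE_DISCOVERY, SAMPLE_IDP_APP["client_id"],
                              SP_CALLBACK, "back", state="s1"))
```

Running it with the sample data reports the one mismatch the article warns about: the IdP application is left on client_secret_post, which is fine for the Back channel but fails the Front channel check until Token Endpoint Authentication Method is set to None. Swapping SAMPLE_DISCOVERY for the JSON you fetch from your own IdP tenant turns the same checks into a pre-flight for a real connection.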