Custom SSO SAML Integration with Auth0 as SP

I am fairly new to SSO as this is my first time setting up an integration with an IdP. We already have Auth0 as our SP and IdP for our standard web app, but we are exploring the option of letting customers bring their own SAML IdP for SSO use. Here is our current implementation of Auth0:

Couple things to note about our implementation:

  1. We don’t use any of Auth0’s login pages
  2. We use Auth0’s authentication API to perform the login attempt via our API.

With all that being said, I am not 100% sure how to implement Auth0 as our SP for SSO. What makes sense to me and my current auth flow would be something like this:

I followed the setup listed here to configure a test Auth0 tenant as my IdP. I can get all the way to receiving the SAML Response from the IdP (both using the test HTML app in the docs and my own app as the POST redirect from the IdP). I’ve pored over the SSO docs on Auth0’s site, but couldn’t find anything that looked super specific to my use case.

Is it possible to accomplish what I am thinking in my second diagram? If not, what is the best solution to get the user from the SAML response?

I found this endpoint, but I am not sure if that is what I am looking for either. I will try it, though. (Authentication API Explorer)

Thanks!

Hey @davidhouseknechtdev, when Auth0 acts as the SAML SP, it should sit between your app and the IdP. The flow will look like this:

Note that for [1] the user doesn’t need to see Auth0’s login page. It would be an /authorize call to your Auth0 tenant and importantly it needs the query parameter connection=CONNECTION_NAME so Auth0 will immediately redirect to the IdP without showing a login page. You can use an Auth0 SDK to do the redirect - or build the /authorize URL by yourself. Won’t go into detail here since that’s a different topic - but hope you get an idea of the flow now.


Thanks for helping on this one Thameera!

Thanks @thameera, and yes, that flow will work perfectly for my needs. I was having trouble with configuring it to do that, though. After more debugging, I think I was getting tripped up with the “Try It Out” option on the SAML Authentication Connection menu. That was posting directly back to the “tester” page with the SAML response. I think if I try to build out the entire /authorize URL with the correct callback, it will work.

I will try that this weekend and post back here with my results.

Perfect! Let us know any other questions you have down the road!