In our platform we use Self Service SSO Enterprise configuration, so b2b customers can configure their own SSO to our platform.
When creating SSO Ticket (via auth0 npm package, but same for the api), we want to customize “Audience URI (SP Entity ID)” value. By default it’s:
urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME
and we want to modify it, to our own urn / url.
From the official docs ( Connect Your App to SAML Identity Providers - Auth0 Docs , Auth0 Support Center ) this can be done only:
- After a connection is created
- during connection creation, BUT it must be a “regular” connection, and not from the SSO ticket that was generated.
How can I make the Configure Single Sign On guide that our customers open when they want to configure SSO, to show my override of the default auth0 urn?
I cannot first create the connection via Create a connection - Auth0 Docs api, and then edit it, because the strategy is only chosen after I generate the sso ticket.
Thanks
Hi @eden.shaul
Welcome to the Auth0 Community!
Currently, the Auth0 SSO Ticket flow does not support passing a custom SP Entity ID (Audience URI) as a parameter when generating a generic, strategy-agnostic ticket. Because the Auth0-hosted wizard creates the connection on the fly, it defaults to the standard urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME .
When you call POST /api/v2/tickets/sso without providing a specific connection_id , Auth0 generates a generic wizard link.
- The customer opens the link and selects their Identity Provider strategy (e.g., SAML, Azure AD, Okta).
- The moment they select the strategy, the Auth0 backend dynamically creates the connection using standard defaults.
- The wizard then displays the configuration instructions using those defaults (including the standard
urn:auth0: Entity ID).
Because the connection generation is tightly coupled to the customer’s click inside the Auth0-hosted wizard, there is no intercept point for you to inject a custom entityId before the instructions are displayed to the customer. As you correctly pointed out, updating the connection after they complete the wizard is too late, as they will have already configured their IdP with the default URN.
SOLUTION:
To override the Audience URI shown in the setup guide, you must flip the order of operations. You need to create the connection yourself, apply your custom settings, and then generate the ticket for that specific connection.
-
Instead of sending the customer directly to a generic Auth0 SSO ticket, add a simple prompt in your own B2B dashboard: “Which SSO provider are you configuring? (SAML, OIDC, etc.)”
-
When the user selects their strategy (e.g., SAML), your backend immediately calls the Management API (POST /api/v2/connections ) to create the connection.
3.Take the id of the newly created connection and pass it into your SSO ticket request:
{
"connection_id": "con_1234567890",
"enabled_clients": ["YOUR_CLIENT_ID"]
}
- When your customer opens the new SSO ticket link, Auth0 recognizes that the connection already exists. It skips the strategy selection screen, drops them directly into the configuration instructions, and correctly displays your pre-configured, custom Audience URI.
Let me know if I can help out with any other questions.
Kind Regards,
Nik