Hide or Remove CDN Endpoint "https://cdn.auth0.com/client/{client_id}"

Problem statement

Before an application is switched to the Universal Login flow, the browser makes a network call to the following endpoint, which exposes the application's SSO connections and, for enterprise connections, their associated IdP domains:

https://cdn.auth0.com/client/{client_id}

After switching to the Universal Login flow this call no longer appears in the browser's network tab, but the URL itself is still publicly available to anyone who knows the client ID. Note that the client ID is not a secret: it appears in every /authorize request the application makes.

Solution

The "cdn" in the hostname shows that this endpoint is served from a Content Delivery Network.

A Content Delivery Network (CDN) is a geographically distributed group of servers that caches content close to end users. It allows for the quick transfer of assets needed for loading Internet content, including HTML pages, JavaScript files, stylesheets, images, and videos.

Because the file at this URL is a static asset that the CDN serves to any browser that requests it, it is not possible to disable or hide the public CDN endpoint "https://cdn.auth0.com/client/{client_id}". What can be controlled is how much information the file contains.

A tenant setting, Enable Publishing of Enterprise Connections Information with IdP domains, controls the scope of information published by this endpoint. Two features depend on it: Home Realm Discovery and Auth0 Lock. Both rely on this public file to look up enterprise connection information (for example, to map a user's email domain to its enterprise connection). If neither feature is in use, the setting can safely be turned off.

  1. Log in to the dashboard.
  2. Navigate to Settings.
  3. Click the Advanced tab.
  4. Scroll down to the Migrations section.
  5. If the option Enable Publishing of Enterprise Connections Information with IdP domains is present for this tenant, toggle it to the Off position.

For more information, refer to Settings (Advanced).

  • When this setting is enabled, the list of IdP domains for enterprise connections is published in the file.
  • When this setting is disabled, the list of IdP domains is excluded from the file.

It is recommended to evaluate the impact of changing this setting by first disabling it in a development tenant and confirming that login still works for all applications.

If the setting Enable Publishing of Enterprise Connections Information with IdP domains is disabled, the list of IdP domains will not be published. However, the list of connections will still be available on the endpoint.

NOTE: A remaining concern is that a connection name may itself identify a specific customer. For example, a customer called "Acme Tech" might be assigned a connection called "acme-saml". A connection cannot be renamed once it has been created.
If exposing this type of information is deemed undesirable, the only option is to create a new 'anonymous' connection whose name does not identify the customer (e.g. "xyz-saml"). Once that connection has been tested and the required applications have been configured to use it, the old "acme-saml" connection can be deleted.
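The following script is an added example, not Auth0 code, for verifying what the endpoint actually publishes about a tenant before and after the setting is toggled, and for spotting connection names that identify a customer. It assumes the endpoint returns a JavaScript file of the form `Auth0.setClient({...});` whose JSON carries a `strategies` list, each entry holding a `connections` list, with enterprise connections exposing `domain` and `domain_aliases` while publishing is enabled; that response shape is an assumption made here for illustration, and the embedded sample response is constructed, not captured from a real tenant.

```python
"""Audit what https://cdn.auth0.com/client/{client_id} publishes about a tenant.

Added example, not Auth0 code. Assumption: the endpoint returns JavaScript of
the form `Auth0.setClient({...});` whose JSON has a `strategies` list, each with
a `connections` list; enterprise connections carry `domain` and `domain_aliases`
while "Enable Publishing of Enterprise Connections Information with IdP domains"
is On.
"""
import json
import re
import sys
import urllib.request

# Constructed sample response (not from a real tenant): one database connection,
# one social connection and one enterprise SAML connection whose customer domain
# is still published because the tenant setting is On.
SAMPLE_RESPONSE = (
    'Auth0.setClient({"id":"EXAMPLE_CLIENT_ID","tenant":"example-tenant",'
    '"strategies":['
    '{"name":"auth0","connections":[{"name":"Username-Password-Authentication"}]},'
    '{"name":"google-oauth2","connections":[{"name":"google-oauth2"}]},'
    '{"name":"samlp","connections":[{"name":"acme-saml","domain":"acme.example",'
    '"domain_aliases":["acme.example","acme-tech.example"]}]}'
    ']});'
)

_WRAPPER = re.compile(r"^\s*Auth0\.setClient\((.*)\);?\s*$", re.DOTALL)
_CLIENT_ID = re.compile(r"[A-Za-z0-9]+")  # keep the client ID out of the URL path unless it looks sane


def parse_client_file(body: str) -> dict:
    """Strip the JSONP-style wrapper and return the embedded JSON object."""
    match = _WRAPPER.match(body)
    if not match:
        raise ValueError("response does not look like Auth0.setClient({...})")
    return json.loads(match.group(1))


def exposed_connections(client_info: dict) -> list[dict]:
    """One record per connection: strategy, connection name and any published domains."""
    records = []
    for strategy in client_info.get("strategies", []):
        for conn in strategy.get("connections", []):
            domains = []
            if conn.get("domain"):
                domains.append(conn["domain"])
            domains.extend(d for d in conn.get("domain_aliases", []) if d not in domains)
            records.append({"strategy": strategy.get("name"),
                            "name": conn.get("name"),
                            "domains": domains})
    return records


def published_domains(client_info: dict) -> set[str]:
    """All IdP domains visible in the file; expected to be empty once the setting is Off."""
    return {d for rec in exposed_connections(client_info) for d in rec["domains"]}


def fetch_client_file(client_id: str) -> str:
    """Download the live file for a client ID (network access required)."""
    if not _CLIENT_ID.fullmatch(client_id):
        raise ValueError("client ID must be alphanumeric")
    url = f"https://cdn.auth0.com/client/{client_id}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def report(client_info: dict) -> str:
    """Human-readable table of what the file reveals; connection names stay visible regardless."""
    lines = [f"tenant: {client_info.get('tenant')}"]
    for rec in exposed_connections(client_info):
        doms = ", ".join(rec["domains"]) or "(no domains published)"
        lines.append(f"  {str(rec['strategy']):<14} {str(rec['name']):<36} {doms}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a client ID to audit a real tenant; otherwise the constructed sample is used.
    body = fetch_client_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    info = parse_client_file(body)
    print(report(info))
    if published_domains(info):
        print("IdP domains are published: consider turning the tenant setting Off.")
```

Run it once with the setting On and once after turning it Off: the domain column should empty out, while the connection names (the "acme-saml" case from the note above) remain, which is exactly why a neutral connection name is the only remedy for that part.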

Related References