Auth0 Home Blog Docs

How do we authenticate our partners users without them implementing a SAML IdP?

saml
sso
authentication
sso-integration

#1

I’m evaluating Auth0 as an SSO solution for authenticating users that come from our partners (we are acting as a Service Provider).

Our partners don’t have the technical capacity to do a SAML IdP implementation. Does Auth0 provide a way to authenticate these users without our partners having to implement an IdP?

I see that there are custom connectors, but I’m not sure if they’re intended to serve this purpose.


#2

Besides the possibility of integrating them using a SAML IdP, you can also integrate them through a custom social connection. This would imply that your partners would have to have an OAuth2 implementation. Although there’s still a requirement, it’s arguable easier to have an OAuth2 implementation than a SAML one.

For more information about the above option check:

As an additional alternative to all of the above it’s also possible to configure custom database connections. In this situation, although the connection type refers to a database, it’s not strictly necessary that an actual typical database exists.

For example, if your partners provide an HTTP API that can validate a username and password credentials associated to their users you would be able to implement a custom database connection that calls into this API in order to authenticate the user. Have in mind that with custom database connection you would most likely have to have additional work on your side because now you would need to know ahead of time which connection does the user authenticate to.


#3

The HTTP Auth option is interesting because it would be quite simple to onboard a new partner. A few questions:

  1. A requirement is to allow a user that’s authenticated on our partners site to access our site without logging in again. With HTTP Auth it sounds like they’ll need to login again when they reach our website. Is it possible to do silent authentication in this case?

  2. How would we pull user profile information from our partner for a user that’s authenticated via HTTP Auth?

I’m currently evaluating various SSO providers and Auth0 looks promising, so your help is appreciated.


#4

The HTTP Auth option is interesting because it would be quite simple to onboard a new partner. A few questions:

  1. A requirement is to allow a user that’s authenticated on our partners site to access our site without logging in again. With HTTP Auth it sounds like they’ll need to login again when they reach our website. Is it possible to do silent authentication in this case?

  2. How would we pull user profile information from our partner for a user that’s authenticated via HTTP Auth?

I’m currently evaluating various SSO providers and Auth0 looks promising, so your help is appreciated.


#5
  1. Given that your partners would not be authenticating through the Auth0 custom database connection when doing login on their own site the SSO would not be feasible for this alternative. You could indeed have SSO if they provided an OAuth2/OIDC implementation.
  2. Pulling user information would again be subject to them making an endpoint available for that purpose.

To really leverage all the built-in features of an authentication service the recommended approach would for your providers to support a standard protocol, either SAML or OAuth2/OIDC.


#6