SAML setup: Okta as IdP and Auth0 as SP

Problem Statement

How do you set up SAML between Okta and Auth0, with Okta acting as the Identity Provider (IdP) and Auth0 acting as the Service Provider (SP)?

Solution

OKTA SIDE SETUP:

  1. Sign in to the Okta Developer Console.
  2. Choose Create App Integration and select SAML 2.0 as the sign-in method.
  3. Set the Single sign-on URL to your Auth0 tenant's login callback URL, i.e. https://YOUR_DOMAIN/login/callback?connection=YOUR_CONNECTION_NAME. This is the Assertion Consumer Service (ACS) URL to which Okta will POST the SAML response. YOUR_CONNECTION_NAME is the name you will give the SAML Enterprise connection on the Auth0 side, so decide on it now and use it identically in both places. Note that if you use a custom domain with Auth0, YOUR_DOMAIN must be the custom domain, not the default Auth0 tenant domain.
  4. Set the Audience URI (SP Entity ID) to urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME, where YOUR_TENANT is the tenant name only (not the full tenant domain). Auth0 rejects assertions whose Audience does not match this value.
  5. Click Next and then Finish to complete the Okta application setup.
  6. On completion you are taken to the Sign On page of the newly created app. Click View SAML Setup Instructions. It shows the Identity Provider Single Sign-On URL, which looks like https://OKTA_TENANT_DOMAIN.okta.com/app/…/…/sso/saml, and the X.509 Certificate; download the certificate for upload into the Auth0 SAML connection later. Auth0 uses this certificate to verify the signature on assertions sent by Okta, so it must be the certificate Okta signs with, and the Auth0 connection must be updated whenever Okta rotates it.
  7. On the Assignments tab, assign at least one user to the Okta application; unassigned users cannot log in through it.

Auth0 SIDE SETUP:

  1. Go to Auth0 Dashboard > Authentication > Enterprise and click + next to SAML.
  2. Enter exactly the connection name you used in the Okta application for the Single sign-on URL and the Audience URI. If the names differ, Okta posts the response to a callback URL for a connection that does not exist and the login fails.
  3. Set the Sign In URL to the Identity Provider Single Sign-On URL from the Okta View SAML Setup Instructions page, which looks like https://OKTA_TENANT_DOMAIN.okta.com/app/…/…/sso/saml.
  4. Upload the X.509 Certificate downloaded from the Okta View SAML Setup Instructions page.
  5. Click Save Changes at the bottom of the screen.
  6. On the Applications tab, toggle on the applications that should be able to use this connection.
  7. The setup is now complete.
  8. To test it, go to Dashboard > Authentication > Enterprise > SAML > your connection name, hover over the three dots on the right and click Try Connection. A successful test shows the assertion attributes Auth0 received from Okta; a failure at this point usually means the connection name, Audience URI or certificate does not match between the two sides.
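As an added example that is not part of the original article, the following Python script derives the two values entered on the Okta side from the Auth0 tenant name, domain and connection name, and then checks a SAML Response in the shape Okta posts to the callback URL against that configuration: Destination and Recipient must equal the callback (ACS) URL, the Audience must equal the SP Entity ID, and the certificate carried in the assertion must match the one uploaded to Auth0. The tenant name `acme`, the domain `login.example.com`, the connection name `okta-saml`, the response XML and the certificate body are all constructed placeholders. The script does not verify the XML signature value itself, which needs an xmldsig library; it only confirms that the naming and the certificate agree on both sides.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Placeholders (assumptions for this example, not values from the article).
AUTH0_TENANT = "acme"               # tenant name only, no domain suffix
AUTH0_DOMAIN = "login.example.com"  # custom domain if one is configured
CONNECTION_NAME = "okta-saml"       # must be identical in Okta and Auth0

# Constructed stand-in for the X.509 certificate downloaded from Okta.
# The body is not a real certificate; it only needs to be valid base64.
UPLOADED_CERT_B64 = base64.b64encode(b"constructed DER bytes, not a real certificate").decode()
UPLOADED_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{UPLOADED_CERT_B64}\n-----END CERTIFICATE-----"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def auth0_sp_values(tenant: str, domain: str, connection: str) -> dict:
    """Values to paste into the Okta app: Single sign-on (ACS) URL and SP Entity ID."""
    return {
        "acs_url": f"https://{domain}/login/callback?connection={connection}",
        "entity_id": f"urn:auth0:{tenant}:{connection}",
    }


def cert_fingerprint(pem_or_b64: str) -> str:
    """SHA-256 fingerprint of a certificate given as PEM or as bare base64 DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem_or_b64)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def build_sample_response(acs_url: str, audience: str, cert_b64: str) -> str:
    """Constructed, minimal SAML Response in the shape Okta posts to the ACS URL.

    A real response carries a complete XML signature, more subject data and
    attribute statements; only the fields the check below reads are present."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="{acs_url}">
  <saml:Issuer>urn:example:okta-idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>urn:example:okta-idp</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{acs_url}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_text: str, expected: dict, uploaded_cert: str) -> list:
    """Return the list of fields that disagree with the Auth0 SP configuration.

    An empty list means Destination, Recipient, Audience and the signing
    certificate all match what was configured on both sides."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != expected["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        problems.append("SubjectConfirmationData/@Recipient != ACS URL")
    audience = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != expected["entity_id"]:
        problems.append("Audience != SP Entity ID")
    cert = root.find(".//ds:X509Certificate", NS)
    if cert is None or cert_fingerprint(cert.text or "") != cert_fingerprint(uploaded_cert):
        problems.append("signing certificate differs from the uploaded one")
    return problems


def demo() -> list:
    """Check a constructed response that matches the placeholder configuration."""
    expected = auth0_sp_values(AUTH0_TENANT, AUTH0_DOMAIN, CONNECTION_NAME)
    response = build_sample_response(expected["acs_url"], expected["entity_id"], UPLOADED_CERT_B64)
    return check_saml_response(response, expected, UPLOADED_CERT_PEM)


if __name__ == "__main__":
    print(auth0_sp_values(AUTH0_TENANT, AUTH0_DOMAIN, CONNECTION_NAME))
    print("problems:", demo())
```

To use it against a real login, base64-decode the SAMLResponse form field that the browser posts to /login/callback and pass that XML to `check_saml_response` with your own tenant, domain, connection name and the certificate you uploaded; each string in the returned list names the field that does not agree with the Auth0 connection, which separates a naming or certificate mismatch from a problem on the Okta side.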