Problem Statement
How do you set up SAML between Okta and Auth0, with Okta as the Identity Provider (IdP) and Auth0 as the Service Provider (SP)?
Solution
Here are the steps to create a generic SAML Enterprise connection between Okta (the IdP) and Auth0 (the SP):
Okta Side Setup
- Sign in to the Okta Developer Console
- Go to Create App Integration and choose SAML 2.0 as the sign-in method
- In Single sign on URL, enter the Auth0 tenant's login callback URL: https://YOUR_DOMAIN/login/callback?connection=YOUR_CONNECTION_NAME. This is the Assertion Consumer Service (ACS) URL that Okta will POST the SAML response to.
- YOUR_CONNECTION_NAME must be exactly the name given to the SAML Enterprise connection on the Auth0 side (see below); Auth0 uses the connection query parameter to route the response to the right connection
- If a custom domain has been configured for the tenant, use the custom domain for YOUR_DOMAIN, not the default Auth0 domain
- Set the Audience URI (SP Entity ID) to urn:auth0:YOUR_TENANT_NAME:YOUR_CONNECTION_NAME, where YOUR_TENANT_NAME is the tenant name only (not the full tenant domain). Auth0 checks the Audience in Okta's assertion against this value, so it must match exactly.
- Click Next and then Finish to complete the Okta application setup
- When finished, Okta opens the Sign On tab of the newly created app.
- Click View SAML setup instructions. Note the Identity Provider Single Sign-On URL, which looks like https://OKTA_TENANT_DOMAIN.okta.com/app/…/…/sso/saml, and download the X.509 Certificate; both are needed when configuring the Auth0 SAML connection below. Auth0 uses this certificate to verify the signature on Okta's SAML responses, so make sure you download the certificate shown for this app.
- Under Assignments, assign at least one test user to the Okta application; only assigned users can sign in through it.
Auth0 Side Setup
- Log in to the Auth0 Dashboard
- Navigate to Authentication > Enterprise
- Click the + next to SAML
- Set the Connection Name to the exact name used in the Okta application's Single sign on URL (the connection parameter) and Audience URI
- Set the Sign In URL to the Identity Provider Single Sign-On URL from Okta's View SAML setup instructions, e.g. https://OKTA_TENANT_DOMAIN.okta.com/app/…/…/sso/saml
- Upload the X.509 Certificate downloaded from the Okta View SAML setup instructions screen described above
- Click Save Changes at the bottom of the screen
- On the Applications tab, enable the toggle for each application that should be able to log in through this connection
- The setup is now complete. Test it from Dashboard > Authentication > Enterprise > SAML > <connection name>: open the three-dot menu on the right and click Try, then sign in as the user assigned to the app in Okta.
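The values that must agree between the two consoles (callback URL, connection name, Audience URI, Okta Sign In URL, certificate) are easy to mistype, and a mismatch only surfaces as a failed login after Okta has authenticated the user. The following is an added example, not part of the original article or of any Okta or Auth0 tooling: a small Python helper that derives the Okta-side values from the Auth0 tenant details and checks what was entered on both sides before you click Try. The tenant name example-tenant, connection name okta-saml, custom domain login.example.com and the certificate bytes in the usage section are constructed placeholders.

```python
"""Derive and sanity-check the values shared between an Okta SAML app and an Auth0 SAML connection.

Added example; the placeholder tenant, connection and domain names are assumptions, not real values.
"""
import base64
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Auth0SamlSp:
    """The Auth0 side of the connection (Auth0 is the SP here)."""
    tenant_name: str      # tenant name only, e.g. "example-tenant", never the full tenant domain
    connection_name: str  # the Auth0 Enterprise SAML connection name
    domain: str           # custom domain if one is configured, otherwise the default tenant domain

    def single_sign_on_url(self) -> str:
        """Value for Okta's 'Single sign on URL' (the ACS URL Okta POSTs the SAML response to)."""
        return f"https://{self.domain}/login/callback?connection={self.connection_name}"

    def audience_uri(self) -> str:
        """Value for Okta's 'Audience URI (SP Entity ID)'."""
        return f"urn:auth0:{self.tenant_name}:{self.connection_name}"


def check_okta_app_settings(sp: Auth0SamlSp, sso_url_entered: str, audience_entered: str) -> list[str]:
    """Compare what was typed into the Okta app with what the Auth0 connection expects.

    Returns a list of problems; an empty list means the Okta side is consistent with Auth0.
    """
    problems = []
    p = urlparse(sso_url_entered)
    if p.scheme != "https":
        problems.append("Single sign on URL must use https")
    if p.netloc != sp.domain:
        problems.append(f"Single sign on URL host is {p.netloc!r}, expected {sp.domain!r} (custom domain?)")
    if p.path != "/login/callback":
        problems.append("Single sign on URL path must be /login/callback")
    conn = parse_qs(p.query).get("connection", [])
    if conn != [sp.connection_name]:
        problems.append(f"connection query parameter {conn} does not match {sp.connection_name!r}")
    if audience_entered != sp.audience_uri():
        problems.append(f"Audience URI {audience_entered!r} does not match {sp.audience_uri()!r}")
    return problems


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def check_idp_inputs(sign_in_url: str, cert_pem: str) -> list[str]:
    """Sanity-check the two values copied from Okta's 'View SAML setup instructions'.

    Auth0 verifies the signature on Okta's SAML response with this certificate, so a
    mangled upload shows up later as a signature failure; catch the obvious cases here.
    """
    problems = []
    p = urlparse(sign_in_url)
    if p.scheme != "https":
        problems.append("Sign In URL must use https")
    if not p.path.endswith("/sso/saml"):
        problems.append("Okta IdP SSO URL normally ends with /sso/saml; check you copied the right value")
    m = PEM_RE.search(cert_pem)
    if not m:
        problems.append("certificate is not a PEM block with BEGIN/END CERTIFICATE markers")
        return problems
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        problems.append("certificate body is not valid base64")
        return problems
    # A DER-encoded X.509 certificate always starts with a SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        problems.append("decoded certificate is not a DER SEQUENCE (not an X.509 certificate)")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values for a tenant that uses a custom domain.
    sp = Auth0SamlSp(tenant_name="example-tenant", connection_name="okta-saml", domain="login.example.com")
    print("Okta Single sign on URL:", sp.single_sign_on_url())
    print("Okta Audience URI:      ", sp.audience_uri())
    # Common mistake: the default tenant domain was typed into Okta instead of the custom domain.
    typed = "https://example-tenant.us.auth0.com/login/callback?connection=okta-saml"
    print(check_okta_app_settings(sp, typed, sp.audience_uri()))
    # Constructed minimal DER SEQUENCE standing in for a real certificate body.
    fake_pem = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----"
    print(check_idp_inputs("https://dev-000000.okta.com/app/app/id/sso/saml", fake_pem))
```

Run it with the real tenant name, connection name and domain; the host check is what catches the custom-domain mistake from the Okta steps above, and the connection and Audience checks catch a connection name that differs between the two consoles.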