Set Up SSO for an Auth0 Sample App With Okta as IdP

Overview

This document provides the steps to set up Single Sign-On (SSO) for an application built on Auth0 that uses Okta as the identity provider (IdP). The instructions use a sample Node.js Express web app to demonstrate the setup; Auth0 acts as the service provider (SP) towards Okta.

The following should be possible by the end of the setup process.

  1. Log into the app by visiting the application endpoint and authenticating with Okta credentials (SP-initiated flow)
  2. Log into the app by logging into Okta first and then clicking the application tile (IdP-initiated flow)

Applies To

  • Single Sign-On
  • Okta IdP
  • Auth0 SP

Solution

Pre-requisites:

  1. Environment to build and host a simple Node.js Express application
  2. Auth0 tenant (the test application's login will be hosted in this tenant)
  3. Sample app (hosted locally)
  4. Okta org

SSO Using SAML:

AUTH0 TENANT

  1. Log into the Auth0 tenant and create a new application, choosing the Regular Web Applications type.
  2. Download the sample Node.js application and run the following command to start it. The application should start on port 3000; visit http://localhost:3000 to verify.

npm install && npm start

OKTA TENANT

  1. Go to the Okta Admin Console and create a new SAML 2.0 app integration from the Applications page.

  2. Provide a name for the application, for example AUTH0-SAML-SSO-APP.

  3. Open the Auth0 documentation page Configure Okta as SAML Identity Provider, copy the example values for Single Sign-On URL and Audience URI, and paste them into the Configure SAML page in Okta. Replace {yourAuth0Domain} with your Auth0 tenant domain, and replace {yourAuth0ConnectionName} with the name you will later give the enterprise SAML connection in Auth0. The connection name must match exactly in both places: Auth0 uses the connection query parameter on the Single Sign-On (ACS) URL to route the SAML response to the right connection, and the Audience URI is checked against the connection as well.

  4. Under Attribute Statements, add basic mappings from the Okta user profile (for example the user's email, first name and last name). These attributes let Auth0 build a basic user profile for the federated user.

  5. Keep the remaining default settings, finish creating the app, and click Save.

  6. Create a new user in Okta and assign the new SAML app to that user.

AUTH0 TENANT

  1. Go to Authentication > Enterprise and create a new SAML enterprise connection.
  2. Name the connection exactly as the {yourAuth0ConnectionName} value you used in the Okta Single Sign-On URL and Audience URI.
  3. In Okta, open the SAML setup instructions on the app's Sign On tab, copy the Identity Provider Single Sign-On URL, and paste it into the Sign In URL box of the Auth0 connection.
  4. Download the signing certificate from the same Okta page and upload it to Auth0 as the X.509 Signing Certificate. Auth0 uses this certificate to verify the signature on Okta's SAML responses, so a login will fail until the certificate matches the one Okta signs with.
  5. Under the Login Experience tab of the SAML connection settings, enable Display connection as a button and provide a value for Button Display Name, for example Log in with Okta.
  6. Under the Applications tab of the SAML connection settings, enable the connection for the application you created in the Auth0 tenant.
  7. Visit http://localhost:3000 and click Login. You should be redirected to the Auth0 login page with the Okta button. After providing valid credentials for the Okta user you created, you should be logged into the app.

IDP Initiated SSO Setup

AUTH0 TENANT

  1. Navigate to Authentication > Enterprise and open the SAML connection you created above.
  2. Under the IdP-Initiated SSO tab, select Accept Requests and choose the application you created in the Auth0 tenant as the Default Application. Because an IdP-initiated SAML response is unsolicited from the application's point of view, the pattern used here is to let Auth0 consume that response and then have the application start its own SP-initiated login, rather than accept the IdP-initiated result directly.
  3. Select OpenID Connect as the Response Protocol and save the changes.
  4. Open the routes file of the sample app (index.js) and add the following route next to the existing ones:
router.get('/idpLogin', function (req, res, next) {
  // Auth0 redirects the browser here after processing the IdP-initiated SAML
  // response. Rather than consuming that result directly, send the browser to
  // the sample app's own /login route (provided by express-openid-connect),
  // which starts a normal SP-initiated OIDC flow with Auth0.
  res.redirect('/login');
});
  5. Go to the application's settings page in Auth0 and add the following values to Allowed Callback URLs:
http://localhost:3000/idpLogin?connection=saml-okta-test-connection,http://localhost:3000/callback?connection=saml-okta-test-connection
  6. Restart the sample application.
  7. Log into the Okta tenant as the user you created and click the application tile to initiate SSO.
  8. The user should be logged into the application.
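The /idpLogin route above simply bounces the browser to /login, which lands on the Auth0 login page and leaves it to the user to pick the Okta button. The following handler is an added example, not code from the Auth0 sample app or from this article: it reads the connection name Auth0 appends to the callback, rejects anything that is not on an allowlist, and passes the accepted name to express-openid-connect's res.oidc.login() with authorizationParams so the SP-initiated flow goes straight to the Okta connection. The allowlisted name saml-okta-test-connection matches the example callback URL used above; the function names and the allowlist are assumptions for illustration.

```javascript
// Added example for the IdP-initiated step (not code from the Auth0 sample app).
// Validates the connection name Auth0 appends to the callback URL, then starts a
// fresh SP-initiated OIDC login for that connection via express-openid-connect.

// Connections this app is willing to log in through. The name is an assumption
// that matches the example callback URL used in this article.
const ALLOWED_CONNECTIONS = new Set(['saml-okta-test-connection']);

// Return the allowlisted connection name from the parsed query string, or null
// when the parameter is missing, repeated (Express parses ?a=1&a=2 as an array)
// or not on the allowlist. Rejecting unknown values keeps a crafted query string
// from steering the login to a connection this app did not intend to use.
function resolveConnection(query, allowed = ALLOWED_CONNECTIONS) {
  const value = query ? query.connection : undefined;
  if (typeof value !== 'string') return null;
  return allowed.has(value) ? value : null;
}

// Options for express-openid-connect's res.oidc.login(): return to the app root
// after login and ask Auth0 to use the given connection directly, so the user is
// sent straight to Okta instead of being shown the connection button.
function loginOptionsFor(connection) {
  return {
    returnTo: '/',
    authorizationParams: { connection },
  };
}

// Route handler factory. Mount it in the sample app's routes file as:
//   router.get('/idpLogin', idpLoginHandler());
// The IdP-initiated SAML response is consumed by Auth0, not by this app; the app
// only ever completes an OIDC flow it started itself, with state and nonce
// checked by express-openid-connect on /callback.
function idpLoginHandler(allowed = ALLOWED_CONNECTIONS) {
  return function (req, res) {
    const connection = resolveConnection(req.query, allowed);
    if (connection === null) {
      return res.status(400).send('Unknown or missing connection');
    }
    return res.oidc.login(loginOptionsFor(connection));
  };
}
```

With this handler the Allowed Callback URLs listed above still apply: Auth0 redirects to /idpLogin?connection=saml-okta-test-connection, the handler starts the OIDC flow, and the flow completes on /callback as in the SP-initiated case.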