Auth0 Home Blog Docs

Social connect users vs enterprise connect users

Hi,

Problem - I have been looking at Auth0 docs a lot to clearly understand about how users are categorized into Social connect vs Enterprise connect users (the bill aspect for these 2 types of users is different) but can not see a clear distinction so far except my assumption that users coming from Social connect are not enterprise users.

My use case - To accommodate the users of one of our partners to log into our app (Single sign on for our partner’s users). Our partner’s IdP is OpneID Connect compliant.

What did I find so far - Technically, in Auth0, it should be possible to just create a new Custom Social Connect by using their extension (https://auth0.com/docs/extensions/custom-social-extensions) but there is also an option to use OpenID Connect in Auth0’s enterprise connect, which confuses me about which Identity providers are considered social and which ones are considered enterprise.

Why am I looking for this info? - We may not be able to pay for all those users at enterprise user level pricing.

Appreciate any pointers to the information available out there in the docs or sharing of your own.

Thanks a lot in advance,

  • Ravi

OIDC Enterprise is a fairly new offering, making the configuration of such easier than with the Custom Social Connection extension. But basically they’re fulfilling a similar purpose. If the Custom Social Connection extension works fine for you, then you can use it as well.

OIDC Enterprise

  • part of the Auth0 core product
  • supports OIDC Discovery, easier setup
  • allows to add custom icon to the connection button on the login page
  • no client secret needed
  • requires at least openid scope
  • counts as Enterprise connection (pricing-wise, as of today) <-- which is what you’re asking for

Custom Social Connection

  • not part of the Auth0 core product, but an extension
  • allows to add custom headers
  • allows full control over the “Fetch user profile script”
  • does not require openid scope, can therefore be just a plain oauth2 connection
  • doesn’t count as Enterprise connection (pricing-wise, as of today) <-- which is what you’re asking for

Our partner’s IdP is OpenID Connect compliant. What did I find so far - Technically, in Auth0, it should be possible to just create a new Custom Social Connect by using their extension

So, to answer your question: yes, you are right.

Hi @mathiasconradt,

It is still unclear to me why something like a GSuite falls under Enterprise connection if we can also use it as a normal Social connection. This is, I set up a Google Social connection that uses the client ID and secret information from a Google Apps connected to the GSuite we own, and it just works.

Hi @valerio.battaglia,
GSuite is titled “G Suite: Collaboration & Productivity Apps for Business” so it’s obviously a business product / targeted for Enterprises (employees), rather than consumers. That’s the reason it’s under Enterprise Connections.
Sure, if it works with a regular social connection for your use case, that’s fine to use.

Okay, great to hear that @mathiasconradt. So we can sort of limit the Google Social Connection to login only users of our GSuite by hooking them together.
This question that pops in my mind now is, what exactly are the differences between the Google Social Connection and the GSuite Enterprise Connection? What benefits / cons would you have by using one or the other?

Three that come to my mind right now:

(1)
GSuite connections offers this optional flag Sync user profile attributes at each login to be disabled, so that it only syncs attributes once (at first login).

(2)
Another benefit is that you can define “Domain Aliases” in the configuration, which allows for Home Real Discovery.

https://auth0.com/docs/libraries/lock/v11/selecting-the-connection-for-multiple-logins:

Selecting the appropriate Identity Providers from multiple options is called “Home Realm Discovery”.

(3)
GSuite connection allows for extended attributes like groups (isDomainAdmin, isAccountSuspended, agreedToTerms) to be synced, which aren’t in the regular social connection.