SSO between two applications implies that the user identity is validated and maintained by an additional system, generally referred to as the identity provider (IdP). This would allow for the following flow:
- User X accesses App K which asks the IdP to validate the identity of the user.
- The IdP validates the identity of the user, for example, by requesting a username and password.
- The IdP returns an assertion/token to App K proving the identity of the user.
- User X accesses App L which asks the IdP to validate the identity of the user.
- The IdP already has an active session for this user so it immediately returns an assertion/token to App L proving the identity of the user.
The above means the user accesses two applications while only having to actively authenticate one time.
In your specific scenario App K is your own application, App L is Tableau Server and the IdP will be your Auth0 account. The implementation will then be constrained by what the client applications expect:
- Tableau Server expects that the IdP sends a SAML assertion containing an attribute that uniquely identifies the user and also matches a user already configured at Tableau itself.
- Your application will also expect certain requirements, but you did not mention them.
In order to achieve the above, one possibility would be the following:
- create a database connection in Auth0 to represent the end-users; you could consider configuring it as a custom database if you already have user credentials at your own store and you’re not interested in forcing users to reset their passwords.
- configure a client application to represent Tableau; this would use the SAML addon so that Auth0 would know that it should send a SAML assertion to Tableau. You would have to configure the addon in accordance with Tableau's requirements, so you would need to check their docs.
- configure a client application to represent your own application; you would have to implement authentication for your client application also through Auth0 (in order to get SSO), but you could use a different authentication protocol like OpenID Connect instead of SAML.
In relation to your questions, you can completely disable welcome and verification emails from being sent from your Auth0 account, so this would allow you to provide emails for your users without having to worry about emails being sent. If you used a custom database, the same set of users already available in your store would be the ones allowed to log in. If you used a normal database connection you would need to create the users in Auth0 so that the process is transparent to the end-users, but you could do this in one go through the Management API.
The biggest challenges would be that usernames are not case-sensitive and, to my knowledge, this is not configurable. In addition, the email is required, so if you don't have your users' emails in your store this would also require some consideration.
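As an added example (not part of the answer above, and not Auth0's own code), the script below prepares a bulk user import from an existing user store along the lines the answer describes: it lowercases usernames so that local accounts which differ only by case are detected before they collide in Auth0, and it sets aside accounts with no email on record, since email is required. The import object fields ("email", "email_verified", "username") and the Management API endpoint `POST /api/v2/jobs/users-imports` with a `connection_id` field and a `users` file are assumptions from my reading of the Auth0 bulk import feature; check them against the current Auth0 docs. The sample user store is constructed for the example, and nothing is sent over the network.

```python
"""Prepare an Auth0 bulk user import from an existing user store (added example).

Assumptions (verify against current Auth0 docs): the bulk import format is a
JSON array of objects with "email", "email_verified" and "username", and the
Management API endpoint is POST /api/v2/jobs/users-imports taking a
"connection_id" form field and a "users" file. The user store below is
constructed sample data, not real accounts.
"""
import json

# Constructed sample of a local user store (not real data).
LOCAL_USERS = [
    {"username": "Alice", "email": "alice@example.com"},
    {"username": "alice", "email": "alice.other@example.com"},  # differs only by case
    {"username": "bob", "email": None},                          # no email on record
    {"username": "carol", "email": "Carol@Example.com"},
]


def normalize_username(username):
    """Auth0 matches usernames case-insensitively, so compare local accounts
    on a lowercased form to find the ones that would collide after import."""
    return username.strip().lower()


def build_import_payload(local_users):
    """Return (users, problems).

    users    -> list of import objects for accounts that can be imported as-is.
    problems -> list of (username, reason) for accounts that need attention:
                "missing_email" (email is required) or "case_collision"
                (another local username differs from it only by case).
    """
    by_norm = {}
    for rec in local_users:
        by_norm.setdefault(normalize_username(rec["username"]), []).append(rec)

    users, problems = [], []
    for norm, group in by_norm.items():
        if len(group) > 1:
            # Every member of the group is reported; a human must decide which
            # one keeps the name, so none of them is imported automatically.
            for rec in group:
                problems.append((rec["username"], "case_collision"))
            continue
        rec = group[0]
        if not rec.get("email"):
            problems.append((rec["username"], "missing_email"))
            continue
        users.append({
            "email": rec["email"].strip().lower(),
            # Assumed import field: marking the address verified avoids a
            # verification step for accounts that already exist in your store.
            "email_verified": True,
            "username": norm,
        })
    return users, problems


def build_import_request(domain, mgmt_token, connection_id, users):
    """Describe the Management API call without sending it (stays offline).

    Returns the pieces an HTTP client such as `requests` would take:
    requests.post(url, headers=headers, data=data, files=files)
    The endpoint and field names are assumptions noted at the top.
    """
    payload = json.dumps(users).encode()
    return {
        "url": f"https://{domain}/api/v2/jobs/users-imports",
        "headers": {"Authorization": f"Bearer {mgmt_token}"},
        "data": {"connection_id": connection_id},
        "files": {"users": ("users.json", payload, "application/json")},
    }


if __name__ == "__main__":
    ready, issues = build_import_payload(LOCAL_USERS)
    print(json.dumps(ready, indent=2))
    for username, reason in issues:
        print(f"needs attention: {username!r} ({reason})")
```

With the constructed store only "carol" is importable: the two "Alice"/"alice" records are flagged as a case collision and "bob" as missing an email, which are exactly the two points the answer warns about.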