I have a scenario where the identity provider and service provider are external to Auth0, but the users of the service provider are managed in Auth0. I would appreciate some guidance and best practices here to see if I should be looking at the Management API v2 and/or the Authentication API for the service provider to federate incoming users into Auth0 after a successful SAML authentication has taken place.
When it comes to authenticating end users, the API you should focus on is the Authentication API; however, the Management API may be used to perform the initial configuration required to meet the requirements of your scenario. For example, you could use the Management API to create the connection that would represent the external identity provider, but the Management API is in most cases optional because you can also configure connections in the Auth0 Dashboard.
In other words, in order to provide more concrete recommendations, additional information is required. From what is available, I would say that:
you need to create a connection to represent the external identity provider (this may be a SAML connection, ADFS, or another type).
you need to create an application to represent the service provider.
This would then allow the service provider to initiate an authentication request (Authentication API) to the Auth0 tenant, which would handle the interaction with the external identity provider (if needed) and then provide an authentication response to the service provider. In this situation, the service provider would have very little knowledge of the upstream identity providers, as authentication would always happen through the Auth0 tenant, independently of the final identity provider used by the end user.
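The setup described in the answer above, as an added example that is not part of the original thread and not Auth0's own code: the two one-time Management API v2 calls (create the `samlp` connection for the external IdP, create the application for the external SP) and the Authentication API `/authorize` request the SP then sends, pinned to that connection. The tenant domain, client credentials, IdP endpoint and certificate are placeholders; the request-body field names follow the Management API v2 connection and client schemas as I know them and should be checked against the current API reference before use. The `configure_tenant` function makes network calls; everything else is pure and runs offline.

```python
"""Added example (not from the original thread): brokering an external SAML IdP
and an external service provider (SP) through an Auth0 tenant.

Assumptions: AUTH0_DOMAIN, client ids/secrets, the IdP sign-in URL and the
IdP signing certificate are placeholders supplied by the reader.
"""
import base64
import hashlib
import hmac
import json
import secrets
import urllib.parse
import urllib.request

AUTH0_DOMAIN = "example.auth0.com"  # placeholder tenant domain


def saml_connection_payload(name, sign_in_endpoint, signing_cert_pem, enabled_clients):
    """Body for POST /api/v2/connections: a SAML (strategy 'samlp') connection
    representing the external identity provider. The IdP certificate is what
    Auth0 uses to verify the signature on incoming SAML assertions."""
    return {
        "name": name,
        "strategy": "samlp",
        "enabled_clients": list(enabled_clients),  # which apps may use this IdP
        "options": {
            "signInEndpoint": sign_in_endpoint,
            "signingCert": signing_cert_pem,
            "signatureAlgorithm": "rsa-sha256",
            "digestAlgorithm": "sha256",
        },
    }


def sp_application_payload(name, callback_urls):
    """Body for POST /api/v2/clients: the application representing the SP.
    Only the listed callbacks may receive authorization codes."""
    return {
        "name": name,
        "app_type": "regular_web",
        "callbacks": list(callback_urls),
        "grant_types": ["authorization_code"],
    }


def management_token(domain, client_id, client_secret):
    """Client-credentials grant for a Management API token (network call)."""
    body = json.dumps({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": f"https://{domain}/api/v2/",
    }).encode()
    req = urllib.request.Request(f"https://{domain}/oauth/token", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def configure_tenant(domain, token, idp_sign_in_url, idp_cert_pem, sp_callback):
    """One-time setup: create the SP application first so the connection can be
    enabled for it. Returns the new client id and connection name."""
    def post(path, payload):
        req = urllib.request.Request(
            f"https://{domain}/api/v2/{path}", data=json.dumps(payload).encode(),
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    app = post("clients", sp_application_payload("external-sp", [sp_callback]))
    conn = saml_connection_payload("external-idp", idp_sign_in_url, idp_cert_pem,
                                   [app["client_id"]])
    post("connections", conn)
    return app["client_id"], conn["name"]


def build_authorize_request(domain, client_id, redirect_uri, connection):
    """The Authentication API request the SP sends. 'connection' pins the login
    to the external IdP; state and PKCE protect the SP's callback."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "connection": connection,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{domain}/authorize?" + urllib.parse.urlencode(params), state, verifier


def parse_callback(callback_url, expected_state):
    """Validate Auth0's response at the SP callback before the code exchange."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    got_state = query.get("state", [""])[0]
    if not hmac.compare_digest(got_state, expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed response")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]
```

The SP never talks to the SAML IdP: it only sends the `/authorize` request and validates the `state` on the callback, then exchanges the code (with the PKCE verifier) at `/oauth/token`. Auth0 does the SAML exchange and assertion verification against the certificate configured on the connection.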