This is a step-by-step guide on how to configure a working Security Assertion Markup Language (SAML) authentication between Auth0 as a Service Provider (SP) and SSOCircle as an Identity Provider (IdP). This type of authentication is also known as Single sign-on (SSO).

Auth0 side

  1. Go to Authentication -> Enterprise

    Authentication Enterprise

  2. Create a new SAML connection

    SAML

  3. Set the following fields:
    • Connection name: ssocircle (can be any name you want)
    • Sign In URL: https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/publicidp (can be found here)
    • X509 Signing Certificate (can be found here):
       -----BEGIN CERTIFICATE-----
       MIIEYzCCAkugAwIBAgIDIAZmMA0GCSqGSIb3DQEBCwUAMC4xCzAJBgNVBAYTAkRF
       MRIwEAYDVQQKDAlTU09DaXJjbGUxCzAJBgNVBAMMAkNBMB4XDTE2MDgwMzE1MDMy
       M1oXDTI2MDMwNDE1MDMyM1owPTELMAkGA1UEBhMCREUxEjAQBgNVBAoTCVNTT0Np
       cmNsZTEaMBgGA1UEAxMRaWRwLnNzb2NpcmNsZS5jb20wggEiMA0GCSqGSIb3DQEB
       AQUAA4IBDwAwggEKAoIBAQCAwWJyOYhYmWZF2TJvm1VyZccs3ZJ0TsNcoazr2pTW
       cY8WTRbIV9d06zYjngvWibyiylewGXcYONB106ZNUdNgrmFd5194Wsyx6bPvnjZE
       ERny9LOfuwQaqDYeKhI6c+veXApnOfsY26u9Lqb9sga9JnCkUGRaoVrAVM3yfghv
       /Cg/QEg+I6SVES75tKdcLDTt/FwmAYDEBV8l52bcMDNF+JWtAuetI9/dWCBe9VTC
       asAr2Fxw1ZYTAiqGI9sW4kWS2ApedbqsgH3qqMlPA7tg9iKy8Yw/deEn0qQIx8Gl
       VnQFpDgzG9k+jwBoebAYfGvMcO/BDXD2pbWTN+DvbURlAgMBAAGjezB5MAkGA1Ud
       EwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmlj
       YXRlMB0GA1UdDgQWBBQhAmCewE7aonAvyJfjImCRZDtccTAfBgNVHSMEGDAWgBTA
       1nEA+0za6ppLItkOX5yEp8cQaTANBgkqhkiG9w0BAQsFAAOCAgEAAhC5/WsF9ztJ
       Hgo+x9KV9bqVS0MmsgpG26yOAqFYwOSPmUuYmJmHgmKGjKrj1fdCINtzcBHFFBC1
       maGJ33lMk2bM2THx22/O93f4RFnFab7t23jRFcF0amQUOsDvltfJw7XCal8JdgPU
       g6TNC4Fy9XYv0OAHc3oDp3vl1Yj8/1qBg6Rc39kehmD5v8SKYmpE7yFKxDF1ol9D
       KDG/LvClSvnuVP0b4BWdBAA9aJSFtdNGgEvpEUqGkJ1osLVqCMvSYsUtHmapaX3h
       iM9RbX38jsSgsl44Rar5Ioc7KXOOZFGfEKyyUqucYpjWCOXJELAVAzp7XTvA2q55
       u31hO0w8Yx4uEQKlmxDuZmxpMz4EWARyjHSAuDKEW1RJvUr6+5uA9qeOKxLiKN1j
       o6eWAcl6Wr9MreXR9kFpS6kHllfdVSrJES4ST0uh1Jp4EYgmiyMmFCbUpKXifpsN
       WCLDenE3hllF0+q3wIdu+4P82RIM71n7qVgnDnK29wnLhHDat9rkC62CIbonpkVY
       mnReX0jze+7twRanJOMCJ+lFg16BDvBcG8u0n/wIDkHHitBI7bU1k6c6DydLQ+69
       h8SCo6sO9YuD+/3xAGKad4ImZ6vTwlB4zDCpu6YgQWocWRXE+VkOb+RBfvP755PU
       aLfL63AFVlpOnEpIio5++UjNJRuPuAA=
       -----END CERTIFICATE-----
      
    • Sign Out URL: https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/publicidp (can be found here)
    • Request Template (optional):
     <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
         @@AssertServiceURLAndDestination@@
         ID="@@ID@@"
         IssueInstant="@@IssueInstant@@"
         ProtocolBinding="@@ProtocolBinding@@" 
         Version="2.0">
         <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:auth0:YOUR_TENANT:ssocircle</saml:Issuer>
     </samlp:AuthnRequest>
    

    The Issuer is the Entity ID, the format can be found here.

  4. Click “Create”

  5. Go to the “Mappings” tab and put the following into the text area:
    {
      "email": "EmailAddress",
      "given_name": "FirstName",
      "family_name": "LastName"
    }
    
  6. Go to the “Login Experience” tab

  7. Login Experience Customization -> Home Realm Discovery -> Identity Provider domains: <YOU_DOMAIN>.

    The domain is the one associated with your identity provider. If you specify example.com, all the emails ending with this domain will be authorized by your identity provider (SSOCircle in this case).

  8. Go to the “Applications” tab and enable applications you want to have SAML authentication.

  9. Go to Branding -> Universal Login

    Branding Universal Login

  10. Set Initial Sign-in screen -> Identifier First

    Identifier First

SSOCircle side

  1. Register

  2. Go to Manage Metadata

  3. Click Add new Service Provider:

    • The FQDN of the ServiceProvider: auth0.com
    • Attributes sent in assertion (optional): EmailAddress
    • The SAML Metadata information of your SP: XML returned by https://YOUR_DOMAIN/samlp/metadata?connection=ssocircle (see here)

When the configuration is done the user is redirected to SSOCircle on login to be authenticated.

SAML SSO

The user authenticated by SSOCircle is allowed to log in to the configured application. If the user has not existed before, it’s created with the following user_id: samlp|ssocircle|<SSOCircle_User>, where ssocircle is <YOUR_CONNECTION_NAME>.