Auth0's SAML SSO integrations allow you to use Auth0 as the Identity Provider for a SaaS application using the SAML protocol. In this lab, you will:
- Create a new SSO integration picked from Auth0's ready-to-use list.
- Configure the SaaS application to use Auth0 as the Identity Provider.
- Test the configured SSO integration.
Why Use SSO Integrations?
Auth0's SSO integrations allow you to implement Single Sign-On easily by simply picking up one of the predefined configurations for the most common SaaS applications.
Auth0's SSO integrations allow you to configure a SaaS application as a Service Provider (SP) trusting Auth0 as the Identity Provider (IdP). Auth0's SSO integrations are based on the SAML protocol.
Once you integrate multiple SaaS applications with Auth0, your company's users will authenticate with Auth0 and access all those applications without re-authenticating.
While SSO integrations improve your users' experience, they also provide more security since users use one account for all the applications, and their accounts are provisioned and de-provisioned in a single point, where the company's security policies can be enforced.
Lab Setup
To follow this lab, you need:
- A Google Workspace admin account. Learn how to get an admin account if you don't have one.
- An Auth0 account to access the Auth0 dashboard. If you don't have an Auth0 account, sign up now to have one for free.
Create a SAML SSO Integration
As a first step, access your Auth0 dashboard and go to Applications > SSO Integrations. You will land on a page like the following:
Now, click the Create SSO Integration button. A list of SSO integrations will be shown, as in the following image:
Filter the list by looking for Google Workspace and select the resulting item. You will see a page with the description of the selected integration:
Click Continue, and you will land on the following screen:
You need to provide the configuration details of your company’s Google Workspace instance. Auth0 needs this data to communicate the result of user authentication.
In the case of Google Workspace, you need to provide three values:
- A name that identifies the SSO integration you are creating;
- The callback URL (i.e., the URL where Auth0 will redirect users after authentication), also known as the Assertion Consumer Service (ACS) URL. In the case of Google, this URL has the form of
https://www.google.com/a/{YOUR-DOMAIN}/acs, where{YOUR-DOMAIN}is a placeholder for your company’s Google Workspace domain. - The audience (i.e., the URI that identifies the intended Service Provider you are connecting to). In the case of Google, it has the same form as the callback URL.
Once you provide the required parameters, click the Save button and you’ll see a set of parameters related to Auth0 as your SAML IdP:
You will use the values of these parameters to configure Google Workspace as a Service Provider.
Configure the SaaS Application
As the next step, you will move to your SaaS application to provide some configuration data that allows the application to acknowledge Auth0 as a SAML Identity Provider.
Since we are using Google Workspace as our SaaS application example, you will access your Google Admin console with an administrator account.
Click the menu icon and select the Security > Authentication > SSO with third party IdP item.
In Third-party SSO profiles, click Add SAML profile and enter a name for the profile.
Consider the values of the parameters shown on the SSO integration page in the Auth0 dashboard:
You will assign the following values to the SAML profile you are creating on the Google Admin console:
- Assign the value of the Issuer field to the field IdP Entity ID.
- Assign the value of the Identity Provider Login URL field to the fields Sign-in page URL, Sign-out page URL, and Change password URL.
- Download the certificate from the URL specified in the field Identity Provider Certificate and upload it tp the SAML profile by clicking the Upload certificate button.
Now, you can click the Save button to complete the configuration of Google Workspace.
Google Workspace will use Auth0 to authenticate your users.
Test the SAML SSO Integration
Now that you have configured Auth0 as your SAML Identity Provider and Google Workspace as your SAML Service Provider, let’s ensure everything works as expected.
As a first step, make sure you have at least one user created in your current Auth0 tenant. These users will be enabled to access Google Workspace through Auth0. If you don’t have any, create one following these steps.
Then, clear your browser history and cookies — this ensures that you are not using an existing authenticated session.
Now, access one of the Google Workspace applications, such as GMail. You should be redirected to the Auth0 login page. After you enter your user’s credentials, you should go back to GMail.
Awesome! Now Auth0 is the Identity Provider for your Google Workspace applications.
Recap
In this lab, you learned how to leverage predefined Auth0's SSO Integrations to allow users authenticated with Auth0 to access SaaS applications. This enables Single Sign-On in your organization since with a single Auth0 account your users can access multiple SaaS applications.
Picking Google Workspace as a SaaS application example, you learned how to configure a predefined SSO integration on the Auth0 dashboard and how to configure the SaaS application by providing the data shown on the SSO integration page.