Common settings

These are the settings used to configure a (IdP).
If you have configured a Custom Domain, you must use your custom domain CNAME in place of the Auth0 domain. To learn more, read Configure Features to Use Custom Domains.

post-back URL

When using IdP-Initiated , make sure to include the connection parameter in the post-back URL: 
https://{yourDomain}/login/callback?connection={yourConnectionName}
If you are using the Organizations feature, you can optionally include an organization parameter containing the organization ID of the desired organization: 
https://{yourDomain}/login/callback?connection={yourConnectionName}&organization={yourCustomersOrganizationId}
In order for users to successfully log-in using this method, the connection must be enabled for the Organization. Additionally, you must either configure auto-membership for the enabled connection or ensure users have membership for the Organization.

Entity ID

The ID of the service provider is: 
urn:auth0:{yourTenant}:{yourConnectionName}
You can create a custom Entity ID using the property connection.options.entityId. To learn more, read Specify a Custom Entity ID. You can obtain the custom Entity ID value using the Get a Connection endpoint: 
curl --request GET \
  --url 'https://{yourDomain}/api/v2/connections/%7ByourConnectionID%7D' \
  --header 'authorization: Bearer {yourAccessToken}'
Replace the ACCESS_TOKEN header value, with a Management APIv2 .

SAML Request Binding

Also called the Protocol Binding, is sent to the IdP from Auth0. If possible, dynamically set the value based on connection.options.protocolBinding:
connection.options.protocolBinding valueSAML Request Binding value
Empty value ("") or not presentHTTP-Redirect
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-RedirectHTTP-Redirect
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POSTHTTP-POST
If dynamically setting the value isn’t possible, then set as either HTTP-Redirect (default) or HTTP-Post if you selected this option in Protocol Binding.

SAML Response Binding

How the SAML token is received by Auth0 from IdP, set as HTTP-Post.

NameID format

Unspecified.

SAML assertion and response

The SAML assertion, and the SAML response can be individually or simultaneously signed.

SingleLogout service URL

This is where the SAML identity provider will send logout requests and responses: 
https://{yourDomain}/logout
SAML logout requests must be signed by the identity provider.

Signed assertions

Use the following links to obtain the public key in different formats: Download the certificate in the format requested by the IdP.

IdP-initiated Single Sign-on

To learn about IdP-initiated SSO, read Configure SAML IdP-Initiated Single Sign-On.

Metadata

Some SAML identity providers can accept importing metadata directly with all the required information. You can access the metadata for your connection in Auth0 here: 
https://{yourDomain}/samlp/metadata?connection={yourConnectionName}

Organizations

Use the ACS URL for your organization in the federated IdP to start the Organizations login flow. 
https://{yourDomain}/samlp?connection={yourConnectionName}&organization=${yourOrgID}

Learn more