This feature is offered as Early Access to Public Cloud Enterprise tenants and as a Beta release to Private Cloud Enterprise tenants.
Security policies allow team owners to configure and implement authentication rules that adhere to your organization’s IT security policies for access to infrastructure systems or applications.

Available Enterprise IdP Connections

Auth0 Teams allows you to connect to your (IdP) to provide single-sign on () for team members.

Add SSO connection (Beta)

You can configure an SSO connection in the Auth0 Teams Dashboard.
Before you add an SSO connection, you need to collect the following information:
  • Your IdP provider (for example: Okta, ADFS, or Google Workspace)
  • Your IdP domain
  • Auth0 Callback URL (https://auth0.auth0.com/login/callback)
  • Your Client ID, Client Secret, Sign-in URL, and Signing Certificate (depending on your IdP)
  1. Go to Security.
  2. Select + Add Connection (Beta), and then select Get Started.
  3. Choose an identity provider, and then select Next.
  4. Follow the instructions to create an application, and then select Next.
  5. Configure your connection, then select Create Connection.
  6. Read the prompt, then select Proceed.
  7. Follow the instructions to grant users and groups access, and then select Next.
  8. Select Test Connection to verify that your connection is configured properly.
  9. When ready, select Enable Connection.
After you enable your connection, it appears in the Available Enterprise IdP Connections section of the Security Policies page.

Configure just-in-time (JIT) provisioning

JIT provisioning enables Auth0 to automatically create an account for team members who log in through an SSO connection.
You must enable Tenant Member Management to configure JIT provisioning.
  1. Go to Security.
  2. Locate the Available Enterprise IdP Connections section.
  3. Enable the JIT Membership toggle for the connection.

Enforce Single Sign On

Auth0 Teams allows you to require team members to log in through one of your Available Enterprise IdP Connections.
To enforce SSO, you must be logged in through an SSO connection and have the Team Owner role.If you are not logged in through an SSO connection, but you have one configured, you can invite yourself to your Auth0 Team on that connection.

Use JIT provisioning

This method allows team members to log in to the SSO connection immediately after it’s enabled, and instructs Auth0 to automatically create an account for them after the first time they log in successfully.
  1. Enable Tenant Member Management.
  2. Enable the JIT Membership toggle for the SSO connection.
  3. Go to the Teams Dashboard’s Settings page and note your team’s permalink value.
  4. Instruct all team members to log out of the Auth0 Teams Dashboard and log in via the SSO connection. The URL structure for the team members to follow is https://accounts.auth0.com/teams/{team-permalink}.
  5. Auth0 automatically creates a new account (on the SSO connection) for each team member.
  6. Assign each team member’s new account the same team role as their old account.
  7. (Optional) Delete each team member’s old account.

Manage team and tenant membership manually

This method allows you to manage team members separately from tenant members. For team members, send a new invitation from the Teams Dashboard and instruct them to accept the invitation using the SSO connection. For tenant members, send a new invitation from the Auth0 Dashboard from each tenant they’re a member of and instruct them to accept the invitation using the SSO connection. After accepting the invitation, Private Cloud Enterprise customers that enforce SSO and/or use Tenant Member Management can click the Continue with Auth0 Teams login button in their Private Cloud .

Configure home-realm discovery (HRD)

If you enable HRD, Auth0 recognizes the domain of the email address a team member enters and directs them to the associated SSO connection.
Before you enable HRD, make sure your team members are prepared!If you’re using Team Member Management and JIT provisioning, notify your team members of the new behavior.If you’re managing team membership manually, ensure all team members have an account on the associated SSO connection and they know how to log in.
  1. Open a ticket with Auth0 Support.
  2. Let them know you’d like to enable HRD for an Auth0 Teams SSO connection, and provide the following information:
    • Your Team Name and Team Permalink
    • The name of the SSO connection
    • The domain associated with the SSO connection