Manage Self-Service SSO
Self-Service Single Sign-On (SSO) provides business-to-business (B2B) customers with the tools needed to delegate SSO setup to their enterprise customers.
Self-Service SSO requires minimal configuration in your Auth0 tenant and provides your customers with a self-service assistant that guides them through the enablement process. After a customer completes their setup, the SSO integration is automatically added to your tenant as an Enterprise connection.
Self-Service SSO is only available to B2B customers on Professional or Enterprise plans.
Users with the following Dashboard roles can engage with this feature:
Admin and Editor - Connections users can create and manage self-service profiles.
Viewer - Config users can view self-service profiles only.
To facilitate Self-Service SSO, you will configure the following components using either the Management API or the Auth0 Dashboard:
Self-service profile: Defines key elements of customer SSO implementations, including the identity providers (IdPs) they can use and which user attributes they must capture, such as email. You can create up to 20 profiles in your tenant for different customers or segments.
Self-service access ticket: Grants customer admins access to the self-service assistant and sets specific details for their resulting Enterprise connection. Access tickets allow customer admins to either create new or modify existing connections.
The sections below provide expanded steps for configuring self-service profiles and generating self-service access tickets to share with customer admins.
Create self-service profiles
You can create self-service profiles using the Auth0 Dashboard or the Management API.
Self-service profiles are used to determine key elements of customer implementations, including:
Which identity providers customer admins can use for SSO.
Which user attributes they must capture through SSO, such as email or family name.
Branding options that customize the look and feel of the self-service assistant.
You can create up to 20 profiles as needed to accommodate different customers or segments.
To create a self-service profile on the Auth0 Dashboard:
Navigate to Authentication > Enterprise and open the Self-Service SSO section. Then, select Create Profile.
In the space provided, enter a name and optional description for the profile. Then, select Create.
On the Settings tab, complete the sections below. Then, select Save.
Identity Providers: Enable one or more identity providers. In the self-service assistant, customer admins can select their preferred option from the list of enabled providers.
Branding: Provide a logo and primary color for the self-service assistant.
Custom Introduction: Modify or replace the default message as needed. This introduction text displays to customer admins on the landing page of the self-service assistant. Your messaging can include basic formatting options, such as bolding or hyperlinks, and is limited to 2000 characters.
On the User Profile tab, add up to 20 user attributes that your customers should capture through SSO, such as email or family name. You can set each attribute as
requiredoroptional.During the self-service assistant flow, customer admins will be prompted to map these defined user attributes to their identity provider to ensure the necessary values are passed to Auth0.
To create a self-service profile, first call the Self-Service Profiles endpoint to create the profile. Then, use a PUT call to optionally modify its introduction text.
Create a self-service profile:
Make a POST call to the Self-Service Profiles endpoint.
Specify the following parameters in the request body, as needed:
| Parameter | Required? | Description |
|---|---|---|
name |
Yes | String. Maximum length is 100. A user-friendly name for the self-service profile. |
description |
No | String. Maximum length is 140. A description of the self-service profile. |
allowed_strategies |
No | Array. One or more identity providers that customer admins can use to implement SSO. If no parameters are selected, all are passed by default. Options include:
|
user_attributes |
No | Object. Maximum length is 20. Stores mapping information presented to customer admins during the self-service assistant flow. Customer admins are instructed to map these attributes to their identity provider to ensure the specified attributes are passed to Auth0. |
user_attributes[].name |
Yes, when defining user_attributes. | String. Maximum length is 255. Name of the user attribute in Auth0. |
user_attributes[].description |
Yes, when defining user attributes. | String. Maximum length is 255. Human-readable description of the user attribute. |
user_attributes[].is_optional |
Yes, when defining user attributes. | Boolean. Indicates whether an attribute is optional or required by the customer in order for the application to function.
|
branding |
No | Object. Used to customize the styling of the self-service assistant presented to customer admins. |
branding.logo_url |
No | String. Maximum length is 1024. An HTTPS URL that points to a logo image. If provided, this logo displays to the top right of the self-service assistant. |
branding.colors |
No | Object. Sets a primary color for certain elements of the self-service assistant, such as interactive buttons. |
branding.colors.primary |
Yes, when defining branding.colors. | String. Specifies the hex value of the primary color used for the self-service assistant. |
Example Request Body
{
"name": "Example Profile",
"description": "An example profile for all customers",
"allowed_strategies": ["okta","adfs","google-apps"],
"user_attributes": [
{
"name": "email",
"description": "User's email",
"is_optional": false,
}
],
"branding": {
"logo_url": "https://example.com/logo.png",
"colors": {
"primary": "#334455"
}
}
}Was this helpful?
Customize your introduction text
When a customer admin accesses the self-service assistant, they first land on an introduction page that welcomes them to the experience. By default, the following message is provided:
"You are a few simple steps away from setting up SSO. This setup process involves making some changes to your identity provider. Before you begin, open your identity provider in a separate browser tab or window."
You can modify this text by making a PUT call to the Custom Text for Self-Service Profiles endpoint.
Be aware that this call overwrites any messaging currently set for the self-service profile. Ensure your call includes the complete text you wish to display to your customer admins.
Call
PUT /api/v2/self-service-profiles/{id}/custom-text/{language}/{page}, whereidis the profile ID of the self-service profilelanguageis set toenpageis set toget-started
In the request body, specify the following:
Property Description introductionString. Maximum length is 2000.
Full introduction text to display on the landing page of the self-service assistant. Text can include basic formatting options, such as bolding or hyperlinks.
Custom text provided through this parameter completely overwrites any previous messaging. For best results, ensure you provide the full message you wish to display to customer admins.
Sending an empty body{}resets any customized messaging to the default text.In response, the created entity is returned.
Example Call
PUT /api/v2/self-service-profiles/ssp_1234567890/custom-text/en/get-started
{
introduction: "Welcome! With <b>only a few steps</b>, you'll be able to setup your new connection. For assistance, contact <a href="https://www.examplesupportsite.com"> our support team </a>."
}Was this helpful?
Example Response
{
introduction: "Welcome! With <b>only a few steps</b>, you'll be able to setup your new connection. For assistance, contact <a href="https://www.examplesupportsite.com"> our support team </a>."
}Was this helpful?
Manage self-service access tickets
After creating at least one self-service profile, you can generate self-service access tickets using either the Auth0 Dashboard or the Management API.
Self-service access tickets serve two primary purposes:
Granting customer admins access to the self-service assistant where they can configure a new SSO connection or modify an existing connection.
Predefining key details and behaviors of new SSO connections your customer admins will configure, such as which applications or organizations will be enabled for the new connection.
When generating access tickets, you can also enable certain features such as SAML IdP-initated SSO, home realm discovery, and domain verification.
SAML IdP-initiated SSO
SAML IdP-initiated SSO is a style of implementation that allows identity providers to initiate SSO and redirect users to the service provider for authentication.
When enabling this option for Self-Service SSO, you must provide your default application and response protocol. You can also provide an optional query string to further customize the connection's behavior.
To learn more about these options, review Configure SAML Identity Provider-Initiated Single Sign-On.
Domain verification and home realm discovery
Self-service SSO supports two methods for ensuring customer admins associate verified domains with their connections: domain verification and home realm discovery.
While home realm discovery remains an available option, you can now use domain verification to allow your customers to manage this process themselves, reducing administrative overhead. Domain verification is currently available in Early Access.
Home realm discovery
Home realm discovery allows you to enter a list of known email domains for your customer. Domains specified in this list are automatically considered verified, and the customer admin does not need to complete manual verification.
You can provide a list of domains when generating self-service access tickets for your customer admins through either the Auth0 Dashboard or the Management API.
Auth0 Dashboard: On the Generate Ticket page, use the Home Realm Discovery field to specify your list of domains.
Management API: Use
domain_aliasesto specify your list of domains.
You can only specify domains for home realm discovery when generating access tickets for new connections; you cannot provide this information when using an access ticket to update an existing connection.
Domain verification
Domain verification is a tool for confirming your customers' authenticity and ensuring they provide legitimate domains when setting up SSO. When enabled, customer admins are prompted to manually verify their domains through the self-service assistant. This feature is currently available in Early Access.
You can enable domain verification when generating self-service access tickets through either the Auth0 Dashboard or the Management API:
Auth0 Dashboard: On the Generate Ticket page, use the Domain Verification field to set your level of requirement.
Management API: Use
domain_aliases_config.domain_verificationto set your level of requirement.
Domain verification supports 3 levels of requirement:
Off: When set to Off (or
nonevia the API), the self-service assistant does not prompt a customer admin to verify their domain. Off is the default option for access tickets.Optional: When set to Optional, the self-service assistant prompts the customer admin to verify their domain. The customer admin can choose to either enter their domain for verification or skip the step. In both cases, the customer admin can continue the setup process and enable their connection regardless of its verification status.
Required: When set to Required, the self-service assistant prompts the customer admin to verify their domains. In this case, the customer admin cannot skip this step and must complete domain verification in order to enable their connection.
In some cases, verification may take 24-48 hours to complete. If this occurs, you will need to generate a new access ticket that allows customer admins to modify their SSO connection, as access tickets expire five hours after they are first opened. For more information, review Generate an access ticket for existing connections.
You can enable domain verification when generating access tickets for both new and existing connections.
Generate access tickets for new connections
You can generate access tickets for new connections through either the Auth0 Dashboard or the Management API.
By default, access ticket URLs remain valid for five days after generation. After accessing the ticket URL, the customer admin has five hours to complete their setup. An access ticket URL can be accessed a maximum of 10 times; once this limit is reached, a new access ticket must be requested.
If needed, you can revoke an access ticket prior to its expiration to immediately cease access to the self-service assistant.
To generate an access ticket through the Auth0 Dashboard:
Navigate to Authentication > Enterprise and access the Self-Service SSO section. Then, select the self-service profile with which you want to create an access ticket.
Select Generate Ticket to open the ticket form. Under Select ticket type, choose Create a new connection.
Under Ticket configuration, provide a required name for the connection your customer admin will configure.
In the Settings section, configure additional options as needed for the new connection:
Display Name: A user-friendly name for the connection that displays on Universal Login prompts.
Enabled Clients: A comma-separated list of client IDs to associate with the connection.
Enabled Organizations: A comma-separated list of organization IDs to associate with the connection.
Display connection a as button: Displays the connection as an authentication option on the login screen.
Display connection as a button for organizations: Displays the connection as an authentication option on the login screen for the specified organizations.
Assign membership on login for organizations: Automatically grant organization membership to users who authenticate with the connection.
Enable as a domain level connection: Allow 3rd-party applications to use the connection; requires Dynamic Client Registration.
Accept SAML IdP-initiated SSO: Enables SAML Identity Provider-initiated SSO.
Under Home Realm Discovery, optionally provide a comma-separated list of IdP domains to compare to users’ email domains. For customers to use Home Realm Discovery, you must set Domain Verification to either
OptionalorRequired. For more information, review Home Realm Discovery.Under Time to Live, set an expiration period for the access ticket in seconds. By default, time to live is set to 432000 seconds (which equals five days).
Time to Live determines how long an access ticket URL is active before a customer admin launches the self-service assistant. It does not determine how long the customer admin has access to the assistant after it’s been launched. The expiration of the self-service assistant itself is 5 hours and cannot be configured.
Under Domain Verification, choose your desired level of verification:
Off: When set to Off, customer admins are not prompted to verify their domain when setting up SSO. This option is selected by default for new access tickets.
Optional: When set to Optional, customer admins are prompted to verify their domain when setting up SSO. However, they can skip this step and enable their connection without completing verification.
Required: When set to Required, customer admins must verify their domain when setting up SSO. They will not be able to enable their connection until verification is complete.
Under Metadata, add up to 10 metadata associated with the connection.
Review your access ticket configuration for accuracy. Then, select Create Ticket.
A Ticket Information popup containing the access ticket URL then displays. Copy and save this URL somewhere safe, as you cannot retrieve this URL again after closing the popup.
You can share the access ticket URL with your customer admin through email, chat, or another communication channel to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review Self-service assistant experience.
To generate an access ticket through the Management API.
Retrieve the ID of the self-service profile you want to associate with the access ticket through the Retrieve Self-Service Profiles endpoint.
Call the SSO Access Ticket endpoint using the ID of the appropriate self-service profile:
POST /api/v2/self-service-profiles/{id}/sso-ticket
In the request body, specify the parameters described in the table below.
| Parameter | Description |
|---|---|
connection_config |
Object. Required when generating an access ticket for a new SSO connection. Customer admins will be able to modify key elements of the connection, such as the SAML certificate or OIDC ID or secret. |
connection_config.name |
Required. String. Name for the connection created through the SSO setup assistant. Maximum length is 128. |
connection_config.display_name |
Optional. String. User-friendly name for the new connection created through the self-service assistant. This name displays on Universal Login prompts. Maximum length is 128. |
connection_config.is_domain_connection |
Optional. Boolean. Set to true if the connection is at the domain level; requires Dynamic Client Registration. |
connection_config.show_as_button |
Optional. Boolean. When true, the connection displays as an authentication option on your application's login screen. |
connection_config.metadata |
Optional. Object[]. Metadata associated with the new connection. Object can contain up to 10 key-value pairs. String values limited to 255 characters. |
connection_config.options |
Optional. Object[]. Options for the new connection, including:
|
connection_config.options.icon_url |
Optional. String. URL of the icon image to use if connection_config.show_as_button is enabled. Must use HTTPS. |
connection_config.options.domain_aliases |
Optional. String[]. Domains to use for home realm discovery. Domains entered into domain_aliases are automatically marked as verified. To have a customer admin verify a domain themselves, do not specify this attribute and instead use domain_aliases_config (described further on in this table). This option allows you to prompt the customer admin to verify their domain through the self-service assistant.For more information, review Domain Verification and Home Realm Discovery. |
connection_config.options.idpinitiated |
Optional. Object. Allows SAML IdP-initiated SSO and includes the following attributes:
For full details, review the SSO Access Ticket endpoint in the Management API Explorer. |
enabled_clients |
Optional. String[]. A list of application client IDs to associate with the new connection. |
enabled_organizations |
Optional. Object[]. A list of organizations to associate with the new connection. |
enabled_organizations[].organization_id |
Required when using enabled_organizations.String. ID of a specific organization to associate with the new connection. You can retrieve IDs through the Organizations section of the Auth0 Dashboard, the Get Organizations endpoint, or the Get Organization by Name endpoint. |
enabled_organizations[].assign_membership_on_login |
Optional. Boolean. When true, users who log in with the new connection are automatically granted membership to the specified organization. |
enabled_organizations[].show_as_button |
Optional. Boolean. When true, the new connection displays as an authentication option on the Organization login screen for your application. |
ttl_sec |
Optional. Number. Number of seconds an access ticket URL remains active before a customer admin launches the self-service assistant. If unspecified or set to 0, the value defaults to 432000 (which equals 5 days).Note that this expiration period does not determine how long a customer admin has access to the self-service after it’s been launched. The expiration of the assistant itself is 5 hours and cannot be configured. |
domain_aliases_config |
Optional. Object. Contains domain_verification which is used to determine whether domain verification is required, optional, or disabled. Options for domain_verification include:
To learn more, review Domain Verification and Home Realm Discovery. |
Example Request Body
{
"connection_config":{
"name":"string",
"display_name":"string",
"is_domain_connection":true,
"show_as_button":true,
"metadata":{
"key1":"value1",
"key2":"value2"
},
"options":{
"icon_url":"string",
"domain_aliases":[
"acme.corp",
"okta.com"
],
"idpinitiated": {
"enabled": true,
"client_id": "string",
"client_protocol": "string",
"client_authorizequery": "string"
}
}
},
"enabled_clients":[
"string"
],
"enabled_organizations":[
{
"organization_id":"string",
"assign_membership_on_login":true,
"show_as_button":true
}
],
"ttl_sec":0,
"domain_aliases_config": {
"domain_verification": "string"
}
}Was this helpful?
In response, you receive a URL to the self-service access ticket:
{
"ticket": "https://{domain}/self-service/connections-flow?ticket={id}"
}Was this helpful?
After you receive the ticket URL, share the link with your customer admin to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review Self-service assistant experience.
You can wrap access ticket generation in your own self-service portal or send ticket URLs directly to customer admins through email, chat, or other communication channels.
Generate access tickets for existing connections
You can generate access tickets for existing connections through either the Auth0 Dashboard or the Management API.
By default, access ticket URLs remain valid for five days after generation. After accessing the ticket URL, the customer admin has five hours to complete their setup. An access ticket URL can be accessed a maximum of 10 times; once this limit is reached, a new access ticket must be requested.
If needed, you can revoke an access ticket prior to its expiration to immediately cease access to the self-service assistant.
If a customer admin initiates domain verification through the self-service assistant, they may require an additional access ticket to complete the setup process.
Domain verification occurs as the final step of the self-service assistant. At this point in the workflow, the connection has been created but not enabled. If domain verification is required, the customer admin cannot enable their connection until verification is complete.
While verification typically occurs in a timely manner, it may take 24-48 hours in some cases. If this occurs, the customer admin will not be able to use their original access ticket to enable their connection, as tickets expire five hours after they are first accessed.
To complete this process, you can generate an access ticket that allows the customer admin to modify the connection they configured with their initial ticket. When creating this ticket, ensure you specify the Connection ID of the connection they configured with their first access ticket.
To generate an access ticket through the Auth0 Dashboard:
Navigate to Authentication > Enterprise and access the Self-Service SSO section. Then, select the self-service profile with which you want to create an access ticket.
Select Generate Ticket to open the ticket form. Under Select ticket type, choose Edit an existing connection.
Under Ticket configuration, provide the ID of the existing connection you want the customer admin to modify.
Under Domain Verification, choose your desired level of verification:
Off: Customer admins are not prompted to verify their domain when setting up SSO. This option is selected by default for new access tickets.
Optional: Customer admins are prompted to verify their domain when setting up SSO. However, they can skip this step and enable their connection without completing verification.
Required: Customer admins must verify their domain when setting up SSO. They will not be able to enable their connection until verification is complete.
Under Time to Live, set an expiration period for the access ticket in seconds. By default, time to live is set to 432000 seconds (which equals five days).
Time to Live determines how long an access ticket URL is active before a customer admin launches the self-service assistant. It does not determine how long the customer admin has access to the assistant after it’s been launched. The expiration of the self-service assistant itself is 5 hours and cannot be configured.
Review your access ticket configuration for accuracy. Then, select Create Ticket.
A Ticket Information popup containing the access ticket URL then displays. Copy and save this URL somewhere safe as you cannot retrieve this URL again after closing the popup.
You can share the access ticket URL with your customer admin through email, chat, or another communication channel to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review Self-service assistant experience.
To generate an access ticket through the Management API, follow the steps below.
You cannot update connection_config details for an existing connection through the SSO Access Ticket endpoint. If you need to modify this information for an existing connection, use the Update a Connection endpoint instead.
Retrieve the ID of the self-service profile you want to associate with the access ticket through the Retrieve Self-Service Profiles endpoint.
Call the SSO Access Ticket endpoint using the ID of the appropriate self-service profile:
POST /api/v2/self-service-profiles/{id}/sso-ticketIn the request body, specify the following parameters:
| Parameter | Description |
|---|---|
connection_id |
Required. String. ID of the connection a customer admin can update through the self-service assistant. Customer admins can modify key elements of the connection, such as the SAML certificate or OIDC ID and secret. Connection IDs can be retrieved through the Authentication section of the Auth0 Dashboard or the Get All Connections endpoint.** |
ttl_sec |
Optional. Number. Number of seconds an access ticket URL remains active before a customer admin launches the self-service assistant. If unspecified or set to 0, the value defaults to 432000 (which equals 5 days). Note that this expiration period does not determine how long a customer admin has access to the self-service assistant after it's been launched. The expiration of the assistant itself is 5 hours and cannot be configured. |
domain_aliases_config |
Optional. Object. Contains domain_verification which is used to determine whether domain verification is required, optional, or disabled. Options for domain_verification include:
To learn more, review Domain Verification and Home Realm Discovery. |
Example Request Body
{
"connection_id": "string",
"ttl_sec":0,
"domain_aliases_config": {
"domain_verification": "string"
}
}Was this helpful?
In response, you receive a URL to the self-service access ticket:
{
"ticket": "https://{domain}/self-service/connections-flow?ticket={id}"
}Was this helpful?
After you receive the ticket URL, share the link with your customer admin to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review Self-service assistant experience.
You can wrap access ticket generation in your own self-service portal or send ticket URLs directly to customer admins through email, chat, or other communication channels.
Revoke an access ticket
By default, an access ticket URL remains valid for five days. Upon accessing the URL, a customer admin has five hours to complete their setup.
If needed, you can revoke an access ticket prior to its expiration. For example, if an access ticket is shared with the wrong audience, you can revoke the ticket to prevent unauthorized access to the self-service assistant.
When you revoke an access ticket, its URL immediately becomes invalid, and any associated sessions are terminated. Customer admins with the URL will no longer be able to access the self-service assistant. You can then generate and share new access tickets as needed.
To revoke an access ticket:
Retrieve the ID of the self-service profile associated with the access ticket using the Retrieve Self-Service Profiles endpoint.
Locate the ID of the access ticket you wish to revoke. IDs can be found at the end of the access ticket URL.
Call the Revoke SSO Access Ticket endpoint using the appropriate IDs:
POST /api/v2/self-service-profiles/{id}/sso-ticket/{id}/revoke
In response, a 202 Accepted is returned.
References
APIs
To manage Self-Service SSO, the following Management API endpoints are available:
Rate Limits
When using Self-Service SSO, the following rate limits apply:
| Description | Endpoint | Limits |
|---|---|---|
| Manage SSO profiles | /api/v2/self-service-profiles |
Review the Management API rate limits for your subscription type. |
| Create an access ticket | /api/v2/self-service-profiles/{id}/sso-ticket |
Review the Management API rate limits for your subscription type. |
| Consume an access ticket | /self-service/connection-flows?ticket={id} |
6 / min / IP |
| Load the webapp (including setup assistant) and webapp endpoints | /self-service/* |
50 / min / IP 90 / min / tenant |