Configure Security Policies
This feature is only available to Public Cloud Enterprise tenants.
Security policies allow team owners to configure and implement authentication rules that adhere to your organization's IT security policies for access to infrastructure systems or applications.
Available Enterprise IdP Connections
Auth0 Teams allows you to connect to your identity provider (IdP) to provide single-sign on (SSO) for team members.
Add SSO connection (Beta)
You can configure an SSO connection in the Auth0 Teams dashboard.
Before you add an SSO connection, you need to collect the following information:
Your IdP provider (for example: Okta, ADFS, or Google Workspace)
Your IdP domain
Auth0 Callback URL (
https://auth0.auth0.com/login/callback)Your Client ID, Client Secret, Sign-in URL, and Signing Certificate (depending on your IdP)
Go to Security.
Select + Add Connection (Beta), and then select Get Started.
Choose an identity provider, and then select Next.
Follow the instructions to create an application, and then select Next.
Configure your connection, then select Create Connection.
Read the prompt, then select Proceed.
Follow the instructions to grant users and groups access, and then select Next.
Select Test Connection to verify that your connection is configured properly.
When ready, select Enable Connection.
After you enable your connection, it appears in the Available Enterprise IdP Connections section of the Security Policies page.
Configure just-in-time (JIT) provisioning
JIT provisioning enables Auth0 to automatically create an account for team members who log in through an SSO connection.
You must enable Tenant Member Management to configure JIT provisioning.
Go to Security.
Locate the Available Enterprise IdP Connections section.
Enable the JIT Membership toggle for the connection.
Enforce Single Sign On
Auth0 Teams allows you to require team members to log in through one of your Available Enterprise IdP Connections.
To enforce SSO, you must be logged in through an SSO connection and have the Team Owner role.
If you are not logged in through an SSO connection, but you have one configured, you can invite yourself to your Auth0 Team on that connection.
Use JIT provisioning
This method allows team members to log in to the SSO connection immediately after it's enabled, and instructs Auth0 to automatically create an account for them after the first time they log in successfully.
Enable Tenant Member Management.
Enable the JIT Membership toggle for the SSO connection.
Instruct all team members to log out of the Auth0 Teams dashboard, and then log in on the SSO connection.
Auth0 automatically creates a new account (on the SSO connection) for each team member.
Assign each team member's new account the same team role as their old account.
(Optional) Delete each team member's old account.
Manage team and tenant membership manually
This method allows you to manage team members separately from tenant members.
For team members, send a new invitation from the Teams dashboard and instruct them to accept the invitation using the SSO connection.
For tenant members, send a new invitation from the Auth0 Dashboard from each tenant they're a member of and instruct them to accept the invitation using the SSO connection.
Configure home-realm discovery (HRD)
If you enable HRD, Auth0 recognizes the domain of the email address a team member enters and directs them to the associated SSO connection.
Before you enable HRD, make sure your team members are prepared!
If you're using Team Member Management and JIT provisioning, notify your team members of the new behavior.
If you're managing team membership manually, ensure all team members have an account on the associated SSO connection and they know how to log in.
Open a ticket with Auth0 Support.
Let them know you'd like to enable HRD for an Auth0 Teams SSO connection, and provide the following information:
Your Team Name and Team Permalink
The name of the SSO connection
The domain associated with the SSO connection