Configure Auth0 as SAML Identity Provider for OKTA SP

By Gapa Ananthakrishnan Mar 4, 2025

If your Okta-protected application requires authentication through an external third-party IdP, such as Auth0, you can follow these steps to connect via SAML. For authentication using OIDC, please refer to the following blog post here

Overview:

The following are the high-level steps to complete this configuration:

  1. In Okta SP, prerequisites: make sure you have a sample application protected by Okta and that users from the Okta Universal Directory (local users) can log in to the application.
  2. In Auth0 IdP, configure a new web application and attach a SAML add-on so that it acts as a SAML IdP.
  3. In Okta SP, create a new identity provider and configure a routing rule that routes traffic to the external IdP on a username pattern-matching condition (for example, any user whose name matches *.anyidp@atko.email is routed to the external IdP, Auth0 in this case).
  4. Go back to the Auth0 IdP dashboard and update the Assertion Consumer Service (ACS) URL of the SAML add-on associated with the web application.
  5. Self-service provision an Auth0 test user with a user id matching the above routing rule (for example, register a new Auth0 test user as test.anyidp@atko.email).
  6. Test your sample application with this new user and observe the SAML assertion from the IdP.

Step 1: Prerequisites

Configure a test application (or use the End-User Dashboard application) and log in as a test user. Make sure those test users can log in to this application with local credentials stored in Okta UD.

Step 2: Configure Auth0 IdP with the SAML Add-on for the Web App

In this step we will configure Auth0 as an IdP by creating a SAML web application.

  1. Go to the Auth0 dashboard and create a new application: click Applications > Applications > + Create Application, give the application a name, select “Regular Web Application” as the application type and click “Create” to finish creating the application.
  2. Click on the Addons tab for the web application, and then click on the SAML2 Web App button to open the configuration dialog with the “Usage” tab selected by default. Note down (copy) all the necessary information, such as the Issuer and Identity Provider Login URL, to configure the Okta SP in the next step. Also click the Download Auth0 certificate link to download the Auth0 IdP signing certificate; it is needed in the next step as well.
  3. Click on the “Settings” tab at the top to configure the ACS URL and the attribute mapping from IdP to SP. Use a sample ACS URL for now, such as https://www.okta.com (we will replace it with the Okta SP ACS URL later, in step 4 below). Also paste the following mapping rules into the Settings section:

     {
       "audience": "https://www.okta.com/saml2/service-provider/spomaqcpbrfhapiyuuze",
       "mappings": {
         "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
         "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
         "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
         "lastname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
       },
       "nameIdentifierProbes": [
         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
       ]
     }

  4. Scroll down to the bottom and click on the “Enable” button to save and enable this SAML add-on configuration.

Step 3: Configure Okta SP with the New Identity Provider

In this step we will configure Okta as the SP with a new Auth0 identity provider.

  1. Go to the Okta admin console and navigate to Security > Identity Providers. Click on the “Add Identity Provider” button at the top of the identity providers table (the list will be empty if none are set up yet), select “SAML 2.0 IdP” from the list and click “Next”.
  2. Provide a name for this provider and then specify “idpuser.subjectNameId” as the IdP Username.
  3. Select “Automatic” as the Account Linking Policy and select the JIT option and the other options as shown in the screenshot.
  4. Also provide the IdP metadata (Issuer URI, SSO URL, etc.) and upload the signing certificate saved in step 2.
  5. Make sure to uncheck the Sign SAML Authentication Requests option and finally click on the “Finish” button to create the identity provider.
  6. Expand the newly created identity provider and copy the ACS URL and issuer details from this IdP; we need this information for the next step.

Step 4: Update Auth0 IdP with the ACS URL from the Okta SP

We need to update the Auth0 IdP created in step 2 with the Okta SP ACS URL. To do this:

  1. Go back to the Auth0 dashboard and click on Applications > Applications, select the SAML web app created in step 2, click on the Addons tab for the web application, and then click on the SAML2 Web App button to open the configuration dialog with the “Usage” tab selected by default.
  2. Click on the Settings tab of this popup dialog and replace the sample value of the Application Callback URL with the Okta SP ACS URL copied in step 3.6.
  3. Scroll all the way down and click the “Save” button to save the SAML configuration.

Step 5: Create Auth0 Test User

Self-service provision a test user with a user id matching the above routing rule (for example, register a new Auth0 test user as test.anyidp@atko.email).

Step 6: Test Your Sample Application

Test your sample application (the Okta End-User Dashboard) with the new user created in Auth0. Upon entering the test username in Okta, the routing rule should redirect you to Auth0 for authentication. Complete the login and confirm that the sample app (dashboard) is displayed for the Auth0 user. Make sure to inspect the SAML assertion using the SAML Tracer extension in your browser and observe the NameID and the other SAML attributes in the assertion.
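The following script does in code what step 6 does by eye in SAML Tracer, and ties it back to the step 2 mapping: it parses a SAML Response, pulls out the Issuer, NameID, Audience, validity window and attribute claims, and checks them against the values this walkthrough configured (the audience and claim URIs from the step 2 JSON, and the step 3 routing-rule pattern). This is an added example and not part of the original post or of Auth0/Okta tooling. The embedded response is constructed for illustration: the Auth0 issuer, the signature value and the user's name are placeholders, and the regex for "*.anyidp@atko.email" is an assumption about how the routing rule is meant to match. The script does not validate the XML signature (that needs a signature library and the certificate downloaded in step 2); it only reports whether a Signature element is present.

```python
"""Inspect a SAML Response the way step 6 does with SAML Tracer, but in code.
Added example, not from the original post. Signature presence is reported,
never validated."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# From the post: the "audience" and claim URIs used in the step-2 mapping JSON.
EXPECTED_AUDIENCE = "https://www.okta.com/saml2/service-provider/spomaqcpbrfhapiyuuze"
CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL, GIVENNAME, SURNAME = CLAIM + "emailaddress", CLAIM + "givenname", CLAIM + "surname"

# Step-3 routing rule "*.anyidp@atko.email" as a regex (assumption: any local
# part ending in ".anyidp", exact domain).
ROUTING_RULE = re.compile(r"^[^@\s]+\.anyidp@atko\.email$")

# Constructed sample response; issuer, signature value and name are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2025-03-04T10:00:00Z">
  <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-03-04T10:00:00Z">
    <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER-NOT-A-REAL-SIGNATURE</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test.anyidp@atko.email</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-03-04T09:59:00Z" NotOnOrAfter="2025-03-04T10:10:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://www.okta.com/saml2/service-provider/spomaqcpbrfhapiyuuze</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>test.anyidp@atko.email</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def parse_saml_response(xml_text):
    """Return the fields a reviewer reads off SAML Tracer as a dict."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no saml:Assertion in response")
    cond = a.find("saml:Conditions", NS)
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = vals[0] if len(vals) == 1 else vals
    return {
        "issuer": (a.findtext("saml:Issuer", "", NS) or "").strip(),
        "name_id": (a.findtext("saml:Subject/saml:NameID", "", NS) or "").strip(),
        "audience": (a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS) or "").strip(),
        "not_before": cond.get("NotBefore") if cond is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "signed": a.find("ds:Signature", NS) is not None or root.find("ds:Signature", NS) is not None,
        "attributes": attrs,
    }


def check_assertion(parsed, now):
    """List what differs from the walkthrough's expectations; [] means all good."""
    findings = []
    if parsed["audience"] != EXPECTED_AUDIENCE:
        findings.append("audience mismatch: %r" % parsed["audience"])
    if not ROUTING_RULE.match(parsed["name_id"]):
        findings.append("NameID %r does not match routing rule" % parsed["name_id"])
    if parsed["attributes"].get(EMAIL) != parsed["name_id"]:
        findings.append("email claim differs from NameID (nameIdentifierProbes uses email)")
    for name, uri in (("givenname", GIVENNAME), ("surname", SURNAME)):
        if uri not in parsed["attributes"]:
            findings.append("missing %s claim" % name)
    if not parsed["signed"]:
        findings.append("no Signature element found")
    nb, noa = _ts(parsed["not_before"]), _ts(parsed["not_on_or_after"])
    if nb and now < nb:
        findings.append("assertion not yet valid")
    if noa and now >= noa:
        findings.append("assertion expired")
    return findings


def inspect_response(xml_text, now_iso):
    """Parse and check a response at a given UTC time ("...Z")."""
    return check_assertion(parse_saml_response(xml_text), _ts(now_iso))


if __name__ == "__main__":
    parsed = parse_saml_response(SAMPLE_RESPONSE)
    for key, val in parsed.items():
        print("%-15s %s" % (key, val))
    print(check_assertion(parsed, _ts("2025-03-04T10:05:00Z")) or "assertion matches expectations")
```

To use it on a real login, copy the decoded SAML Response from SAML Tracer into a file and pass its contents to inspect_response with the current UTC time. A NameID that fails the routing-rule check is the usual sign that the Auth0 user was registered with the wrong address in step 5, and an audience mismatch usually means the step 2 "audience" value does not match the SP entity id shown in step 3.6.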
