Auth0 SAML Integration Setup Guide

In this guide, we will cover how to set up Descope as a federated Identity Provider (IdP) to implement authentication for applications that currently use Auth0.

With Descope acting as the SAML Identity Provider (IdP) and Auth0 acting as the SAML Service Provider (SP), you replace Auth0's username and password authentication with Descope authentication while keeping Auth0 as your primary user store and management console.

To do this, all you will need is:

  • A Descope project and access to the Descope Console
  • An Auth0 tenant and access to its admin dashboard

Once you have the above, simply follow along with this guide to learn how to add Descope Flows to your application.

Setting up your Hosted Auth Page

Note

If you want to use Passkeys, you can download the oidc-flow JSON from our sample app repository, which you can import into your own project.

It is important to use this Flow: it is designed so that the user's email address is always verified before a passkey can be used as an authentication method, which matters because the email is what Auth0 will later use to match the login to an existing user.

Your flows are automatically hosted with our Descope Auth Hosting Application. To learn more about our hosted app, you can read about it in our Docs page here.

If you're using the oidc-flow.json provided above, edit the query parameter at the end of the Flow Hosting URL like so: https://auth.descope.io/<Project ID>?flow=oidc-flow

You can find this Flow Hosting URL under your OIDC-based Application configuration. If you're using the default OIDC application, the configuration is here

Descope with Auth0 as auth provider flow configuration 2

Note

You should keep this page open, as you're going to need this information for the next part of this blog.

Once your flow is set up and your Flow Hosting URL has been configured, you'll need to connect your flow to Auth0 by setting Descope up as an enterprise SAML connection.

Descope as an Enterprise Connection

In order to set up Descope as an Enterprise connection with Auth0, you will need to add an Enterprise SAML connection. You can do this under the Authentication -> Enterprise section of your Auth0 admin dashboard.

When you create a new SAML connection, you will be prompted to fill in the following information:

  • Connection Name: Call it Descope
  • Sign In URL: This will be the SSO URL that exists under Identity Provider (IdP) in your Application settings
  • X509 Signing Certificate: The Descope SAML Signing Certificate which you can download by clicking on Download public certificate under Identity Provider (IdP) in your Application settings
  • User ID Attribute: This

Once you've gathered all of this information, put it in the configuration panel as shown below:

Descope OIDC with Auth0 as auth provider Auth0 configuration 1

You'll then need to find your SP Metadata URL, which can be constructed by following the steps in the Auth0 documentation here.

https://YOUR_AUTH0_DOMAIN/samlp/metadata?connection=YOUR_AUTH0_CONNECTION_NAME

Example: https://dev-7ftdf3sadfsdaf.us.auth0.com/samlp/metadata?connection=Descope
  • YOUR_AUTH0_DOMAIN - your Auth0 tenant domain
  • YOUR_AUTH0_CONNECTION_NAME - the name of the Connection you configured in the previous step (i.e. Descope)
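Before pasting the SP Metadata URL into Descope, it is worth confirming what the metadata actually advertises: that its Assertion Consumer Service points at your own tenant and at the connection you just named, and that the SP insists on signed assertions. The following is an added example written for this guide, not code from Descope or Auth0. The metadata document inside it is constructed to follow the SAML 2.0 metadata schema; the tenant `dev-example.us.auth0.com`, the entity ID and the function names are placeholders chosen for the example.

```python
"""Build the Auth0 SP metadata URL for a SAML enterprise connection and
check what that metadata advertises before pasting the URL into Descope.

Added example, not code from Descope or Auth0. SAMPLE_SP_METADATA is a
constructed document that follows the SAML 2.0 metadata schema; the domain
dev-example.us.auth0.com and the entity ID are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def sp_metadata_url(auth0_domain: str, connection_name: str) -> str:
    """Return https://<auth0_domain>/samlp/metadata?connection=<name>.

    The domain must be a bare hostname so that a scheme, path or userinfo
    cannot be smuggled in from a config value.
    """
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]*", auth0_domain):
        raise ValueError(f"not a bare hostname: {auth0_domain!r}")
    return (f"https://{auth0_domain}/samlp/metadata"
            f"?connection={quote(connection_name, safe='')}")


# Constructed for this example: the shape of SP metadata for a connection
# named "Descope" on a hypothetical tenant.
SAMPLE_SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:auth0:dev-example:Descope">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-example.us.auth0.com/login/callback?connection=Descope"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the fields that matter on the Descope side: entity ID, ACS
    endpoints, NameID formats and whether signed assertions are required."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        # An IDPSSODescriptor here would mean IdP metadata was pasted by mistake.
        raise ValueError("no SPSSODescriptor: not service-provider metadata")
    return {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": spsso.get("WantAssertionsSigned") == "true",
        "name_id_formats": [e.text for e in spsso.findall("md:NameIDFormat", NS)],
        "acs": [
            {"binding": e.get("Binding"), "location": e.get("Location")}
            for e in spsso.findall("md:AssertionConsumerService", NS)
        ],
    }


def check_sp_metadata(info: dict, auth0_domain: str, connection_name: str) -> list:
    """Return a list of problems; an empty list means the metadata belongs to
    the tenant and connection you think you configured."""
    problems = []
    if not info["want_assertions_signed"]:
        problems.append("SP does not require signed assertions")
    if not info["acs"]:
        problems.append("no AssertionConsumerService endpoint")
    for acs in info["acs"]:
        url = urlsplit(acs["location"])
        if url.scheme != "https":
            problems.append(f"ACS is not https: {acs['location']}")
        if url.hostname != auth0_domain:
            problems.append(f"ACS host {url.hostname!r} is not {auth0_domain!r}")
        if parse_qs(url.query).get("connection") != [connection_name]:
            problems.append(f"ACS is for another connection: {acs['location']}")
    return problems


if __name__ == "__main__":
    print(sp_metadata_url("dev-example.us.auth0.com", "Descope"))
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    print(info)
    print(check_sp_metadata(info, "dev-example.us.auth0.com", "Descope") or "ok")
```

In practice you would fetch the real document from the URL the function builds and pass its body to `parse_sp_metadata`; the checks catch the two common mistakes when several connections or tenants are in play, namely pasting the metadata URL of the wrong connection and a typo in the tenant domain.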

This URL will need to be placed in the Application configuration in the Descope Console, under SP Configuration:

Descope OIDC with Auth0 as auth provider Auth0 configuration 1

The toggle at the bottom, Sync user profile attributes at each login, needs to be turned on if you want to use Descope as an alternative login method alongside your existing Auth0 authentication methods. Otherwise, the first time an existing user logs in through Descope, Auth0 creates a separate user record for them, without the roles and permissions already assigned to their original account.

Descope OIDC with Auth0 as auth provider Auth0 configuration 2

When this feature is enabled, the user is first prompted to verify their existing Auth0 account with their usual username and password before the two user records are merged. That check is what prevents account takeover: without it, anyone who could log in to Descope with a matching email address would be linked to, and gain access to, another user's Auth0 account.
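The reason the password prompt matters is easiest to see by comparing the two linking policies side by side. The following is an added example written for this guide, a small model of the account-linking decision rather than Auth0's or Descope's implementation; the users, email addresses, identity strings such as `samlp|Descope|attacker-sub` and the `prove_primary` callback are all constructed for illustration.

```python
"""Why a Descope login must not be merged into an existing Auth0 account on
the strength of a matching email alone.

Added example: a small model of the account-linking decision, written for
this guide; it is not Auth0's or Descope's implementation. All users,
emails and identity strings below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class User:
    user_id: str
    email: str
    roles: set = field(default_factory=set)
    # Credentials that can sign this user in, e.g. "auth0|..." for the
    # password identity or "samlp|Descope|..." for the federated one.
    identities: set = field(default_factory=set)


class UserStore:
    def __init__(self, users):
        self.users = {u.user_id: u for u in users}

    def by_identity(self, identity: str) -> Optional[User]:
        return next((u for u in self.users.values() if identity in u.identities), None)

    def by_email(self, email: str) -> Optional[User]:
        return next((u for u in self.users.values() if u.email == email), None)

    def create(self, email: str, identity: str) -> User:
        user = User(f"user{len(self.users) + 1}", email, identities={identity})
        self.users[user.user_id] = user
        return user


def login_auto_link(store: UserStore, email: str, identity: str) -> User:
    """Insecure: trusts the email asserted by the federated IdP and merges
    the new identity into whichever existing account has that email."""
    user = store.by_identity(identity)
    if user is not None:
        return user
    existing = store.by_email(email)
    if existing is not None:
        existing.identities.add(identity)  # takeover if `identity` is attacker-owned
        return existing
    return store.create(email, identity)


def login_verify_then_link(store: UserStore, email: str, identity: str,
                           prove_primary: Callable[[User], bool]) -> User:
    """Safer: an unknown federated identity is attached to an existing
    account only after the user proves that account's primary credentials
    (prove_primary stands in for the username/password prompt). If that
    fails, a separate account with no inherited roles is created, which is
    the unmerged outcome described in the guide."""
    user = store.by_identity(identity)
    if user is not None:
        return user
    existing = store.by_email(email)
    if existing is not None and prove_primary(existing):
        existing.identities.add(identity)
        return existing
    return store.create(email, identity)


def takeover_demo() -> dict:
    """Attacker controls a Descope identity that asserts the victim's email."""
    victim_email = "alice@example.com"
    attacker_identity = "samlp|Descope|attacker-sub"

    naive = UserStore([User("alice", victim_email, {"admin"}, {"auth0|alice"})])
    hijacked = login_auto_link(naive, victim_email, attacker_identity)

    safe = UserStore([User("alice", victim_email, {"admin"}, {"auth0|alice"})])
    # The attacker cannot answer Alice's password prompt, so no merge happens.
    separate = login_verify_then_link(safe, victim_email, attacker_identity,
                                      prove_primary=lambda u: False)
    # Alice herself can, so her own Descope identity is merged into her account.
    merged = login_verify_then_link(safe, victim_email, "samlp|Descope|alice-sub",
                                    prove_primary=lambda u: True)
    return {
        "auto_link_roles": hijacked.roles,
        "verified_attacker_roles": separate.roles,
        "verified_attacker_is_alice": separate.user_id == "alice",
        "alice_merged": merged.user_id == "alice"
        and "samlp|Descope|alice-sub" in merged.identities,
    }


if __name__ == "__main__":
    print(takeover_demo())
```

The point generalises beyond Descope: any federated identity whose only link to an existing account is an asserted email attribute must be treated as unproven until the account owner authenticates with credentials the relying party already trusts.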

If you're using a custom login page you've built with Auth0, you will need to add a button or some other way to navigate to where you've embedded the Descope Flow. However, it's likely that you are using the Universal Login Experience that comes with Auth0. If that's the case, you can navigate to the Login Experience tab and select Display connection as a button.

Descope OIDC with Auth0 as auth provider Auth0 configuration 5

This will allow you to redirect back to your Descope Flow and use Descope to perform the authentication rather than Auth0. Your main login screen will now look something like this:

Descope OIDC with Auth0 testing the completed flow

Once the user clicks Continue with Descope Passkeys and completes the Descope flow, Auth0 issues the same session it would for any other login, so the app behaves exactly as though the user had authenticated directly with Auth0.

Sample App

If you're interested in seeing how this is implemented in a sample React application, feel free to check out our sample app on GitHub.

If you have any other questions about Descope or our flows, feel free to reach out to us!
