This guide walks you through setting up OpenID Connect (OIDC) single sign-on between TrueFoundry and Auth0. Once finished, members of your Auth0 tenant can sign in to TrueFoundry through a Login with Auth0 button. For SAML 2.0 instead of OIDC, see SAML with Auth0.

Prerequisites

  • A TrueFoundry tenant with Admin access to Platform → Settings → SSO.
  • An Auth0 tenant with permission to create Applications (Administrator role on the tenant).
You’ll bounce between the Auth0 dashboard and the TrueFoundry SSO settings. Keep both open in adjacent tabs to copy-paste values quickly.

Configuration overview

  1. Create a Regular Web Application in Auth0
     Register a new application in your Auth0 tenant that TrueFoundry will federate with.
  2. Add TrueFoundry's callback URL
     Whitelist TrueFoundry’s redirect URI on the Auth0 application.
  3. Copy the OIDC credentials into TrueFoundry
     Paste the Auth0 Domain, Client ID, and Client Secret into the TrueFoundry SSO form.
  4. Test sign-in
     Verify that an Auth0 user can sign in to TrueFoundry end-to-end.

Step 1 — Create an application in Auth0

  1. Open Applications
     Sign in to the Auth0 dashboard as an administrator. In the left navigation, expand Applications and click Applications, then click Create Application in the top-right.
  2. Choose the application type
     Fill in:
       • Name — a label such as TrueFoundry.
       • Application type — choose Regular Web Applications.
     Click Create.
  3. Open the Settings tab
     On the new application page, click the Settings tab. You’ll use this tab in the next step to register TrueFoundry’s callback URL and copy the credentials.

Step 2 — Add TrueFoundry’s callback URL

  1. Add the Allowed Callback URL
     On the Settings tab, scroll down to Application URIs and set Allowed Callback URLs to:
     https://login.truefoundry.com/oauth2/callback
     If you already have other callback URLs registered, append the TrueFoundry URL with a comma — Auth0 accepts a comma-separated list.
  2. Save the changes
     Scroll to the bottom of the page and click Save Changes.

Step 3 — Copy the OIDC credentials

Still on the Settings tab, scroll up to the Basic Information section.
Auth0 field | Where you’ll paste it in TrueFoundry
Domain | Used to build the Issuer URL
Client ID | Client ID
Client Secret | Client Secret
Click the eye icon next to Client Secret to reveal it, then copy all three values.

Step 4 — (Optional) Enrich the ID token with claims

By default, Auth0’s ID token includes sub, email, and basic profile fields when you request the openid email profile scopes. If you want to send extra information — for example, group memberships — add an Action that decorates the token.
  1. Open Actions
     In the Auth0 dashboard, expand Actions → Library and click Build Custom.
  2. Create a Login flow Action
     Give the Action a name such as Add TrueFoundry claims, choose the Login / Post Login trigger, and click Create.
  3. Add the claims you need
     Paste the snippet below into the editor, then click Deploy:
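exports.onExecutePostLogin = async (event, api) => {
  // Namespace prefix for custom claims. The claims below use plain
  // (non-namespaced) names, so this constant is currently unused.
  const namespace = "https://login.truefoundry.com/";

  // Copy the user's email into the ID token when Auth0 has one on file.
  if (event.user.email) {
    api.idToken.setCustomClaim("email", event.user.email);
  }

  // Expose the user's Auth0 roles as a "groups" claim.
  if (event.authorization && event.authorization.roles) {
    api.idToken.setCustomClaim("groups", event.authorization.roles);
  }
};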
  4. Add it to the Login flow
     Open Actions → Flows → Login, drag your new Action into the flow, and click Apply.
If you add a groups claim, remember to add groups under Scopes when configuring TrueFoundry below.

Step 5 — Configure TrueFoundry

  1. Open the SSO settings
     In TrueFoundry, go to Platform → Settings → SSO and click Configure.
  2. Fill in the SSO form
       • Enabled: turn this on.
       • Name: a label such as Auth0 OIDC.
       • SSO Provider: select Custom.
       • Authentication Configuration: choose OIDC.
       • Client ID: the Client ID from Auth0.
       • Client Secret: the Client Secret from Auth0.
       • Discover endpoints: leave enabled.
       • Issuer URL:
         https://<your-tenant>.auth0.com/
         Replace <your-tenant> with the Domain from your Auth0 application — for example, https://acme.us.auth0.com/. If you use a custom Auth0 domain, use that instead (for example, https://auth.acme.com/).
         Auth0 issuers must end with a trailing slash. https://acme.us.auth0.com (no slash) will fail validation; https://acme.us.auth0.com/ works.
       • Scopes (optional): leave blank to use the default openid email. Add profile if you want first/last name; add groups if you configured the custom claim above.
  3. Save
     Click Save. TrueFoundry validates the issuer URL and stores the credentials.

Step 6 — Test single sign-on

  1. Open a private/incognito window and visit your TrueFoundry login page.
  2. Click Login with Auth0 (or whichever button label you chose under Show advanced fields → Button Text).
  3. Authenticate with an Auth0 user.
You should land in the TrueFoundry dashboard. New users are created automatically if JIT provisioning is enabled; otherwise the user must already exist in TrueFoundry or be invited.

Optional next steps

  • Use SAML instead — see SAML with Auth0 for the equivalent SAML 2.0 flow.

Troubleshooting

Almost always a trailing-slash problem. The Auth0 issuer must end with / — use https://<tenant>.auth0.com/, not https://<tenant>.auth0.com. Update the Issuer URL in TrueFoundry and save again.
Auth0 only emits the email claim when the application requests the email scope. The TrueFoundry default already includes it, but if you overrode Scopes, make sure email is in the list — for example, openid email profile. If you still see an empty value, deploy the Add TrueFoundry claims Action from Step 4 to force email into the ID token, and expand Show advanced fields in TrueFoundry to set Email Claim to email.
Auth0 does not send group/role information by default. Deploy the Action from Step 4, add groups under Scopes in TrueFoundry, and re-test. You can verify the claim by decoding the ID token at jwt.io after a successful sign-in.
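
A local check for the three troubleshooting cases above and the trailing-slash rule from Step 5, as an added example that is not part of the TrueFoundry or Auth0 documentation. It decodes an ID token payload in Node.js without verifying the signature, so it is for inspection only; the function names and the sample token are constructed for illustration, and the issuer check uses the exact string comparison that OIDC requires for the iss claim.

```javascript
// Added example: inspect an ID token locally. Decoding only; the signature is NOT verified.
function decodeIdTokenPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS: expected 3 dot-separated parts");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Returns a list of findings; an empty list means every check passed.
// configuredIssuer is the value you typed into the Issuer URL field.
function checkIdToken(token, configuredIssuer, { expectGroups = false } = {}) {
  const claims = decodeIdTokenPayload(token);
  const findings = [];
  // iss is compared as an exact string, so a missing trailing slash is a mismatch.
  if (claims.iss !== configuredIssuer) {
    const slashOnly = claims.iss === configuredIssuer + "/";
    findings.push(slashOnly
      ? `issuer mismatch: token has "${claims.iss}", configured value lacks the trailing slash`
      : `issuer mismatch: token has "${claims.iss}", configured "${configuredIssuer}"`);
  }
  if (typeof claims.email !== "string" || claims.email === "") {
    findings.push("email claim missing or empty: request the email scope or deploy the Step 4 Action");
  }
  if (expectGroups && !Array.isArray(claims.groups)) {
    findings.push("groups claim missing: deploy the Step 4 Action and add groups under Scopes");
  }
  return findings;
}

// Constructed sample token with a fake signature, so the example runs offline.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}

const sample = makeSampleToken({
  iss: "https://acme.us.auth0.com/",
  sub: "auth0|constructed-user",
  email: "user@example.com",
});

// Correct issuer, groups not expected: no findings.
console.log(checkIdToken(sample, "https://acme.us.auth0.com/"));
// Issuer typed without the slash, groups expected: two findings.
console.log(checkIdToken(sample, "https://acme.us.auth0.com", { expectGroups: true }));
```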