Configure SAML 2.0 single sign-on between TrueFoundry and Auth0 using the SAML2 Web App addon.
This guide walks you through setting up SAML 2.0 single sign-on between TrueFoundry and Auth0. Once finished, members of your Auth0 tenant can sign in to TrueFoundry through a Login with Auth0 button.For OpenID Connect instead of SAML, see OIDC with Auth0.
Back in your Auth0 application, open the Addons tab.
1
Enable SAML2 WEB APP
Locate the SAML2 WEB APP tile and click it. The Addon: SAML2 Web App dialog opens on the Settings tab.
2
Set the Application Callback URL
In the Application Callback URL field, paste the Single Sign On URL from TrueFoundry (from Step 1).
3
Configure the addon settings JSON
Below the callback URL is a Settings code editor that accepts a JSON object. Paste the snippet below, replacing the audience value with the Audience URI (SP Entity ID) from TrueFoundry:
The defaults work for most setups. The mappings block above renames the SAML attributes to match what TrueFoundry looks for out of the box, and forces email to be the SAML NameID.
4
Enable the addon
Scroll to the bottom of the dialog and click Enable, then Save.
Step 4 — Copy Auth0’s IdP details into TrueFoundry
Re-open the Addon: SAML2 Web App dialog and switch to the Usage tab.
1
Copy the Identity Provider Login URL
From the Usage tab, copy the Identity Provider Login URL. This is the SSO endpoint TrueFoundry will redirect to.
2
Copy the Identity Provider Certificate
Click Download next to Identity Provider Certificate (or copy the <X509Certificate> block from the metadata XML).Open the downloaded .pem file in a text editor and copy the entire contents — including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
3
Paste into TrueFoundry
Return to Settings → Security & Access → SSO in TrueFoundry, edit the SSO configuration you created in Step 1, and set:
Identity Provider Endpoint → the Identity Provider Login URL from Auth0.
X.509 Certificate → the certificate text you copied from the .pem file.
Open a private/incognito window and go to your TrueFoundry login page.
Click Login with Auth0 (or whichever button label you chose under Show advanced fields → Button Text).
Authenticate with an Auth0 user.
If sign-in succeeds you’ll land in the TrueFoundry dashboard. New users are created automatically if JIT provisioning is enabled; otherwise the user must already exist in TrueFoundry or be invited.
'Invalid Signature' or 'Could not validate SAML response'
The certificate copied into TrueFoundry doesn’t match Auth0’s signing certificate. Re-download the Identity Provider Certificate from the addon’s Usage tab and paste the full PEM (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) into TrueFoundry.If you’re pasting from the metadata XML directly, wrap the bare base64 inside the BEGIN/END markers before saving.
'AudienceRestriction' mismatch error
The audience value inside the Auth0 addon’s Settings JSON must exactly match TrueFoundry’s Audience URI (SP Entity ID). Re-copy the value from the TrueFoundry SSO configuration card and update the addon settings.
Sign-in works but the user's email is empty
Auth0’s default SAML mappings emit http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress rather than email. Either:
Keep the mappings block from Step 3 (which renames the attribute to email), or
Expand Show advanced fields in TrueFoundry and set Email Claim to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
The Login button works but the user gets 'no matching user found'
Check the provisioning mode under Settings → Security & Access → Provisioning:
Invite-only — the user must be invited from Access → Users first.
JIT — the user is created on first login automatically.