This guide walks you through setting up SAML 2.0 single sign-on between TrueFoundry and Auth0. Once finished, members of your Auth0 tenant can sign in to TrueFoundry through a Login with Auth0 button. For OpenID Connect instead of SAML, see OIDC with Auth0.

Prerequisites

  • A TrueFoundry tenant with Admin access to Platform → Settings → SSO.
  • An Auth0 tenant with permission to create Applications and configure Addons.
You’ll bounce between the Auth0 dashboard and the TrueFoundry SSO settings. Keep both open in adjacent tabs to copy-paste values quickly.

Configuration overview

  1. Create an Auth0 application (or use an existing one). The application acts as the bridge between Auth0 and TrueFoundry.
  2. Get the TrueFoundry SAML metadata. Save a placeholder SAML SSO configuration in TrueFoundry to surface the Callback URL and Issuer.
  3. Enable the SAML2 Web App addon in Auth0. Point the addon at TrueFoundry’s callback URL.
  4. Paste Auth0's IdP details into TrueFoundry. Copy the Identity Provider Login URL and signing certificate into the TrueFoundry SSO form.
  5. Test sign-in. Verify that an Auth0 user can complete a SAML round-trip.

Step 1 — Create or pick an Auth0 application

  1. Open Applications. Sign in to the Auth0 dashboard and click Applications → Applications in the left navigation.
  2. Create or reuse. If you already have an application for TrueFoundry, select it and skip to Step 2. Otherwise click Create Application, enter a Name such as TrueFoundry, select Regular Web Applications, and click Create.

Step 2 — Create the SSO configuration in TrueFoundry

In a second browser tab, open TrueFoundry to generate the Callback URL that the Auth0 addon needs.
  1. Open SSO settings. Go to Platform → Settings → SSO and click Configure.
  2. Fill in the basic fields:
       • Enabled: turn this on.
       • Name: a label such as Auth0 SAML.
       • SSO Provider: choose Custom.
       • Authentication Configuration: select SAML v2.
     Leave Identity Provider Endpoint and X.509 Certificate blank for now — you’ll fill them in after Auth0 surfaces those values.
  3. Save to reveal the Callback URL and Issuer. Click Save. TrueFoundry displays two values on the SSO row that Auth0 needs:
       • Callback URL — the Assertion Consumer Service (ACS) URL. You’ll paste this into the addon’s Application Callback URL field.
       • Issuer — the SP Entity ID. You’ll add this to the addon’s settings JSON in the next step.

Step 3 — Enable the SAML2 Web App addon

Back in your Auth0 application, open the Addons tab.
  1. Enable SAML2 WEB APP. Locate the SAML2 WEB APP tile and click it. The Addon: SAML2 Web App dialog opens on the Settings tab.
  2. Set the Application Callback URL. In the Application Callback URL field, paste the Callback URL from TrueFoundry (the ACS URL surfaced in Step 2).
  3. Configure the addon settings JSON. Below the callback URL is a Settings code editor that accepts a JSON object. Paste the snippet below, replacing the audience value with the Issuer value from TrueFoundry:

     {
       "audience": "<paste-truefoundry-Issuer-here>",
       "mappings": {
         "email": "email",
         "given_name": "given_name",
         "family_name": "family_name",
         "name": "name"
       },
       "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
       "nameIdentifierProbes": [
         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
       ]
     }

     The defaults work for most setups. The mappings block above renames the SAML attributes to match what TrueFoundry looks for out of the box, and forces email to be the SAML NameID.
  4. Enable the addon. Scroll to the bottom of the dialog and click Enable, then Save.

Step 4 — Copy Auth0’s IdP details into TrueFoundry

Re-open the Addon: SAML2 Web App dialog and switch to the Usage tab.
  1. Copy the Identity Provider Login URL. From the Usage tab, copy the Identity Provider Login URL. This is the SSO endpoint TrueFoundry will redirect to.
     You can also click Download under Identity Provider Metadata to grab the full XML. The two values you need (Login URL and signing certificate) are both contained in the metadata file if you prefer that source of truth.
  2. Copy the Identity Provider Certificate. Click Download next to Identity Provider Certificate (or copy the <X509Certificate> block from the metadata XML). Open the downloaded .pem file in a text editor and copy the entire contents — including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
  3. Paste into TrueFoundry. Return to Platform → Settings → SSO in TrueFoundry, edit the SSO configuration you saved in Step 2, and set:
       • Identity Provider Endpoint → the Identity Provider Login URL from Auth0.
       • X.509 Certificate → the certificate text you copied from the .pem file.
     Click Save.

Step 5 — Test single sign-on

  1. Open a private/incognito window and go to your TrueFoundry login page.
  2. Click Login with Auth0 (or whichever button label you chose under Show advanced fields → Button Text).
  3. Authenticate with an Auth0 user.
If sign-in succeeds you’ll land in the TrueFoundry dashboard. New users are created automatically if JIT provisioning is enabled; otherwise the user must already exist in TrueFoundry or be invited.

Optional next steps

  • Use OIDC instead of SAML — see OIDC with Auth0 for the equivalent OpenID Connect flow.

Troubleshooting

The certificate copied into TrueFoundry doesn’t match Auth0’s signing certificate. Re-download the Identity Provider Certificate from the addon’s Usage tab and paste the full PEM (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) into TrueFoundry. If you’re pasting from the metadata XML directly, wrap the bare base64 inside the BEGIN/END markers before saving.
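The certificate check behind Step 4 and the troubleshooting entry above, as an added example (not TrueFoundry's or Auth0's code): it reads the Login URL and signing certificate from downloaded IdP metadata, wraps the bare base64 in BEGIN/END markers, and compares two PEMs by SHA-256 fingerprint. The function names, the sample metadata and URL, and the choice of the first SingleSignOnService entry are assumptions; the sample bytes are a stand-in, not a real certificate.

```python
import base64, hashlib, textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def der_to_pem(der):
    """Wrap DER bytes in BEGIN/END markers with 64-character base64 lines."""
    body = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return "\n".join([BEGIN, *body, END]) + "\n"

def pem_to_der(pem):
    """Decode a PEM block; reject text that lacks the BEGIN/END markers."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("certificate is missing its BEGIN/END lines")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def idp_values_from_metadata(metadata_xml):
    """Return (login_url, signing_cert_pem) from IdP metadata XML."""
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use", "signing") == "signing":  # no "use" means any use
            b64 = "".join(key.find(".//ds:X509Certificate", NS).text.split())
            pem = der_to_pem(base64.b64decode(b64, validate=True))
            break
    else:
        raise ValueError("no signing certificate in metadata")
    # Assumption: the first SingleSignOnService entry is the Login URL.
    login_url = idp.find("md:SingleSignOnService", NS).get("Location")
    return login_url, pem

def same_certificate(pem_a, pem_b):
    """Compare by SHA-256 of the DER bytes, so line wrapping cannot matter."""
    fp = lambda pem: hashlib.sha256(pem_to_der(pem)).hexdigest()
    return fp(pem_a) == fp(pem_b)

# Constructed sample: stand-in bytes, not a real certificate or tenant.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="urn:idp.example.com">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
   <X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</X509Certificate>
  </X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Location="https://idp.example.com/samlp/CLIENT_ID_PLACEHOLDER"
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 </IDPSSODescriptor></EntityDescriptor>"""

if __name__ == "__main__":
    url, pem = idp_values_from_metadata(SAMPLE_METADATA)
    print(url, same_certificate(pem, der_to_pem(SAMPLE_DER)))
```

Feed it the metadata file from the Usage tab and the text in the X.509 Certificate field; a False result from same_certificate means the pasted certificate is not the one in Auth0's metadata.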
The audience value inside the Auth0 addon’s Settings JSON must exactly match the Issuer value shown on the TrueFoundry SSO row. Re-copy the Issuer from TrueFoundry and update the addon settings.
Auth0’s default SAML mappings emit http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress rather than email. Either:
  • Keep the mappings block from Step 3 (which renames the attribute to email), or
  • Expand Show advanced fields in TrueFoundry and set Email Claim to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
Check the provisioning mode under Settings → Security & Access → Provisioning:
  • Invite-only — the user must be invited from Access → Users first.
  • JIT — the user is created on first login automatically.