> ## Documentation Index
> Fetch the complete documentation index at: https://www.truefoundry.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SAML with Auth0

> Configure SAML 2.0 single sign-on between TrueFoundry and Auth0 using the SAML2 Web App addon.

This guide walks you through setting up SAML 2.0 single sign-on between TrueFoundry and Auth0. Once finished, members of your Auth0 tenant can sign in to TrueFoundry through a **Login with Auth0** button.

For OpenID Connect instead of SAML, see [OIDC with Auth0](/docs/platform/sso/auth0/oidc).

## Prerequisites

* A TrueFoundry tenant with **Admin** access to **Settings → Security & Access → SSO**.
* An Auth0 tenant with permission to create **Applications** and configure **Addons**.

<Tip>
  You'll bounce between the **Auth0 dashboard** and the **TrueFoundry SSO settings**. Keep both open in adjacent tabs to copy-paste values quickly.
</Tip>

## Configuration overview

<Steps>
  <Step title="Create the SSO configuration in TrueFoundry">
    Save a SAML SSO configuration in TrueFoundry to surface the **Application Callback URL** and **audience** values Auth0 needs.
  </Step>

  <Step title="Create an Auth0 application">
    Register a new application in your Auth0 tenant that TrueFoundry will federate with.
  </Step>

  <Step title="Enable the SAML2 Web App addon in Auth0">
    Point the addon at TrueFoundry's SP metadata and map `email` and `sub`.
  </Step>

  <Step title="Paste Auth0's IdP details into TrueFoundry">
    Copy the Identity Provider Login URL and signing certificate into the TrueFoundry SSO form.
  </Step>

  <Step title="Test sign-in">
    Verify that an Auth0 user can complete a SAML round-trip.
  </Step>
</Steps>

## Step 1 — Create the SSO configuration in TrueFoundry

<Steps>
  <Step title="Open SSO settings">
    Go to **Settings → Security & Access → SSO**.

    Click the **+** icon labeled **Add New SSO Config**.

    <Frame caption="SSO page in TrueFoundry — click the + icon to add a new SSO configuration">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/saml-truefoundry-add-sso-config.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=f768205b84d9f33ce04a8b8576ab0070" alt="TrueFoundry SSO settings page with the Add New SSO Config plus button highlighted" width="1024" height="263" data-path="images/sso/entra/saml-truefoundry-add-sso-config.png" />
    </Frame>
  </Step>

  <Step title="Fill in the basic fields">
    * **Enabled**: turn this on.
    * **Name**: a lowercase alphanumeric label — for example, `auth0saml`.
    * **SSO Provider**: choose **Custom**.
    * **Authentication Configuration**: select **SAML v2**.

    Leave **Identity Provider Endpoint** and **X.509 Certificate** blank for now — you'll fill them in once Auth0 surfaces those values.
  </Step>

  <Step title="Save to reveal the Single sign-on URL, Audience URI (SP Entity ID), and Relay URL">
    Click **Save**. TrueFoundry displays the values you need for Auth0 on the SSO configuration card:

    | Auth0 field                           | Value from TrueFoundry          |
    | ------------------------------------- | ------------------------------- |
    | **Application Callback URL**          | **Single Sign On URL**          |
    | `audience` in addon **Settings** JSON | **Audience URI (SP Entity ID)** |
    | **Relay State** *(if used)*           | **Relay URL**                   |

    <Frame caption="TrueFoundry SSO configuration card showing the SAML values to copy into Auth0">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/saml-truefoundry-sp-metadata.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=e061fae840c0fa4e8af3c4efe9961a2b" alt="TrueFoundry SSO configuration card displaying Audience URI, Single Sign On URL, Metadata URL, and Relay URL for SAML setup" width="1024" height="391" data-path="images/sso/entra/saml-truefoundry-sp-metadata.png" />
    </Frame>
  </Step>
</Steps>

## Step 2 — Create an Auth0 application

<Steps>
  <Step title="Open Applications">
    Sign in to the [Auth0 dashboard](https://manage.auth0.com/) and click **Applications → Applications** in the left navigation.
  </Step>

  <Step title="Create a new application">
    Click **+ Create Application**. Enter a **Name** such as `TrueFoundry`, select **Regular Web Applications**, and click **Create**.

    <Frame caption="Applications page — click + Create Application">
      <img src="https://mintcdn.com/truefoundry/TVxonWTot44QL8ec/images/sso/auth0/saml-applications-create-application.png?fit=max&auto=format&n=TVxonWTot44QL8ec&q=85&s=a078a08993e3a80c495d5424c1aae5d7" alt="Auth0 Applications page with the Create Application button highlighted" width="1024" height="436" data-path="images/sso/auth0/saml-applications-create-application.png" />
    </Frame>
  </Step>
</Steps>

## Step 3 — Enable the SAML2 Web App addon

Back in your Auth0 application, open the **Addons** tab.

<Steps>
  <Step title="Enable SAML2 WEB APP">
    Locate the **SAML2 WEB APP** tile and click it. The **Addon: SAML2 Web App** dialog opens on the **Settings** tab.

    <Frame caption="Addons tab — open SAML2 WEB APP">
      <img src="https://mintcdn.com/truefoundry/TVxonWTot44QL8ec/images/sso/auth0/saml-addons-saml2-web-app.png?fit=max&auto=format&n=TVxonWTot44QL8ec&q=85&s=53431f8cdec9ab03b8396e6ac4ca6c13" alt="Auth0 application Addons tab showing the SAML2 WEB APP tile" width="1024" height="414" data-path="images/sso/auth0/saml-addons-saml2-web-app.png" />
    </Frame>
  </Step>

  <Step title="Set the Application Callback URL">
    In the **Application Callback URL** field, paste the **Single Sign On URL** from TrueFoundry (from Step 1).
  </Step>

  <Step title="Configure the addon settings JSON">
    Below the callback URL is a **Settings** code editor that accepts a JSON object. Paste the snippet below, replacing the `audience` value with the **Audience URI (SP Entity ID)** from TrueFoundry:

    ```json theme={"dark"}
    {
      "audience": "<paste-truefoundry-Audience-URI-SP-Entity-ID-here>",
      "mappings": {
        "email": "email",
        "sub": "user_id",
        "given_name": "given_name",
        "family_name": "family_name",
        "name": "name"
      },
      "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      "nameIdentifierProbes": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
      ]
    }
    ```

    <Tip>
      The defaults work for most setups. The `mappings` block above renames the SAML attributes to match what TrueFoundry looks for out of the box, and forces `email` to be the SAML `NameID`.
    </Tip>

    <Frame caption="Addon Settings — Application Callback URL and Settings JSON">
      <img src="https://mintcdn.com/truefoundry/TVxonWTot44QL8ec/images/sso/auth0/saml-addon-settings.png?fit=max&auto=format&n=TVxonWTot44QL8ec&q=85&s=6de94c7e003d768b4a91d4d123d95513" alt="Auth0 Addon SAML2 Web App Settings tab showing Application Callback URL and the Settings JSON editor with audience and mappings" width="657" height="884" data-path="images/sso/auth0/saml-addon-settings.png" />
    </Frame>
  </Step>

  <Step title="Enable the addon">
    Scroll to the bottom of the dialog and click **Enable**, then **Save**.
  </Step>
</Steps>

## Step 4 — Copy Auth0's IdP details into TrueFoundry

Re-open the **Addon: SAML2 Web App** dialog and switch to the **Usage** tab.

<Steps>
  <Step title="Copy the Identity Provider Login URL">
    From the **Usage** tab, copy the **Identity Provider Login URL**. This is the SSO endpoint TrueFoundry will redirect to.
  </Step>

  <Step title="Copy the Identity Provider Certificate">
    Click **Download** next to **Identity Provider Certificate** (or copy the `<X509Certificate>` block from the metadata XML).

    Open the downloaded `.pem` file in a text editor and copy the entire contents — including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines.

    <Frame caption="Addon Usage — Identity Provider Login URL and certificate download">
      <img src="https://mintcdn.com/truefoundry/TVxonWTot44QL8ec/images/sso/auth0/saml-addon-usage.png?fit=max&auto=format&n=TVxonWTot44QL8ec&q=85&s=1a847f4bcd343105c38f719b89385c9a" alt="Auth0 Addon SAML2 Web App Usage tab showing Identity Provider Login URL and Download Auth0 certificate link" width="643" height="738" data-path="images/sso/auth0/saml-addon-usage.png" />
    </Frame>
  </Step>

  <Step title="Paste into TrueFoundry">
    Return to **Settings → Security & Access → SSO** in TrueFoundry, edit the SSO configuration you created in Step 1, and set:

    * **Identity Provider Endpoint** → the **Identity Provider Login URL** from Auth0.
    * **X.509 Certificate** → the certificate text you copied from the `.pem` file.

    Click **Save**.
  </Step>
</Steps>

## Step 5 — Test single sign-on

1. Open a private/incognito window and go to your TrueFoundry login page.
2. Click **Login with Auth0** (or whichever button label you chose under **Show advanced fields → Button Text**).
3. Authenticate with an Auth0 user.

If sign-in succeeds you'll land in the TrueFoundry dashboard. New users are created automatically if [JIT provisioning](/docs/platform/user-management#user-provisioning) is enabled; otherwise the user must already exist in TrueFoundry or be invited.

## Optional next steps

* **Use OIDC instead of SAML** — see [OIDC with Auth0](/docs/platform/sso/auth0/oidc) for the equivalent OpenID Connect flow.

## Troubleshooting

<AccordionGroup>
  <Accordion title="'Invalid Signature' or 'Could not validate SAML response'">
    The certificate copied into TrueFoundry doesn't match Auth0's signing certificate. Re-download the **Identity Provider Certificate** from the addon's **Usage** tab and paste the full PEM (including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines) into TrueFoundry.

    If you're pasting from the metadata XML directly, wrap the bare base64 inside the BEGIN/END markers before saving.
  </Accordion>

  <Accordion title="'AudienceRestriction' mismatch error">
    The `audience` value inside the Auth0 addon's **Settings** JSON must exactly match TrueFoundry's **Audience URI (SP Entity ID)**. Re-copy the value from the TrueFoundry SSO configuration card and update the addon settings.
  </Accordion>

  <Accordion title="Sign-in works but the user's email is empty">
    Auth0's default SAML mappings emit `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` rather than `email`. Either:

    * Keep the `mappings` block from Step 3 (which renames the attribute to `email`), or
    * Expand **Show advanced fields** in TrueFoundry and set **Email Claim** to `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`.
  </Accordion>

  <Accordion title="The Login button works but the user gets 'no matching user found'">
    Check the provisioning mode under **Settings → Security & Access → Provisioning**:

    * **Invite-only** — the user must be invited from **Access → Users** first.
    * **JIT** — the user is created on first login automatically.
  </Accordion>
</AccordionGroup>
