Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs-staging.auth0-mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

You can configure a application (service provider) to use Auth0 as an . Some commonly used WS-Fed applications are pre-configured in Auth0 and available via Single Sign-On Integrations. If a WS-Fed application is not listed in Integrations, the WS-Fed application configuration can be accessed using the following steps.
  1. Go to Dashboard > Applications > Applications.
  2. Click Create App.
  3. Enter a name, and click Save.
  4. Go to the Addons tab.
    Enabling both SAML and WS-Fed addons for a single client is not supported and may lead to inconsistent behavior. Use a separate client for each addon.
  5. Scroll to WS-Fed Web App, and enter the Application Callback URL. This is your callback URL in the WS-Fed application to which the WS-Fed response will be posted. It may also be called the ACS or Assertion Consumer Service URL in some applications.
  6. Enter the Realm. This is an identifier sent by the WS-Fed application and is used to identify the application in the response.

Configure claims included in the WS-Fed token response

Unlike the Web App addon, the WS-Fed Web App addon does not include configuration settings that allow you to configure the token generated by Auth0. If you need to change the default settings, you can create a post-login Action similar to: 
exports.onExecutePostLogin = async (event, api) => {

  // only apply changes for the WS-Fed application
  if (event.client.name !== 'Your ws-fed application name') {
    return;
  }

  // exclude the upn claim creation (defaults to true)
  api.samlResponse.setCreateUpnClaim(false);

  // exclude the identities array (defaults to true)
  api.samlResponse.setMapIdentities(false);

  // exclude claims that were not explicitly mapped (defaults to true)
  api.samlResponse.setPassthroughClaimsWithNoMapping(false);

  // this is the default mapping. Remove or change as you like.
  api.samlResponse.setAttribute('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier', event.user.user_id);
  api.samlResponse.setAttribute('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', event.user.email || null);
  api.samlResponse.setAttribute('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', event.user.name || null);
  api.samlResponse.setAttribute('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname', event.user.given_name || null);
  api.samlResponse.setAttribute('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname', event.user.family_name || null);
};

Custom domains

To use your WS-Fed apps with a and with Auth0 as the IdP, update your service provider with new identity provider metadata from Auth0. You can obtain the metadata from: https://<YOUR CUSTOM DOMAIN>/wsfed/FederationMetadata/2007-06/FederationMetadata.xml.

Encrypted responses

If you require encrypted responses, you should use SAML to connect to ADFS. To learn more, read Configure ADFS as SAML Identity Provider and Sign and Encrypt SAML Requests.

Learn more