Safeguard.sh Documentation Center
SSO AuthenticationSAML 2.0

Auth0

Configure Auth0 as a SAML 2.0 identity provider for Safeguard via its SAML2 Web App addon.

Auth0

Auth0 can act as either an OIDC provider (see OpenID Connect) or a SAML IdP via its SAML Web App addon.

  1. In the Auth0 dashboard, open (or create) a Regular Web Application, then enable the SAML2 Web App addon under its Addons tab.
  2. In the addon settings, set Application Callback URL to the ACS URL Safeguard shows after Save.
  3. Optionally set audience to the SP Entity ID Safeguard shows after Save — this sets an audience restriction on the assertion, separate from Auth0's own Issuer.
  4. In the addon's Settings (JSON), ensure "mappings" includes "email": "email" so an attribute literally named email is sent — separate from the Login URL/NameID Auth0 derives from the user profile.
  5. On the addon's Usage tab, copy the Identity Provider Login URL and the Issuer (Auth0's own Entity ID, typically urn:<tenant>.us.auth0.com), and download the Identity Provider Certificate.
  6. In Safeguard, click Add Provider → SAML 2.0 → Auth0, and enter the Login URL, Issuer (Entity ID), and Certificate.
  7. Ensure the connections you want (Database, Google, etc.) are enabled for this specific application.
  8. Click Test in Safeguard to confirm.

Common errors: "wrong tenant" issues after saving usually mean the SAML addon was enabled on a different Application than the one you're editing — double-check the addon's Usage tab shows the app you configured.

On this page