Configuring Auth0 as an identity provider
Notes:
- This guide has been created with the assumption that users have a certain level of familiarity with SAML. Below are the steps for configuring SAML using Auth0 as an IdP (identity provider).
- To configure things on the Auth0 side, you need to have admin Auth0 permissions.
- To configure things on the Flex side, you need to have admin permissions in the Flex account to which you wish to link the IdP.
Obtain information from Flex
- Log into the Flex account to which you wish to link the IdP.
- Identify the UUID of this Flex account. This can be found on the corresponding Account Details page in Flex Enterprise.
Configuration steps (Auth0 side)
- Log into your Auth0 account and click + Create Application.
  You must create a new application for each Dalet Flex account that you want to authenticate against.
- In the Name field, enter a name for your application.
- In the Choose an application type section, select Regular Web Applications.
- Click Create.
- Click the Settings tab. Scroll down to the Allowed Callback URLs section and add the SSO callback URL that you wish to use. It should have the form `https://{account}.{your-flex-deployment.com}/login/saml/SSO`.
- Click Save Changes.
- At the top of the page, click the Addons tab.
- Select SAML2 Web App. In the Settings tab, provide the Application Callback URL (the same URL you added to Allowed Callback URLs in step 5, above) and set the JSON as follows:

```json
{
  "audience": "urn:ooyala:flex:flex-login-app",
  "signResponse": true,
  "signatureAlgorithm": "rsa-sha256",
  "digestAlgorithm": "sha256"
}
```

- Click Debug and test the JSON. If the JSON is valid, the SAML response will be displayed for the application you have specified.
- Click Save.
- In the Settings tab, scroll down and click Show Advanced Settings. Under the Application Metadata tab here, add the key `flexAccountUuid`, using the value of the Flex account UUID you identified earlier.
- Still under Advanced Settings, click the Endpoints tab. Scroll down to the SAML Metadata URL field and copy the URL, or click on it and copy the metadata XML that's downloaded (recommended).
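The Debug step above shows you the raw SAML response, but it does not tell you whether the four addon settings actually took effect. The following Python script is an added example, not part of this guide and not Dalet or Auth0 tooling: it parses a SAML response (paste the XML from the Debug view into `SAMPLE_RESPONSE`) and reports whether the Response element itself is signed, whether the declared signature and digest algorithms are rsa-sha256 and sha256, and whether the assertion is restricted to the `urn:ooyala:flex:flex-login-app` audience. The two embedded responses are constructed samples; the tenant name, element IDs and digest/signature values are placeholders, and the script inspects structure only (it does not cryptographically verify the signature, which Flex does at login).

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# What the addon JSON from the guide should produce. The audience is the value from
# the guide; the URIs are the standard XML-DSig identifiers for rsa-sha256 / sha256.
EXPECTED = {
    "audience": "urn:ooyala:flex:flex-login-app",
    "signature_alg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "digest_alg": "http://www.w3.org/2001/04/xmlenc#sha256",
}


def check_saml_response(xml_text, expected=EXPECTED):
    """Return {check_name: bool} for the settings the addon JSON controls.

    Structural checks only: which element carries the signature, which algorithms
    are declared, which audience is asserted. No cryptographic verification here.
    """
    root = ET.fromstring(xml_text)
    results = {"is_response": root.tag == "{%s}Response" % NS["samlp"]}

    # "signResponse": true -> ds:Signature must be a direct child of samlp:Response,
    # not only of the inner saml:Assertion.
    results["response_signed"] = root.find("ds:Signature/ds:SignedInfo", NS) is not None

    sig_method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    results["signature_alg_ok"] = (
        sig_method is not None and sig_method.get("Algorithm") == expected["signature_alg"]
    )

    digests = root.findall("ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    results["digest_alg_ok"] = bool(digests) and all(
        d.get("Algorithm") == expected["digest_alg"] for d in digests
    )

    # "audience" -> the assertion must be restricted to Flex's audience URI.
    audiences = [
        a.text
        for a in root.findall(
            "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS
        )
    ]
    results["audience_ok"] = expected["audience"] in audiences
    return results


def report(xml_text):
    """Print one PASS/FAIL line per check; return True only if every check passed."""
    results = check_saml_response(xml_text)
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    return all(results.values())


# Constructed sample: what a response matching the addon JSON looks like.
# Tenant, IDs and digest/signature values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_r1">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:ooyala:flex:flex-login-app</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample of a misconfiguration: only the assertion is signed (with SHA-1)
# and the audience is not Flex's. Every check except is_response should fail.
ASSERTION_ONLY_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_a2"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:constructed:some-other-audience</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("--- expected configuration ---")
    report(SAMPLE_RESPONSE)
    print("--- assertion-only signature, wrong audience ---")
    report(ASSERTION_ONLY_SIGNED)
```

The distinction the script draws between a signature on `samlp:Response` and one on `saml:Assertion` matters because `"signResponse": true` is what the guide asks for; a response whose assertion alone is signed will show up as a FAIL on `response_signed` even though a signature is present somewhere in the document.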
Configuration steps (Flex side)
- Log into the Flex account to which you wish to link the IdP.
- On the Account Details page, click the Metadata sub-tab and expand the External Authentication section.
  Specify values for both the Default Role and Default Owner fields.
- Expand the SAML Configuration section. Choose whether you wish to redirect to the IdP login page automatically, and enter the IdP Display Name to be used on the login page (which will only be visible if IdP Redirect is set to No).
- Optionally, enable IdP to Flex Group membership sync. (For this to work correctly, Groups should be configured in Flex with names matching any relevant Groups configured in the IdP.)
- In the SAML Metadata Configuration section, provide either the static IdP metadata (recommended) or the URL from which the IdP metadata can be dynamically retrieved.
- Click Save, to save the configuration.
- Click Enable, to enable the account.
- In another browser, or an incognito window, navigate to Flex. The login page should either redirect to your IdP, or provide an appropriately-titled button allowing you to log in through the IdP, depending on your configuration choices above.