Integrate with Auth0

Enable Single Sign-On with Scalekit and Auth0 via OIDC

This guide walks you through integrating Scalekit with Auth0 to enable Single Sign-On (SSO) authentication for your application's users. You'll learn how to:

• Configure Scalekit to allow enterprise users to log in via Scalekit
• Continue using Auth0 as your identity management solution for user login and session management

Overview of the Workflow

Scalekit is a fully compatible OpenID Connect (OIDC) provider.

This streamlines integration with Auth0, allowing you to:

• Seamlessly integrate Single Sign-On into your application
• Avoid writing additional code

Auth0 will continue serving as your identity management system, handling user login and session management.

note

Auth0 classifies OpenID Connect as an Enterprise Connection, which is only available in paid Auth0 plans. Verify that your current plan includes access to creating Enterprise Connections with OpenID Connect providers.

Considerations

Ensure you have:

To proceed with the integration, ensure you have:

1. Access to the Auth0 Authenticate dashboard
   • You must have an 'Admin' or 'Editor - Connections' role to create and edit OIDC connections on Auth0
2. Access to your Scalekit dashboard

Integrate Scalekit with Auth0

1. Add Scalekit as OIDC connection

To create Scalekit as an OpenID Connect (OIDC) connection for your Auth0 tenant, use the Auth0 Connections API. Here's a sample curl command:

Curl command to add Scalekit as OIDC connection

curl --request POST \
  --url 'https://<AUTH0_TENANT_DOMAIN>.us.auth0.com/api/v2/connections' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  --header 'authorization: Bearer <API_TOKEN>' \
  --data-raw '{ "strategy": "oidc", "name": "Scalekit", "options": { "type": "back_channel", "discovery_url": "<SCALEKIT_ENV_URL>/.well-known/openid-configuration", "client_secret" : "<SCALEKIT_CLIENT_SECRET>", "client_id" : "<SCALEKIT_CLIENT_ID>",  "scopes": "openid profile" } }'

Replace the following placeholders in the command:

Parameter	Description
AUTH0_TENANT_DOMAIN	This is your Auth0 tenant url. Typically, looks like https://yourapp.us.auth0.com
API_TOKEN	Generate an API token from your Auth0 dashboard and use it to authenticate your Auth0 API calls.
SCALEKIT_ENV_URL	Find this in your API config section of Scalekit Dashboard
SCALEKIT_CLIENT_SECRET	Generate a new client secret in your API config section of Scalekit Dashboard and use that here
SCALEKIT_CLIENT_ID	Find this in your API config section of Scalekit Dashboard

After successfully executing the API call to create the Scalekit OIDC connection, you can verify that the new OpenID Connect connection has been added to your Auth0 tenant. If the "Scalekit" connection appears in the list of Enterprise connections, the API call was successful, and the OIDC connection has been properly created.

info

Due to a known issue with Auth0 with adding OIDC connections through the Auth0 Management Console, you must use the Auth0 API to create the OIDC connection.

2. Configure the Redirect URI in Scalekit

After creating the Scalekit OIDC connection in Auth0, you need to configure the Redirect URI in your Scalekit dashboard. This ensures that Auth0 can properly redirect users back to your application after successful authentication.

Step 2a: Copy the Callback URL from Auth0

1. Log in to your Auth0 dashboard
2. Navigate to Authentication > Enterprise > OpenID Connect
3. Click on the "Scalekit" connection to open its settings
4. In the "General" section, locate and copy the "Callback URL"

Copy Callback URL from Auth0 Dashboard

Copy Callback URL from your Auth0 Dashboard

2b. Add the Redirect URI in Scalekit

1. Log in to your Scalekit dashboard
2. Select the appropriate environment (Development or Production)
3. Navigate to Settings > API Config
4. In the "Redirect URIs" section, click on Add new URI
5. Paste the Callback URL copied from the Auth0 dashboard
6. Click on the Add button to save the new Redirect URI

Add new Redirect URI in Scalekit Dashboard

Add new Redirect URI in Scalekit Dashboard

By adding the Auth0 Callback URL as a Redirect URI in Scalekit, you ensure that: Auth0 can securely redirect users back to your application after they authenticate using their Scalekit account The authentication flow is properly completed, and users can access your application's protected resources After configuring the Redirect URI, proceed with testing the integration to verify that users can successfully log in to your application using their Scalekit accounts via Auth0.

3. Onboarding Single Sign-On Customers in Scalekit

To onboard new enterprise customers using Single Sign-On (SSO) login, follow these steps in your Scalekit dashboard:

1. Create an Organization: Set up a new organization for each enterprise customer that will use SSO.
2. Generate Admin Portal Link: Provide your customers with a unique Admin Portal link to configure their SSO settings.
3. Configure Domain: In the Scalekit dashboard, configure the domain for each organization. This domain will be used to identify users who should be authenticated via SSO.

4. Update Home Realm Discovery in Auth0

After configuring Scalekit as an OIDC connection in your Auth0 tenant, you need to enable Home Realm Discovery for your enterprise customers. This configuration helps Auth0 determine which users should be routed to log in via SSO.

1. Log in to your Auth0 dashboard
2. Navigate to Authentication > Enterprise > OpenID Connect
3. Click on the "Scalekit" connection to open its settings
4. Go to the "Login Experience" tab
5. Scroll down to the "Home Realm Discovery" section
6. In the "Identity Provider Domains" field, add a comma-separated list of domains that should be authenticated with SSO via Scalekit

Auth0 uses this configuration to compare the user's email domain at the time of login: If there is a match with one of the configured domains, the user will be redirected to Scalekit's SSO login If there is no match, the user will be prompted to log in via other authentication methods (e.g., password or passwordless login) based on your Auth0 configuration For example, if you want users from three organizations (FooCorp, BarCorp, and AcmeCorp) to access your application using their respective identity providers, add their domains as a comma-separated list:

foocorp.com, barcorp.com, acmecorp.com.

Add domains for Home Realm Discovery in Auth0

After adding the required domains, click Save to apply the Home Realm Discovery settings.

You have now successfully integrated Scalekit with Auth0, enabling seamless SSO authentication for your application's users. Enterprise customers can now log in to your application using their organization's identity provider, while other users can continue to authenticate using the methods configured in your Auth0 tenant.