Configuring SSO with Auth0

Configuring SSO requires configuring both Tarsal and Auth0 in parallel.

Tarsal Walkthrough

To start, login to your Tarsal account as an administrator.

1. Navigate to Settings > Security/SSO and enable "SAML Single Sign-On"

   

2. After enabling SSO, you will see a page with custom assertion values that you will need to input into Auth0. These include:

   1. Entity ID
   2. Assertion Consumer Service (ACS)
   3. Tarsal's Public Certificate

Auth0 Walkthrough

1. Configure Auth0 as a SAML Identify Provider

   1. Use the Assertion Consumer Service (ACS) url provided by tarsal as the value for the Application Callback URL.

2. Update SAML Mappings

   1. Required mappings are
      1. Email
      2. First Name
      3. Last Name
      4. Role
   2. Paste the following code into Settings, and update the ACS URL as above.
      json

          {
            "logout": {
              "callback": <Assertion consumer service URL>
            },
            "mappings": {
              "email": "email",
              "nickname": "nickname",
              "phone_number": "phone_number",
              "picture": "picture",
              "role": "role"
            },
            "createUpnClaim": false,
            "passthroughClaimsWithNoMapping": false,
            "mapUnknownClaimsAsIs": false,
            "mapIdentities": false
          }
      

3. After the app has been enabled, Download the Identity Provider Metadata file. This file will need to be uploaded to Tarsal as part of the Post-Configuration steps.

   

4. Map user attributes. Tarsal allows SAML mappings for the following fields:

   1. Email (required)
   2. First Name (required)
   3. Last Name (required)
   4. Picture URL

Tarsal Post Configuration

1. Upload the Identity Provider metadata file as part of Step 2

2. Configure the User attribute mappers. These should match the key names of the mappers configured above.

3. Configure the Default User Role. This is the role all users will assume if no role mappings are found in the SAML exchange

   📘

   It is recommended to set the Default User Role to 'admin' during configuration.

   Once the configuration has been validated, then it is recommended to set the Default User Role to 'member'

4. Configure Admin Role Mappers. This is where you can map the value of the role assertion to a specific role in Tarsal. For example, the Tarsal role is 'member' but the SAML Attribute Value may be 'readonly'.

   

5. When finished, you can now direct users to login via your customer Login URL. This can be found on the first "Essentials" step on the Single Sign-On settings page.