Before you start
Claim and verify your email domain before setting up SSO. Adding SSO after you onboard many users means reconciling existing accounts with your identity provider.
Set up SSO
- In ION, go to Settings > Organization > Authentication.
- In the Enterprise SSO card, click Configure SSO, then click Open SSO Setup Wizard and follow the steps to connect your identity provider. The wizard walks you through selecting your provider, exchanging SAML or OIDC details, mapping user attributes, and enabling the connection.
- When the wizard is complete, return to ION and click Check Status. Once your IdP connection is live, the card shows SSO Active with your provider and connection name.
The wizard shows you the values to enter into your identity provider and collects your provider’s metadata or signing certificate directly. You don’t need to send anything to First Resonance to complete setup. For more information, see Auth0’s self-service SSO documentation.
Troubleshooting
Check Status shows the connection is not active after completing the wizard.
The wizard must fully complete and the connection must be enabled before ION can verify it. Return to the wizard and confirm the final step shows the connection as enabled, then try Check Status again.
Users get an error or are redirected back to the ION login page after attempting SSO.
Confirm your email domain is claimed and verified in ION before enabling SSO. See Manage domains. Unverified domains won’t route users to your IdP.
Attribute mapping errors, or users are created without the correct name or email.
Check the attribute mapping step in the wizard. ION expects the email attribute to be mapped correctly from your IdP. For SAML providers, the email attribute is typically email or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. Confirm with your IdP’s documentation.
SSO was working and stopped after a certificate rotation.
If your IdP uses SAML and rotated its signing certificate, ION needs to be updated with the new certificate. See Rotate your SAML signing certificate.
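When diagnosing the attribute-mapping problem above, it helps to look at what the IdP actually puts in the assertion rather than guessing. The following script is an added example, not part of the ION documentation or First Resonance's code: it parses a SAML assertion you have already captured and verified (for example from a browser SAML trace) and reports whether the email claim arrives under one of the two attribute names mentioned in the troubleshooting note. The assertion fragments and addresses in it are constructed samples.

```python
"""Added example, not part of the ION documentation or First Resonance's code.

Inspects a captured, already signature-verified SAML assertion and reports
whether the email claim uses one of the attribute names the troubleshooting
note lists. All sample XML below is constructed.
"""
from typing import Dict, Optional
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The two attribute names the troubleshooting note gives for the email claim.
EMAIL_ATTRIBUTE_NAMES = (
    "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
)


def extract_attributes(assertion_xml: str) -> Dict[str, str]:
    """Return {attribute name: first value} for every Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, str] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        value = attr.find("saml:AttributeValue", SAML_NS)
        if name and value is not None and value.text:
            attrs[name] = value.text.strip()
    return attrs


def find_email(assertion_xml: str) -> Optional[str]:
    """Return the email value if it is sent under an expected attribute name."""
    attrs = extract_attributes(assertion_xml)
    for name in EMAIL_ATTRIBUTE_NAMES:
        if name in attrs:
            return attrs[name]
    return None


def diagnose(assertion_xml: str) -> str:
    """One-line verdict comparing what the IdP sent with what ION expects."""
    email = find_email(assertion_xml)
    if email:
        return f"ok: email attribute present ({email})"
    sent = ", ".join(sorted(extract_attributes(assertion_xml))) or "none"
    return f"missing: no email attribute under an expected name; IdP sent: {sent}"


# Constructed assertion fragments (not real IdP output).
ENTRA_STYLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same user, but the IdP releases the address under the name "mail",
# which is the mismapping that leaves ION without a usable email.
MISMAPPED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>bob@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(diagnose(ENTRA_STYLE))
    print(diagnose(MISMAPPED))
```

Run it against an assertion you have captured and the "IdP sent:" list tells you which name to change in the wizard's attribute mapping step (or in the IdP's claim configuration). Signature validation is deliberately out of scope here; only inspect assertions that have already been verified.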
Provider-specific notes
The wizard is the same for every provider and shows you the exact service-provider values to enter into your IdP. These notes cover what’s specific to the most common providers.
Okta
Create a SAML 2.0 app integration in Okta and paste in the Single sign-on URL and Audience URI (SP Entity ID) the wizard displays. They take the form https://firstresonance.auth0.com/login/callback?connection=<connection_name> and urn:auth0:firstresonance:<connection_name>, with the connection name filled in by the wizard. Okta sends the user’s email in the SAML assertion by default. When you provide Okta’s metadata, ION automatically picks the signing certificate if both signing and encryption certificates are listed. Background: Auth0 community guide to Okta as the SAML IdP.
Microsoft Entra ID (Azure AD)
Register the application in the Microsoft Entra admin center using the Reply URL (ACS) the wizard displays (based on https://firstresonance.auth0.com/login/callback), then provide your application’s federation metadata (URL or XML) back in the wizard. Confirm Entra releases the user’s email claim. GovCloud tenants sign in under login.microsoftonline.us. Entra auto-rolls its signing certificate and lists multiple certificates during the overlap, which matters when you later rotate the signing certificate.
ADFS
Configure the relying party in ADFS following Auth0’s ADFS connection documentation, using Realm Identifier urn:auth0:firstresonance and Endpoint https://firstresonance.auth0.com/login/callback. Then provide your ADFS federation metadata URL (for example, https://adfs.yourcompany.com/FederationMetadata/2007-06/FederationMetadata.xml) in the wizard.