Configuring SSO with Auth0
Auth0 can act as the SAML identity provider (IdP) for DeployHQ. This article explains how to configure the Auth0 application and wire its metadata into DeployHQ.
Prerequisites
- DeployHQ Enterprise account with access to Settings → SAML SSO
- Auth0 tenant where you are an administrator
- A database connection, social connection, or enterprise connection that contains the users who will access DeployHQ
Step 1: Create a Regular Web Application
- In the Auth0 Dashboard, go to Applications → Applications.
- Click Create Application, enter "DeployHQ", and choose Regular Web Application.
- In the Settings tab configure:
  - Allowed Callback URLs: https://identity.deployhq.com/authentication/saml/acs
  - Allowed Logout URLs (optional): add your DeployHQ domain if you plan to support SP-initiated logout.
- Click Save Changes.
Step 2: Enable the SAML2 Web App addon
- Open the application you just created and go to the Addons tab.
- Enable SAML2 WEB APP. A configuration modal will open.
- Set the Application Callback URL to https://identity.deployhq.com/authentication/saml/acs. The default options already send the NameID as an email address, so no additional JSON is required unless you want to send extra attributes.
- Click Enable (or Save, depending on the UI). Auth0 will display several pieces of metadata you'll need for DeployHQ: Identity Provider Login URL, Identity Provider Issuer, and the signing certificate.
Step 3: Assign users to the application
- Go to the application’s Connections tab.
- Enable the connections (e.g., Database, Google, Azure AD) that contain the users allowed to access DeployHQ.
- Ensure those users exist and have verified email addresses that match the email addresses used in DeployHQ.
Step 4: Configure DeployHQ
- In DeployHQ open Settings → SAML SSO.
- Choose Configure SAML SSO and populate the form with the Auth0 metadata values:
  - Issuer → Auth0 Identity Provider Issuer (typically urn:auth0:tenant:app)
  - Login URL → Auth0 Identity Provider Login URL
  - Certificate → Copy the certificate shown in the SAML2 addon modal (include the header and footer)
- Click Save Configuration with Enable SAML SSO checked. Optionally enable Enforce SSO once you have validated the flow.
Step 5: Test SSO
- Launch an incognito browser, visit the DeployHQ login page, and click Sign in with SSO.
- Enter your DeployHQ subdomain; you should be redirected to Auth0.
- Authenticate with a user that is part of an enabled connection. After Auth0 issues the assertion you should be logged into DeployHQ.
Troubleshooting tips
- Auth0 invalid audience: Ensure the audience value in the SAML addon configuration is set to deployhq.
- Users redirected back to login: Confirm the user’s Auth0 profile email exactly matches their DeployHQ user email, and that the relevant connection is enabled for the application.
- Certificate parsing errors: Copy the certificate value from the addon modal or download the metadata XML to avoid missing newline characters.
- NameID missing: Verify that nameIdentifierFormat is set to email and that the Auth0 user profile has an email value.
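To see which of the tips above applies, decode the SAMLResponse form value that the browser posts to the callback URL and check the audience, NameID and recipient it carries. The Python script below is an added example, not DeployHQ or Auth0 code: the function names and the unsigned sample responses are constructed for illustration, the email NameID format is the standard SAML 1.1 URN, and the script is diagnostic only (it does not verify the signature).

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://identity.deployhq.com/authentication/saml/acs"  # from this article
AUDIENCE = "deployhq"                                              # from this article
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_saml_response(b64_response, expected_email):
    """List problems in a base64 SAMLResponse value (signature NOT verified)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    audiences = [e.text for e in root.findall(".//a:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append(f"audience is {audiences}, expected {AUDIENCE!r}")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')!r}")
        if name_id.text.strip() != expected_email:
            problems.append(f"NameID {name_id.text.strip()!r} != {expected_email!r}")
    recipients = [e.get("Recipient")
                  for e in root.findall(".//a:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append(f"Recipient is {recipients}, expected the ACS URL")
    return problems

def build_sample(audience, name_id_xml):
    """Constructed, unsigned sample response for demonstration only."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["p"]}" xmlns:saml="{NS["a"]}">'
           f'<saml:Assertion><saml:Subject>{name_id_xml}'
           f'<saml:SubjectConfirmation><saml:SubjectConfirmationData '
           f'Recipient="{ACS_URL}"/></saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
           f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

# Constructed samples: one well-formed, one with a wrong audience and no NameID.
GOOD = build_sample(
    "deployhq", f'<saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>')
BAD = build_sample("urn:example:other", "")

if __name__ == "__main__":
    print(check_saml_response(GOOD, "alice@example.com"))
    print(check_saml_response(BAD, "alice@example.com"))
```
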
Official resources
- Auth0 Docs: SAML2 Web App add-on — explains how to enable the addon, configure callback/audience values, and download the IdP metadata that DeployHQ requires.