Setting Up Auth0 SAML for Single Sign-On

Configure Auth0 as a SAML identity provider for PlaidCloud Single Sign-On

PlaidCloud supports Single Sign-On (SSO) via SAML 2.0. This guide walks through configuring Auth0 as a SAML identity provider so your organization's users can authenticate through Auth0 when accessing PlaidCloud.

Note: The PlaidCloud-side configuration is handled by the PlaidCloud team. Your responsibility is to set up the SAML application in Auth0 and provide PlaidCloud with your Identity Provider Metadata URL. PlaidCloud support will complete the remaining configuration.

Prerequisites

An Auth0 tenant
An Auth0 account with the Administrator role
Contact with PlaidCloud support to coordinate the setup and exchange configuration values

Overview

The setup process involves two parties exchanging SAML metadata:

You configure an application in Auth0 with the SAML2 Web App addon enabled and provide PlaidCloud with your Identity Provider Metadata URL.
PlaidCloud provides you with the Service Provider (SP) Entity ID and ACS URL (Assertion Consumer Service URL) needed to complete your Auth0 application configuration.

Coordinate with PlaidCloud support to obtain the SP values before completing Step 3 below.

Step 1: Create an Application

Sign in to the Auth0 Dashboard.
In the left sidebar, navigate to Applications > Applications.
Click Create Application.
Enter a name for the application (e.g., PlaidCloud SSO).
Select Regular Web Applications as the application type.
Click Create.

Step 2: Enable the SAML2 Web App Addon

On the application detail page, select the Addons tab.
Click the SAML2 Web App addon to enable it.
The addon settings panel will open. Leave it open — you will configure it in the next step.

Step 3: Configure SAML Settings

Note: You will need the SP Entity ID and ACS URL from PlaidCloud before completing this step. Contact PlaidCloud support to obtain these values.

In the SAML2 Web App addon settings panel:

In the Application Callback URL field, enter the ACS URL provided by PlaidCloud.
In the Settings JSON editor, set the audience field to the SP Entity ID provided by PlaidCloud:

{
  "audience": "your-sp-entity-id-from-plaidcloud",
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
  },
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

Click Enable (or Save) to apply the settings.

Step 4: Retrieve and Send the Identity Provider Metadata URL

Once the addon is enabled, locate the metadata URL and send it to PlaidCloud so the integration can be completed.

In the SAML2 Web App addon settings panel, select the Usage tab.
Copy the Identity Provider Metadata URL (formatted as https://{your-auth0-domain}/samlp/metadata/{client-id}).

Send this Metadata URL to PlaidCloud support. This is the Entity Descriptor URL that PlaidCloud needs to configure the trust relationship on the identity provider side. Once PlaidCloud receives this URL, the team will complete the Keycloak configuration and notify you when SSO is ready to test.

Step 5: Configure Attribute Mappings for Groups (Optional)

If your PlaidCloud configuration uses group-based security role assignments, you can pass group membership through the SAML assertion using Auth0 rules or actions.

Using Auth0 Actions

In the left sidebar, navigate to Actions > Library.
Click Build Custom and create a new action for the Login / Post Login trigger.
Add logic to append group information to the SAML assertion. For example, if groups are stored as user metadata:

exports.onExecutePostLogin = async (event, api) => {
  const groups = event.user.app_metadata?.groups || [];
  api.samlResponse.setAttribute("groups", groups);
};

Deploy the action and add it to the Login flow.

Note: Discuss with PlaidCloud support which group attribute name and format are expected so that group-based security role assignments work correctly in PlaidCloud.

Step 6: Control User Access

Auth0 controls which users can authenticate based on the connections and rules attached to the application.

On the application detail page, select the Connections tab.
Enable the appropriate connections (e.g., your organization's database connection, Active Directory, or social connections) for this application.
Disable any connections that should not have access to PlaidCloud.

To restrict access to specific users within a connection, use Auth0 Actions or Rules to allow or deny authentication based on user attributes or group membership.

Testing the Integration

After PlaidCloud confirms the configuration is complete:

Navigate to your organization's PlaidCloud Workspace (e.g., https://my-workspace.plaid.cloud).
You will be redirected to the Auth0 sign-in page (or your configured connection's login).
Sign in with your Auth0 credentials.
Upon successful authentication, you will be redirected back to PlaidCloud.

If you encounter errors, verify that:

The Application Callback URL and audience match exactly what PlaidCloud provided
The SAML2 Web App addon is enabled on the application
The nameIdentifierFormat is set to the email address format
The Metadata URL you sent to PlaidCloud is accessible
The user's connection is enabled on the application