diff --git a/main/docs.json b/main/docs.json
index dc2ce7ed39..d513f2899b 100644
--- a/main/docs.json
+++ b/main/docs.json
@@ -876,10 +876,10 @@
"pages": [
"docs/authenticate/enterprise-connections",
{
- "group": "Self-Service Single Sign-On",
+ "group": "Self-Service Enterprise Configuration",
"pages": [
- "docs/authenticate/enterprise-connections/self-service-SSO",
- "docs/authenticate/enterprise-connections/self-service-SSO/manage-self-service-sso",
+ "docs/authenticate/enterprise-connections/self-service-enterprise-config",
+ "docs/authenticate/enterprise-connections/self-service-enterprise-configuration/manage-self-service-enterprise-config",
"docs/authenticate/enterprise-connections/connection-profile",
"docs/authenticate/enterprise-connections/user-attribute-profile"
]
@@ -4572,8 +4572,8 @@
{
"group": "Self-Service Single Sign-On",
"pages": [
- "docs/fr-ca/authenticate/enterprise-connections/self-service-SSO",
- "docs/fr-ca/authenticate/enterprise-connections/self-service-SSO/manage-self-service-sso"
+ "docs/fr-ca/authenticate/enterprise-connections/self-service-enterprise-config",
+ "docs/fr-ca/authenticate/enterprise-connections/self-service-enterprise-config/manage-self-service-enterprise-config"
]
},
"docs/fr-ca/authenticate/enterprise-connections/private-key-jwt-client-auth"
@@ -7858,8 +7858,8 @@
{
"group": "Self-Service Single Sign-On",
"pages": [
- "docs/ja-jp/authenticate/enterprise-connections/self-service-SSO",
- "docs/ja-jp/authenticate/enterprise-connections/self-service-SSO/manage-self-service-sso"
+ "docs/ja-jp/authenticate/enterprise-connections/self-service-enterprise-config",
+ "docs/ja-jp/authenticate/enterprise-connections/self-service-enterprise-config/manage-self-service-enterprise-config"
]
},
"docs/ja-jp/authenticate/enterprise-connections/private-key-jwt-client-auth"
@@ -12095,7 +12095,7 @@
"destination": "/docs/get-started/auth0-for-ai-agents"
},
{
- "source": "/docs/authenticate/enterprise-connections/self-service-SSO/user-attribute-profile",
+ "source": "/docs/authenticate/enterprise-connections/self-service-enterprise-config/user-attribute-profile",
"destination": "/docs/authenticate/enterprise-connections/user-attribute-profile"
},
{
@@ -12196,7 +12196,7 @@
},
{
"source": "/docs/authenticate/single-sign-on/self-service-SSO",
- "destination": "/docs/authenticate/enterprise-connections/self-service-SSO"
+ "destination": "/docs/authenticate/enterprise-connections/self-service-enterprise-config"
},
{
"source": "/docs/quickstart/backend/acul/interactive",
diff --git a/main/docs/authenticate/enterprise-connections/connection-profile.mdx b/main/docs/authenticate/enterprise-connections/connection-profile.mdx
index 41f8c1a92e..235982a7c5 100644
--- a/main/docs/authenticate/enterprise-connections/connection-profile.mdx
+++ b/main/docs/authenticate/enterprise-connections/connection-profile.mdx
@@ -12,7 +12,7 @@ The Connection Profile (CP) enables Auth0 developers to specify how the private
An administrator creates a Connection Profile that defines the property values that should be written to the connection whenever they are created using one of Auth0 delegated administration features.
* **Flexible Scope**
- Profiles are linked to Self-Service SSO and Okta Express Configuration flows today but are designed for broader reuse, covering provisioning, onboarding, entitlement management, and future Auth0 capabilities.
+ Profiles are linked to Self-Service Enterprise Configuration and Okta Express Configuration flows today but are designed for broader reuse, covering provisioning, onboarding, entitlement management, and future Auth0 capabilities.
## Connection Profile properties
A Connection Profile is a `JSON` object that supports these configurable properties, which are applied to all newly created connections.
diff --git a/main/docs/authenticate/enterprise-connections/self-service-SSO.mdx b/main/docs/authenticate/enterprise-connections/self-service-enterprise-config.mdx
similarity index 66%
rename from main/docs/authenticate/enterprise-connections/self-service-SSO.mdx
rename to main/docs/authenticate/enterprise-connections/self-service-enterprise-config.mdx
index 451c2380d8..c031d7c7b9 100644
--- a/main/docs/authenticate/enterprise-connections/self-service-SSO.mdx
+++ b/main/docs/authenticate/enterprise-connections/self-service-enterprise-config.mdx
@@ -1,16 +1,13 @@
---
-description: Learn how to use Self-Service Single Sign-On to delegate SSO setup to your B2B customers.
-sidebarTitle: Overview
-title: Self-Service Single Sign-On
+description: Learn how to use Self-Service Enterprise Configuration to delegate SSO setup to your B2B customers.
+sidebarTitle: Self-Service Enterprise Configuration
+title: Self-Service Enterprise Configuration
validatedOn: 2026-02-19
---
-
-Provisioning and Domain Verification for Self-Service SSO is in Early Access. By using this feature, you agree to the applicable Free Trial terms in [Okta’s Master Subscription Agreement](https://www.okta.com/legal/). To learn more about Auth0’s product release cycle, read [Product Release Stages](/docs/troubleshoot/product-lifecycle/product-release-stages).
-
-Self-Service Single Sign-On (SSO) provides business-to-business (B2B) customers with the tools needed to delegate SSO setup to their enterprise customers. By delegating this task, you can streamline your onboarding process and grant customers more autonomy over their sign-on experience. You can also reduce the time and costs associated with managing SSO across your customer base.
+Self-Service Enterprise Configuration provides business-to-business (B2B) customers with the tools needed to delegate SSO setup to their enterprise customers. By delegating this task, you can streamline your onboarding process and grant customers more autonomy over their sign-on experience. You can also reduce the time and costs associated with managing SSO across your customer base.
-Self-Service SSO requires minimal configuration in your Auth0 tenant and provides your customers with a setup assistant that guides them through the enablement process. After a customer completes their setup, the SSO integration is automatically added to your tenant as an [Enterprise connection](/docs/authenticate/enterprise-connections).
+Self-Service Enterprise Configuration requires minimal configuration in your Auth0 tenant and provides your customers with a setup assistant that guides them through the enablement process. After a customer completes their setup, the SSO integration is automatically added to your tenant as an [Enterprise connection](/docs/authenticate/enterprise-connections).
@@ -21,11 +18,9 @@ Users with the following Dashboard roles can engage with this feature:
-To learn more about Auth0’s subscription, read [Manage Subscriptions](/docs/troubleshoot/customer-support/manage-subscriptions). To upgrade your subscriptions, contact your Technical Account Manager or [Auth0 Sales](https://auth0.com/get-started?place=header&type=button&text=talk%20to%20sales).
+**Self-Service Enterprise Configuration supported providers**
-**Supported Providers**
-
-Self-Service SSO currently supports the following identity providers:
+Single-sign On (SSO) currently supports the following identity providers:
* Okta Workforce Identity
* Auth0
@@ -37,24 +32,23 @@ Self-Service SSO currently supports the following SAML
-Self-Service Provisioning currently supports the following identity providers:
+Provisioning currently supports the following identity providers:
* Okta Workforce Identity
* Entra ID
* Generic OIDC
* Generic SAML
-
## How it works
-Self-Service SSO uses the following components to delegate setup to your customers:
+Self-Service Enterprise Configuration uses the following components to delegate setup to your customers:
-* **Self-service profile**: Defines key elements of customer SSO implementations, such as the identity providers they can use for SSO and which user attributes they must capture, such as email. You can create up to 20 profiles in your tenant for different customers or segments.
+* **Self-service profile**: Defines key elements of customer implementations, such as the identity providers they can use for SSO and which user attributes they must capture, such as email. You can create up to 20 profiles in your tenant for different customers or segments.
* **Self-service access ticket**: Grants your customers admin access to the self-service assistant and sets specific details for the resulting Enterprise connection. Those customer admins can either create new or modify existing connections.
-* **SSO setup assistant**: Guides your customer admins through the SSO setup process. To learn more about this experience, review the Self-service assistant experience.
+* **Self-service setup assistant**: Guides your customer admins through the SSO setup process. To learn more about this experience, review the Self-service assistant experience.
-### Self-Service SSO workflow
+### Self-Service Enterprise Configuration workflow
-The steps below provide the general workflow for using Self-Service SSO. These tasks can be completed through either the Management API or the Auth0 Dashboard.
+The steps below provide the general workflow for using Self-Service Enterprise Configuration. These tasks can be completed through either the Management API or the Auth0 Dashboard.
1. You (the Auth0 customer) create a self-service profile in your tenant.
2. You then create a self-service access ticket associated with that self-service profile. When generating the ticket, you can decide whether your customer admin will create a new connection or modify an existing connection through the self-service assistant.
@@ -66,7 +60,12 @@ The steps below provide the general workflow for using Self-Service SSO. These t
## Self-service assistant experience
-The self-service assistant is a multi-step experience that guides customer admins through configuring SSO and optionally verifying their domain. This experience includes both interactive elements as well as instructions for making the appropriate changes in their selected IdP system.
+The self-service assistant is a multi-step experience that guides customer admins through:
+ * SSO configuration
+ * Domain verification
+ * Provisioning set-up
+
+This experience includes both interactive elements as well as instructions for making the appropriate changes in their selected IdP.
While the exact requirements for configuring SSO vary by IdP, the general workflow for the self-service assistant includes the following:
@@ -88,7 +87,7 @@ Depending on how you (the Auth0 customer) configure the access ticket, the exper
| Configuration | Description |
| --- | --- |
-| Verified Domain Association | Customer admins select and associate existing domains with the new connection without verifying the DNS TXT record if the ticket is scoped to one Organization and the Organization: - Must have the **Allow Use of Domains for Organzation Discovery** option enabled.
- Must have **Domain Verification** set to `Optional` or `Required`.
The assistant automatically detects previously verified domains for that specific Organization. |
+| Verified Domain Association | Customer admins select and associate existing domains with the new connection without verifying the DNS TXT record if the ticket is scoped to one Organization and the Organization: - Must have the **Allow Use of Domains for Organization Discovery** option enabled.
- Must have **Domain Verification** set to `Optional` or `Required`.
The assistant automatically detects previously verified domains for that specific Organization. |
| Domain Verification set to `Required` | Customer admins must successfully verify a new domain via DNS or associate an existing verified domain before they can enable the connection. |
| Domain Verification set to `Optional` | Customer admin can choose to enter a new domain for verification, associate an existing one, or skip the step. In all cases, the admin can enable the connection regardless of the verification status. |
| Domain Verification set to `Off` | Custom admins do nothing. This step does not appear to customer admins, and the flow ends after Test SSO. |
@@ -96,7 +95,7 @@ Depending on how you (the Auth0 customer) configure the access ticket, the exper
-To learn more, review [Manage Self-Service SSO](/docs/authenticate/enterprise-connections/self-service-SSO/manage-self-service-sso).
+To learn more, review [Manage Self-Service Enterprise Configuration](/docs/authenticate/enterprise-connections/self-service-enterprise-config/manage-self-service-sso).
### Example self-service assistant flow
@@ -109,19 +108,19 @@ The images below demonstrate an example self-service assistant experience. In th
-**3. Create Application (truncated)**
+**3. Create application (truncated)**
-**4. Configure Connection**
+**4. Configure connection**
-**5. Claims Mapping**
+**5. Claims mapping**
-**6. Assign Access**
+**6. Assign access**
@@ -129,7 +128,7 @@ The images below demonstrate an example self-service assistant experience. In th
-**8. Provisioning - Create Application**
+**8. Provisioning - Create application**
@@ -137,14 +136,14 @@ The images below demonstrate an example self-service assistant experience. In th
-**10. Provisioning - SCIM Mapping**
+**10. Provisioning - SCIM mapping**
-**11. Domain Verification**
+**11. Domain verification**
-## Using Self-Service SSO
+## Using Self-Service Enterprise Configuration
-To learn how you can use Self-Service SSO for your customers, review [Manage Self-Service SSO](/docs/authenticate/enterprise-connections/self-service-SSO/manage-self-service-sso). This resource provides technical information for creating self-service profiles and managing access tickets, as well as useful reference information such as rate limits.
+To learn how you can use Self-Service Enterprise Configuration for your customers, review [Manage Self-Service Enterprise Configuration](/docs/authenticate/enterprise-connections/self-service-enterprise-config/manage-self-service-sso). This resource provides technical information for creating self-service profiles and managing access tickets, as well as useful reference information such as rate limits.
diff --git a/main/docs/authenticate/enterprise-connections/self-service-SSO/manage-self-service-sso.mdx b/main/docs/authenticate/enterprise-connections/self-service-enterprise-configuration/manage-self-service-enterprise-config.mdx
similarity index 72%
rename from main/docs/authenticate/enterprise-connections/self-service-SSO/manage-self-service-sso.mdx
rename to main/docs/authenticate/enterprise-connections/self-service-enterprise-configuration/manage-self-service-enterprise-config.mdx
index fd15d818c0..872b09c742 100644
--- a/main/docs/authenticate/enterprise-connections/self-service-SSO/manage-self-service-sso.mdx
+++ b/main/docs/authenticate/enterprise-connections/self-service-enterprise-configuration/manage-self-service-enterprise-config.mdx
@@ -1,16 +1,12 @@
---
-description: Use Self-Service SSO to delegate SSO setup to your B2B customers.
-title: Manage Self-Service SSO
+description: Use Self-Service Enterprise Configuration to delegate SSO setup to your B2B customers.
+title: Manage Self-Service Enterprise Configuration
validatedOn: 2026-02-19
---
-
-Provisioning and Domain Verification for Self-Service SSO is in Early Access. By using this feature, you agree to the applicable Free Trial terms in [Okta’s Master Subscription Agreement](https://www.okta.com/legal/). To learn more about Auth0’s product release cycle, read [Product Release Stages](/docs/troubleshoot/product-lifecycle/product-release-stages).
-
-
-Self-Service Single Sign-On (SSO) provides business-to-business (B2B) customers with the tools needed to delegate SSO setup to their enterprise customers.
+Self-Service Enterprise Configuration provides business-to-business (B2B) customers with the tools needed to delegate SSO setup to their enterprise customers and requires minimal configuration in your Auth0 tenant to provide your customers with a self-service assistant to guide them through the enablement process.
-Self-Service SSO requires minimal configuration in your Auth0 tenant and provides your customers with a self-service assistant that guides them through the enablement process. After a customer completes their setup, the SSO integration is automatically added to your tenant as an [Enterprise connection](/docs/authenticate/enterprise-connections).
+After a customer completes their setup, the SSO integration is automatically added to your tenant as an [Enterprise connection](/docs/authenticate/enterprise-connections).
@@ -21,10 +17,10 @@ Users with the following Dashboard roles can engage with this feature:
-To facilitate Self-Service SSO, you will configure the following components using either the Management API or the Auth0 Dashboard:
+To facilitate Self-Service Enterprise Configuration, you will configure the following components using either the Management API or the Auth0 Dashboard:
* **Self-service profile**: Defines key elements of customer SSO implementations, including the identity providers (IdPs) they can use and which user attributes they must capture, such as email. You can create up to 20 profiles in your tenant for different customers or segments.
-* **Self-service access ticket**: Grants customer admins access to the [**self-service assistant**](/docs/authenticate/enterprise-connections/self-service-SSO#self-service-assistant-experience) and sets specific details for their resulting Enterprise connection. Access tickets allow customer admins to either create new or modify existing connections.
+* **Self-service access ticket**: Grants customer admins access to the [**self-service assistant**](/docs/authenticate/enterprise-connections/self-service-enterprise-config#self-service-assistant-experience) and sets specific details for their resulting Enterprise connection. Access tickets allow customer admins to either create new or modify existing connections.
The sections below provide expanded steps for configuring self-service profiles and generating self-service access tickets to share with customer admins.
@@ -44,7 +40,7 @@ You can create up to 20 profiles as needed to accommodate different customers or
To create a self-service profile on the Auth0 Dashboard:
-1. Navigate to [Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise) and open the **Self-Service SSO** section. Then, select **Create Profile**.
+1. Navigate to [Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise) and open the **Self-Service Enterprise Configuration** section. Then, select **Create Profile**.
2. In the space provided, enter a name and optional description for the profile. Then, select **Create**.
A. **Optional** Attach a User Attribute Profile.
@@ -86,7 +82,7 @@ To create a self-service profile, first call the Self-Service Profiles endpoint
| `user_attributes[].is_optional` | Yes, when defining user attributes. | Boolean.
Indicates whether an attribute is optional or required by the customer in order for the application to function.
- To set an attribute as required, use `true`.
- For optional attributes, use `false`.
|
| `user_attribute_profile_id` | No. | ID of the [User Attribute Profile](/docs/authenticate/enterprise-connections/user-attribute-profile) to associate with self-service accounts. |
-**Example Request Body**
+**Example request body**
```json lines
{
@@ -109,7 +105,6 @@ To create a self-service profile, first call the Self-Service Profiles endpoint
}
```
-
#### Customize your introduction text
When a customer admin accesses the self-service assistant, they first land on an introduction page that welcomes them to the experience. By default, the following message is provided:
@@ -133,10 +128,10 @@ Be aware that this call **overwrites** any messaging currently set for the self-
| Property | Description |
| --- | --- |
-| `introduction` | String. Maximum length is 2000.
Full introduction text to display on the landing page of the self-service assistant. Text can include basic formatting options, such as bolding or hyperlinks.
Custom text provided through this parameter completely overwrites any previous messaging. For best results, ensure you provide the full message you wish to display to customer admins.
Sending an empty body `\{}` resets any customized messaging to the default text. |
+| `introduction` | - String. Maximum length is 2000.
- Full introduction text to display on the landing page of the self-service assistant. Text can include basic formatting options, such as bolding or hyperlinks.
- Custom text provided through this parameter completely overwrites any previous messaging. For best results, ensure you provide the full message you wish to display to customer admins.
- Sending an empty body `\{}` resets any customized messaging to the default text.
|
3. In response, the created entity is returned.
-**Example Call**
+**Example call**
```js lines
PUT /api/v2/self-service-profiles/ssp_1234567890/custom-text/en/get-started
@@ -146,12 +141,7 @@ PUT /api/v2/self-service-profiles/ssp_1234567890/custom-text/en/get-started
}
```
-
-
-
-
-
-**Example Response**
+**Example response**
```js lines
{
@@ -176,16 +166,18 @@ When generating access tickets, you can also enable certain features such as Enterprise](https://manage.auth0.com/#/connections/enterprise) and access the **Self-Service SSO** section. Then, select the self-service profile with which you want to create an access ticket.
+1. Navigate to [Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise) and access the **Self-Service Enterprise Configuration** section. Then, select the self-service profile with which you want to create an access ticket.
2. Select **Generate Ticket** to open the ticket form. Under **Select ticket type**, choose **Create a new connection**.
3. Under **Ticket configuration**, provide a required name for the connection your customer admin will configure.
4. In the **Settings** section, configure additional options as needed for the new connection:
@@ -251,7 +264,7 @@ To generate an access ticket for a new connection through the Auth0 Dashboard:
* **Assign membership on login for organizations**: Automatically grant organization membership to users who authenticate with the connection.
* **Enable as a domain level connection**: Allow 3rd-party applications to use the connection; requires [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration).
* **Accept SAML IdP-initiated SSO**: Enables [SAML Identity Provider-initiated SSO](/docs/authenticate/protocols/saml/saml-sso-integrations/identity-provider-initiated-single-sign-on).
-5. Under **Domain-Based Discovery**, optionally provide a comma-separated list of IdP domains to compare to users’ email domains. These domains are stored in `options.domain_aliases` and drive HRD. Domains added here are treated as trusted and do not require customer admin verification. For more information, review [Home Realm Discovery](#home-realm-discovery).
+5. Under **Domain-Based Discovery**, optionally provide a comma-separated list of already verified or to be verified IdP domains to compare to users’ email domains. These domains are stored in `options.domain_aliases` and drive HRD. To learn more, read [Home Realm Discovery](#home-realm-discovery).
6. Under **Domain Verification Requirement**, choose your desired level of verification:
* **Off**: Customer admins are not prompted to verify their domain when setting up SSO. **Off** is the default setting for new access tickets.
* **Optional**: Customer admins are prompted to verify their domain when setting up SSO. However, they can skip this step and enable their connection without completing verification.
@@ -275,7 +288,7 @@ To generate an access ticket for a new connection through the Auth0 Dashboard:
A Ticket Information popup containing the access ticket URL then displays. Copy and save this URL somewhere safe, as you cannot retrieve this URL again after closing the popup.
-You can share the access ticket URL with your customer admin through email, chat, or another communication channel to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review [Self-service assistant experience](/docs/authenticate/enterprise-connections/self-service-SSO#self-service-assistant-experience).
+You can share the access ticket URL with your customer admin through email, chat, or another communication channel to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review [Self-service assistant experience](/docs/authenticate/enterprise-connections/self-service-enterprise-config#self-service-assistant-experience).
@@ -302,18 +315,22 @@ In the request body, specify the parameters described in the table below.
| `connection_config.is_domain_connection` | **Optional**. Boolean.
Set to `true` if the connection is at the domain level; requires [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration). |
| `connection_config.show_as_button` | **Optional**. Boolean.
When `true`, the connection displays as an authentication option on your application's login screen. |
| `connection_config.metadata` | **Optional**. Object[].
Metadata associated with the new connection.
Object can contain up to 10 key-value pairs. String values limited to 255 characters. |
-| `connection_config.options` | **Optional**. Object[].
Options for the new connection, including:
- `icon_url`
- `domain_aliases[]`
- `idpinitiated`
|
+| `connection_config.options` | **Optional**. Object[].
Options for the new connection, including:- `icon_url`
- `domain_aliases[]`
- `idpinitiated`
|
| `connection_config.options.icon_url` | **Optional**. String.
URL of the icon image to use if `connection_config.show_as_button` is enabled. Must use HTTPS. |
-| `connection_config.options.domain_aliases` | **Optional**. String[].
Domains to use for home realm discovery.
Domains entered into `domain_aliases` are automatically marked as verified. To have a customer admin verify a domain themselves, do not specify this attribute and instead use `domain_aliases_config` (described further on in this table). This option allows you to prompt the customer admin to verify their domain through the self-service assistant.
For more information, review [Domain Verification and Home Realm Discovery](/docs/authenticate/enterprise-connections/self-service-SSO/manage-self-service-sso#domain-verification-and-home-realm-discovery). |
-| `connection_config.options.idpinitiated` | **Optional**. Object.
Allows [SAML IdP-initiated SSO](/docs/authenticate/enterprise-connections/self-service-SSO/manage-self-service-sso#saml-idp-initiated-sso) and includes the following attributes:
- `enabled`
- `client_id`
- `client_protocol`
- `client_authorizequery`
For full details, review the [SSO Access Ticket](https://auth0.com/docs/api/management/v2/self-service-profiles/post-sso-ticket) endpoint in the Management API Explorer. |
+| `connection_config.options.domain_aliases` | **Optional**. String[].
Domains to use for home realm discovery.
Domains entered into `domain_aliases` are automatically marked as verified. To have a customer admin verify a domain themselves, do not specify this attribute and instead use `domain_aliases_config` (described further on in this table). This option allows you to prompt the customer admin to verify their domain through the self-service assistant.|
+| `connection_config.options.idpinitiated` | **Optional**. Object.
Allows [SAML IdP-initiated SSO](/docs/authenticate/enterprise-connections/self-service-enterprise-config/manage-self-service-enterprise-config#saml-idp-initiated-sso) and includes the following attributes:
- `enabled`
- `client_id`
- `client_protocol`
- `client_authorizequery`
For full details, review the [SSO Access Ticket](https://auth0.com/docs/api/management/v2/self-service-profiles/post-sso-ticket) endpoint in the Management API Explorer. |
+| `domain_aliases_config` | **Optional**. Object.
Contains `domain_verification` and `pending_domains` properties for configuring domain verification behavior.
To learn more, review [Domain Verification and Home Realm Discovery](/docs/authenticate/enterprise-connections/self-service-enterprise-configuration/manage-self-service-enterprise-config#domain-verification-and-home-realm-discovery)|
+| `domain_aliases_config.domain_verification` | **Optional**. String.
Determines whether domain verification is required, optional, or disabled.
Options include:- `none`: Disables domain verification. You can also disable domain verification by leaving the `domain_aliases_config` object out of your request.
- `optional`: Allows customer admins to skip domain verification during setup.
- `required`: Requires customer admins to verify their domain during setup.
|
+| `domain_aliases_config.pending_domains` | **Optional**. String\[].
Domains to be verified by the IT admin during setup. Unlike pre-verified domains, these domains are listed as pending on the organization and are not automatically associated with the connection — the IT admin must complete verification in the self-service assistant before they take effect.
`domain_aliases_config.domain_verification` must be set to `optional` or `required` to use this parameter.
Quotas apply:
- If one organization is associated with the ticket, the combined total of existing and pending organization domains must not exceed 100.
- If no organization or more than one organization is associated with the ticket, the combined total of existing and pending domain aliases must not exceed 1,000.
|
| `enabled_organizations` | **Optional**. Object[].
A list of organizations to associate with the new connection. |
| `enabled_organizations[].organization_id` | **Required** when using `enabled_organizations`.
String.
ID of a specific organization to associate with the new connection.
You can retrieve IDs through the Organizations section of the [Auth0 Dashboard](https://manage.auth0.com/#/organizations), the [Get Organizations](https://auth0.com/docs/api/management/v2/organizations/get-organizations) endpoint, or the [Get Organization by Name](https://auth0.com/docs/api/management/v2/organizations/get-name-by-name) endpoint. |
| `enabled_organizations[].assign_membership_on_login` | **Optional**. Boolean.
When `true`, users who log in with the new connection are automatically granted membership to the specified organization. |
| `enabled_organizations[].show_as_button` | **Optional**. Boolean.
When `true`, the new connection displays as an authentication option on the Organization login screen for your application. |
+| `provisioning_config` | **Optional.** Object.
Determines whether or not customer admin is able to set up SCIM. If the connection is created without all provisioning `scopes`, `get:users`,`post:users`,`put:users`, `patch:users`,`delete:users`, SCIM will not be enabled. Use [`google_workspace`](https://auth0.com/docs/api/management/v2/self-service-profiles/post-sso-ticket) to configure [Google Workspace Directory Sync](/docs/authenticate/identity-providers/enterprise-identity-providers/google-directory-sync). |
| `ttl_sec` | **Optional**. Number.
Number of seconds an access ticket URL remains active before a customer admin launches the self-service assistant. If unspecified or set to 0, the value defaults to `432000` (the maximum amount of 5 days).
Note that this expiration period does not determine how long a customer admin has access to the self-service after it’s been launched. The expiration of the assistant itself is 5 hours and cannot be configured. |
-| `domain_aliases_config` | **Optional**. Object.
Contains domain_verification which is used to determine whether domain verification is required, optional, or disabled.
Options for domain_verification include:
- `none`: Disables domain verification. You can also disable domain verification by leaving the `domain_aliases_config` object out of your request.
- `optional`: Allows customer admins to skip domain verification during setup.
- `required`: Requires customer admins to verify their domain during setup.
To learn more, review [Domain Verification and Home Realm Discovery](/docs/authenticate/enterprise-connections/self-service-SSO/manage-self-service-sso#domain-verification-and-home-realm-discovery). |
+| `use_for_organization_discovery` | **Optional**. Boolean.
Indicates whether a verified domain should be used for organization discovery during authentication.|
-**Example Request Body**
+**Example request body**
```json lines expandable
{
@@ -350,15 +367,13 @@ In the request body, specify the parameters described in the table below.
"ttl_sec":0,
"domain_aliases_config": {
"domain_verification": "string"
+ "pending_domains": [
+ "acme2.com"
+ ]
}
}
```
-
-
-
-
-
In response, you receive a URL to the self-service access ticket:
```json lines
@@ -367,12 +382,7 @@ In response, you receive a URL to the self-service access ticket:
}
```
-
-
-
-
-
-After you receive the ticket URL, share the link with your customer admin to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review [Self-service assistant experience](/docs/authenticate/enterprise-connections/self-service-SSO#self-service-assistant-experience).
+After you receive the ticket URL, share the link with your customer admin to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review [Self-service assistant experience](/docs/authenticate/enterprise-connections/self-service-enterprise-config#self-service-assistant-experience).
You can wrap access ticket generation in your own self-service portal or send ticket URLs directly to customer admins through email, chat, or other communication channels.
@@ -406,16 +416,19 @@ To complete this process, you can generate an access ticket that allows the cust
To edit an access ticket through the Auth0 Dashboard:
-1. Navigate to [Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise) and access the Self-Service SSO section. Then, select the self-service profile with which you want to create an access ticket.
+1. Navigate to [Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise) and access the Self-Service Enterprise Configuration section. Then, select the self-service profile with which you want to create an access ticket.
2. Select **Generate Ticket** to open the ticket form. Under **Select ticket type**, choose **Edit an existing connection**.
3. Under **Ticket configuration**, provide the ID of the existing connection you want the customer admin to modify.
4. Select **Next**.
-5. Under **Domain Verification**, choose your desired level of verification:
-
- 1. **Off**: Customer admins are not prompted to verify their domain when setting up SSO. This option is selected by default for new access tickets.
- 2. **Optional**: Customer admins are prompted to verify their domain when setting up SSO. However, they can skip this step and enable their connection without completing verification.
- 3. **Required**: Customer admins must verify their domain when setting up SSO. They will not be able to enable their connection until verification is complete.
-6. Under **Provisioning**, optionally enable **Sync user profiles using provisioning**. When enabled, additional configuration is available:
+5. Under **Enabled features**, choose which flows the IT admin can access. All options are enabled by default.
+ * **Edit SSO connection**: Allows the IT admin to modify the SSO connection. Disable this option to give the IT admin access only to provisioning or domain configuration, without the ability to edit the connection.
+ * **Provisioning**: Allows the IT admin to configure provisioning.
+ * **Domain configuration**: Allows the IT admin to verify or manage domains.
+6. Under **Domain Verification**, choose your desired level of verification:
+ * **Off**: Customer admins are not prompted to verify their domain when setting up SSO. This option is selected by default for new access tickets.
+ * **Optional**: Customer admins are prompted to verify their domain when setting up SSO. However, they can skip this step and enable their connection without completing verification.
+ * **Required**: Customer admins must verify their domain when setting up SSO. They will not be able to enable their connection until verification is complete.
+7. Under **Provisioning**, optionally enable **Sync user profiles using provisioning**. When enabled, additional configuration is available:
* **Bearer Token Expiration**: Define an expiration date for the SCIM bearer token. By default, bearer tokens do not expire.
* **Bearer Token Permissions (Scopes)**: Choose which actions the token can perform. By default, all provisioning scopes are enabled:
* `get:users`
@@ -424,14 +437,14 @@ To edit an access ticket through the Auth0 Dashboard:
* `patch:users`
* `delete:users`
-7. Under **Time to Live**, set an expiration period for the access ticket in seconds. By default, time to live is set to 432000 seconds (which equals five days).
+8. Under **Time to Live**, set an expiration period for the access ticket in seconds. By default, time to live is set to 432000 seconds (which equals five days).
A. Time to Live determines how long an access ticket URL is active **before** a customer admin launches the self-service assistant. It does not determine how long the customer admin has access to the assistant after it’s been launched. The expiration of the self-service assistant itself is five hours and cannot be configured.
8. Review your access ticket configuration for accuracy. Then, select **Create Ticket**.
A Ticket Information popup containing the access ticket URL then displays. Copy and save this URL somewhere safe as you cannot retrieve this URL again after closing the popup.
-You can share the access ticket URL with your customer admin through email, chat, or another communication channel to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review [Self-service assistant experience](/docs/authenticate/enterprise-connections/self-service-SSO#self-service-assistant-experience).
+You can share the access ticket URL with your customer admin through email, chat, or another communication channel to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review [Self-service assistant experience](/docs/authenticate/enterprise-connections/self-service-enterprise-config#self-service-assistant-experience).
@@ -453,11 +466,17 @@ You cannot update `connection_config` details for an existing connection through
| Parameter | Description |
| --- | --- |
| `connection_id` | **Required**. String.
ID of the connection a customer admin can update through the self-service assistant. Customer admins can modify key elements of the connection, such as the SAML certificate or OIDC ID and secret.
Connection IDs can be retrieved through the Authentication section of the [Auth0 Dashboard](https://manage.auth0.com/#/connections/enterprise) or the [Get All Connections](https://auth0.com/docs/api/management/v2/connections/get-connections) endpoint.** |
-| `provisioning_config` | **Optional.** Object.
Determines whether or not customer admin is able to set up SCIM. If the connection is created without all provisioning `scopes`, `get:users`,`post:users`,`put:users`, `patch:users`,`delete:users`, SCIM will not be enabled. |
+| `domain_aliases_config.pending_domains` | **Optional**. String\[].
Domains to be verified by the IT admin during setup. These domains are listed as pending on the organization and are not automatically associated with the connection — the IT admin must complete verification in the self-service assistant before they take effect.
`domain_aliases_config.domain_verification` must be set to `optional` or `required` to use this parameter.
Quotas apply:
- If one organization is associated with the ticket, the combined total of existing and pending organization domains must not exceed 100.
- If no organization or more than one organization is associated with the ticket, the combined total of existing and pending domain aliases must not exceed 1,000.
|
+| `enabled_features` | **Optional**. Object.
Controls which flows the IT admin can access. Only supported for edit-connection tickets.
If omitted, active features are determined based on the presence of other configuration properties in the request (existing behavior is preserved). If included, the object must contain at least one property not explicitly set default to `false` and cannot be null or empty.
If `enabled_features.provisioning` is `true`, `provisioning_config` is required in the request body. |
+| `enabled_features.sso` | **Optional**. Boolean.
When `true`, the IT admin can edit the SSO connection. Set to `false` to allow access only to provisioning or domain verification flows, without the ability to modify the connection. |
+| `enabled_features.provisioning` | **Optional**. Boolean.
When `true`, the IT admin can configure provisioning. Requires `provisioning_config` in the request body. |
+| `enabled_features.domain_verification` | **Optional**. Boolean.
When `true`, the IT admin can verify or manage domains. |
+| `provisioning_config` | **Optional.** Object.
Determines whether or not customer admin is able to set up SCIM. If the connection is created without all provisioning `scopes`, `get:users`,`post:users`,`put:users`, `patch:users`,`delete:users`, SCIM will not be enabled. Use [`google_workspace`](https://auth0.com/docs/api/management/v2/self-service-profiles/post-sso-ticket) to configure [Google Workspace Directory Sync](/docs/authenticate/identity-providers/enterprise-identity-providers/google-directory-sync). |
| `ttl_sec` | **Optional**. Number.
Number of seconds an access ticket URL remains active before a customer admin launches the self-service assistant. If unspecified or set to `0`, the value defaults to `432000` (which equals 5 days).
Note that this expiration period does not determine how long a customer admin has access to the self-service assistant after it's been launched. The expiration of the assistant itself is five hours and cannot be configured. |
-| `domain_aliases_config` | **Optional**. Object.
Contains domain_verification which is used to determine whether domain verification is required, optional, or disabled.
Options for domain_verification include:
- `none`: Disables domain verification. You can also disable domain verification by leaving the `domain_aliases_config` object out of your request.
- `optional`: Allows customer admins to skip domain verification during setup.
- `required`: Requires customer admins to verify their domain during setup.
To learn more, review [Domain Verification and Home Realm Discovery](/docs/authenticate/enterprise-connections/self-service-SSO/manage-self-service-sso#domain-verification-and-home-realm-discovery). |
+| `domain_aliases_config` | **Optional**. Object.
Contains domain_verification which is used to determine whether domain verification is required, optional, or disabled.
Options for domain_verification include:
- `none`: Disables domain verification. You can also disable domain verification by leaving the `domain_aliases_config` object out of your request.
- `optional`: Allows customer admins to skip domain verification during setup.
- `required`: Requires customer admins to verify their domain during setup.
|
+| `use_for_organization_discovery` | **Optional**. Boolean.
Indicates whether a verified domain should be used for organization discovery during authentication.|
-**Example Request Body**
+**Example request body**
```json lines
{
@@ -465,15 +484,13 @@ You cannot update `connection_config` details for an existing connection through
"ttl_sec":0,
"domain_aliases_config": {
"domain_verification": "string"
+ "pending_domains": [
+ "acme.com"
+ ]
}
}
```
-
-
-
-
-
In response, you receive a URL to the self-service access ticket:
```json lines
@@ -482,12 +499,7 @@ In response, you receive a URL to the self-service access ticket:
}
```
-
-
-
-
-
-After you receive the ticket URL, share the link with your customer admin to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review [Self-service assistant experience](/docs/authenticate/enterprise-connections/self-service-SSO#self-service-assistant-experience).
+After you receive the ticket URL, share the link with your customer admin to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review [Self-service assistant experience](/docs/authenticate/enterprise-connections/self-service-enterprise-config#self-service-assistant-experience).
You can wrap access ticket generation in your own self-service portal or send ticket URLs directly to customer admins through email, chat, or other communication channels.
@@ -515,7 +527,7 @@ In response, a `202 Accepted` is returned.
### APIs
-To manage Self-Service SSO, the following [Management API](https://auth0.com/docs/api/management/v2/introduction) endpoints are available:
+To manage Self-Service Enterprise Configuration, the following [Management API](https://auth0.com/docs/api/management/v2/introduction) endpoints are available:
* [Get self-service profiles](https://auth0.com/docs/api/management/v2/self-service-profiles/get-self-service-profiles)
* [Create a self-service profile](https://auth0.com/docs/api/management/v2/self-service-profiles/post-self-service-profiles)
@@ -524,12 +536,12 @@ To manage Self-Service SSO, the following [Management API](https://auth0.com/doc
* [Update a self-service profile](https://auth0.com/docs/api/management/v2/self-service-profiles/patch-self-service-profiles-by-id)
* [Get custom text for a self-service profile](https://auth0.com/docs/api/management/v2/self-service-profiles/get-self-service-profile-custom-text)
* [Set custom text for a self-service profile](https://auth0.com/docs/api/management/v2/self-service-profiles/put-self-service-profile-custom-text)
-* [Create an SSO-access ticket to initiate the self-service SSO flow](https://auth0.com/docs/api/management/v2/self-service-profiles/post-sso-ticket)
-* [Revoke an SSO access ticket](https://auth0.com/docs/api/management/v2/self-service-profiles/post-revoke)
+* [Create an access ticket to initiate the self-service enterprise configuration flow](https://auth0.com/docs/api/management/v2/self-service-profiles/post-sso-ticket)
+* [Revoke a self-service access ticket](https://auth0.com/docs/api/management/v2/self-service-profiles/post-revoke)
-### Rate Limits
+### Rate limits
-When using Self-Service SSO, the following rate limits apply:
+When using Self-Service Enterprise Configuration, the following rate limits apply:
| Description | Endpoint | Limits |
| --- | --- | --- |
diff --git a/main/docs/authenticate/enterprise-connections/user-attribute-profile.mdx b/main/docs/authenticate/enterprise-connections/user-attribute-profile.mdx
index 7381270f28..77fd5f4640 100644
--- a/main/docs/authenticate/enterprise-connections/user-attribute-profile.mdx
+++ b/main/docs/authenticate/enterprise-connections/user-attribute-profile.mdx
@@ -5,10 +5,10 @@ title: User Attribute Profile
---
-User Attribute Profile with Self-Service SSO is currently in Early Access for B2B Professional and B2B Enterprise customers. By using this feature, you agree to the applicable Free Trial terms in Okta’s [Master Subscription Agreement](https://www.okta.com/legal/). To learn more about Auth0 release stages, read [Product Release Stages](/docs/troubleshoot/product-lifecycle/product-release-stages).
+User Attribute Profile with Self-Service Enterprise Configuration is currently in Early Access for B2B Professional and B2B Enterprise customers. By using this feature, you agree to the applicable Free Trial terms in Okta’s [Master Subscription Agreement](https://www.okta.com/legal/). To learn more about Auth0 release stages, read [Product Release Stages](/docs/troubleshoot/product-lifecycle/product-release-stages).
-The User Attribute Profile (UAP) provides a consistent way to define, manage, and map user attributes across protocols such as [SCIM](/docs/authenticate/protocols/scim), [SAML](/docs/authenticate/protocols/saml), and [OIDC](/docs/authenticate/login/oidc-conformant-authentication). UAP with [Self-Service SSO](/docs/authenticate/enterprise-connections/self-service-SSO) gives administrators greater control over user identity data by defining user attributes and applying the profile across authentication protocols.
+The User Attribute Profile (UAP) provides a consistent way to define, manage, and map user attributes across protocols such as [SCIM](/docs/authenticate/protocols/scim), [SAML](/docs/authenticate/protocols/saml), and [OIDC](/docs/authenticate/login/oidc-conformant-authentication). UAP with [Self-Service Enterprise Configuration](/docs/authenticate/enterprise-connections/self-service-enterprise-config) gives administrators greater control over user identity data by defining user attributes and applying the profile across authentication protocols.
## How it works
* **Profile Definition**
@@ -18,7 +18,7 @@ An administrator creates a User Attribute Profile to define attributes, includin
* How attributes map to Auth0 and external identity systems
* **Flexible Scope**
-Profiles are linked to Self-Service SSO flows but are designed for provisioning, onboarding, and entitlement management.
+Profiles are linked to Self-Service Enterprise Configuration flows but are designed for provisioning, onboarding, and entitlement management.
* **Unified Mapping Layer**
Each attribute supports mappings across authentication protocols with the option to override values for specific providers or connection strategies, such as Okta and Entra ID.
@@ -129,10 +129,10 @@ Each override defines protocol-specific mappings that replace the defaults defin
## Create a User Attribute Profile
-You can define a UAP through Self-Service SSO using the Auth0 Dashboard or the Management API. Currently, it can be configured through the Self-Service SSO experience.
+You can define a UAP through Self-Service Enterprise Configuration using the Auth0 Dashboard or the Management API. Currently, it can be configured through the Self-Service Enterprise Configuration experience.
### Configure with Auth0 Dashboard
-1. Navigate to [**Authentication > Enterprise > Self-Service SSO**](http://manage.auth0.com/*/connections/enterprise/self-service-profiles).
+1. Navigate to [**Authentication > Enterprise > Self-Service Enterprise Configuration**](http://manage.auth0.com/*/connections/enterprise/self-service-profiles).
2. Select **+Create Profile**.
3. Provide a **Name** and optional **Description** for the new profile.
4. Add a User Attribute Profile entry by either selecting an existing profile or choosing **+Create New**.
@@ -153,7 +153,7 @@ To manage User Attribute Profiles, the following [Management API](https://auth0.
* `GET` `/api/v2/user-attribute-profiles/templates/{id}`
## Learn more
-* [Self-Service SSO](/docs/authenticate/enterprise-connections/self-service-SSO)
+* [Self-Service Enterprise Configuration](/docs/authenticate/enterprise-connections/self-service-enterprise-config)
* [Configure PKCE and Claim Mapping for OIDC Connections](/docs/authenticate/identity-providers/enterprise-identity-providers/configure-pkce-claim-mapping-for-oidc)
* [Map SAML Attributes with Auth0 as IdP/SAML Add-on](/docs/authenticate/protocols/saml/saml-configuration/saml-attribute-mapping-examples)
* [Map AD/LDAP Profile Attributes to Auth0 User Profile](/docs/authenticate/protocols/saml/saml-configuration/saml-attribute-mapping-examples)
\ No newline at end of file
diff --git a/main/docs/fr-ca/authenticate/enterprise-connections/self-service-SSO/manage-self-service-sso.mdx b/main/docs/fr-ca/authenticate/enterprise-connections/self-service-SSO/manage-self-service-enterprise-config.mdx
similarity index 100%
rename from main/docs/fr-ca/authenticate/enterprise-connections/self-service-SSO/manage-self-service-sso.mdx
rename to main/docs/fr-ca/authenticate/enterprise-connections/self-service-SSO/manage-self-service-enterprise-config.mdx
diff --git a/main/docs/fr-ca/authenticate/enterprise-connections/self-service-SSO.mdx b/main/docs/fr-ca/authenticate/enterprise-connections/self-service-enterprise-config.mdx
similarity index 100%
rename from main/docs/fr-ca/authenticate/enterprise-connections/self-service-SSO.mdx
rename to main/docs/fr-ca/authenticate/enterprise-connections/self-service-enterprise-config.mdx
diff --git a/main/docs/get-started/universal-components/my-organization/build-delegated-admin.mdx b/main/docs/get-started/universal-components/my-organization/build-delegated-admin.mdx
index 63b38fa221..4065fbbb79 100644
--- a/main/docs/get-started/universal-components/my-organization/build-delegated-admin.mdx
+++ b/main/docs/get-started/universal-components/my-organization/build-delegated-admin.mdx
@@ -8,7 +8,7 @@ Universal Components allows you to build a self-service administrative dashboard
## How it works
-Universal Components leverages the [My Organization API](/docs/api/myorganization), which operates on user-scoped tokens, to create a [Self-Service SSO Administrative Dashboard](/docs/authenticate/enterprise-connections/self-service-SSO). When an administrator logs into your dashboard embedded in your application, the Auth0 SDK retrieves an Access Token containing Organization-specific scopes for admin privileges. The components use this token to call the API as the logged-in user, ensuring delegated administrators can only modify the specific Auth0 Organization to which they belong.
+Universal Components leverages the [My Organization API](/docs/api/myorganization), which operates on user-scoped tokens, to create a [Self-Service SSO Administrative Dashboard](/docs/authenticate/enterprise-connections/self-service-enterprise-config). When an administrator logs into your dashboard embedded in your application, the Auth0 SDK retrieves an Access Token containing Organization-specific scopes for admin privileges. The components use this token to call the API as the logged-in user, ensuring delegated administrators can only modify the specific Auth0 Organization to which they belong.
### Available components
diff --git a/main/docs/get-started/universal-components/my-organization/domain-management/configure-org-domains.mdx b/main/docs/get-started/universal-components/my-organization/domain-management/configure-org-domains.mdx
index f749546d6a..e652e8e3a4 100644
--- a/main/docs/get-started/universal-components/my-organization/domain-management/configure-org-domains.mdx
+++ b/main/docs/get-started/universal-components/my-organization/domain-management/configure-org-domains.mdx
@@ -7,7 +7,7 @@ description: Learn how to manage verified and pending Organization domains in a
import Spinner from "/snippets/Spinner.jsx";
import { ComponentLoader } from "/snippets/ComponentLoader.jsx";
-The `DomainTable` component provides a unified interface for your customers to manage their Auth0 Organization's email domain. By verifying domain ownership, Organization administrators enable critical B2B features like [Home Realm Discovery (HRD)](/docs/authenticate/enterprise-connections/self-service-SSO/manage-self-service-sso#email-domain-verification-and-pre-verified-domains) and ensure users are automatically routed to the correct SSO provider based on their email suffix (e.g., `user@acme.com`).
+The `DomainTable` component provides a unified interface for your customers to manage their Auth0 Organization's email domain. By verifying domain ownership, Organization administrators enable critical B2B features like [Home Realm Discovery (HRD)](/docs/authenticate/enterprise-connections/self-service-enterprise-config/manage-self-service-enterprise-config#email-domain-verification-and-pre-verified-domains) and ensure users are automatically routed to the correct SSO provider based on their email suffix (e.g., `user@acme.com`).
-In a production environment, you configure each of your enterprise customers once to federate it with your Auth0 tenant. Auth0 will add support for [Self-Service SSO](/docs/authenticate/enterprise-connections/self-service-SSO) in later versions, enabling you to delegate XAA configuration to your enterprise customers as part of SSO setup.
+In a production environment, you configure each of your enterprise customers once to federate it with your Auth0 tenant. Auth0 will add support for [Self-Service SSO](/docs/authenticate/enterprise-connections/self-service-enterprise-config) in later versions, enabling you to delegate XAA configuration to your enterprise customers as part of SSO setup.