
Auth0 Enterprise Connections

Enterprise Connections are the “Sovereign Bridge” of the Auth0 ecosystem. They allow you to federate authentication to your customer’s or partner’s own Identity Provider (IdP). Instead of creating local accounts for every employee of a B2B partner, you reuse the account they already own in Active Directory (ADFS), Okta, Azure AD, or a custom SAML system. When a partner’s user logs in, Auth0 acts as a bridge, translating their corporate identity into your application’s format. For the IAM architect, Enterprise Connections are the engine of B2B scale, enabling you to onboard entire organizations with a single configuration.


Federation Sovereign

Core Mission: B2B Trust Federation. Establishing a scalable, standards-based framework for connecting external identities from partner organizations while maintaining centralized control over application access and attribute mapping.

Like a Corporate VIP Gateway: Imagine you are running a business center (your app). A big partner company arrives with 1000 employees. Instead of checking every person's ID and giving them a new building badge, you build a "Sovereign Gateway" specifically for them. When an employee shows their partner company ID (Azure AD/Okta), the gateway recognizes it instantly and lets them in. Your business center trusts the partner's "Sovereign Authority" to verify their own people, and you focus on which meeting rooms they can book.

Typical use cases: SaaS B2B Tenancy / Partner SSO / Active Directory (ADFS) Sync / Cross-Cloud Federation

Designing for enterprise connections requires aligning the partner’s technology with your federation requirements.

| Profile | Strategic Responsibility | IAM Implementation |
|---|---|---|
| Azure AD / Microsoft | Workforce Standard. | Specialized OIDC connector for frictionless integration with Microsoft Entra ID. |
| SAML (Generic) | Legacy & Custom. | The Swiss-army knife for connecting to any SAML 2.0 compliant IdP (legacy systems). |
| Okta / Auth0-to-Auth0 | Platform-to-Platform. | Optimized OIDC connectors for connecting to other specialized IdPs. |
| AD / LDAP Connector | Ground-to-Cloud. | Using the “Auth0 AD Connector” agent to bridge on-premise AD to your cloud tenant. |

An enterprise login is a three-way “Federation Triangle” between the user, their IdP, and Auth0.

```mermaid
graph LR
    User[Enter Email Domain] --> Broker[Auth0: Enterprise Broker]
    Broker --> Partner[Partner IdP: Auth & MFA]
    Partner --> App[Return to Auth0 -> Issue Token]
```
1. Home Realm Discovery (The Domain)

   The user arrives at the Universal Login page. They enter their email (e.g. `user@partner-corp.com`). Auth0 identifies the `@partner-corp.com` domain using **Home Realm Discovery (HRD)** and automatically redirects them to the partner's configured Enterprise Connection.

2. The Sovereign External Handshake

   The user authenticates at their "Home" IdP (e.g. their corporate Azure AD). Their company's policies, MFA requirements, and security signals apply here. The partner IdP signs a SAML assertion or an OIDC ID token and sends it back to Auth0 (the **Assertion Consumer Service (ACS)** endpoint for SAML, the callback endpoint for OIDC).

3. Normalized Attribute Mapping

   Auth0 receives the assertion and acts as the "Sovereign Translator." It validates the assertion against the IdP registered for that connection, extracts the partner's attributes (names, groups, roles) and maps them into your tenant's unified user profile. It then issues YOUR tenant's token to the application. Your app now has a standard user identity, regardless of the partner IdP's underlying technology.
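The following is an added example, not Auth0's code and not from the original page: a small Python model of steps 1 and 3 of the flow above. It routes a login by email domain to a registered enterprise connection (Home Realm Discovery) and then maps an already signature-verified assertion into a unified profile using per-connection mappers such as `roles` -> `groups`. All connection names, issuers, audiences, domains and the sample assertion are constructed for illustration; the `EnterpriseConnection` class and the `user_id` format are assumptions and do not reflect Auth0's internal data model. The check that matters for a defender is in `map_assertion`: issuer, audience and email domain are tied to the connection before any attribute is trusted, so a valid assertion from a different IdP (or for a different domain) cannot be mapped into this connection.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class EnterpriseConnection:
    """Constructed stand-in for one enterprise connection record (assumption, not Auth0's schema)."""
    name: str
    strategy: str                      # e.g. "samlp", "waad", "oidc" (illustrative)
    issuer: str                        # IdP issuer / entity ID the assertion must come from
    audience: str                      # audience the IdP must issue the assertion for
    mappers: Dict[str, str]            # external claim name -> unified profile attribute
    allowed_domains: List[str] = field(default_factory=list)


# Constructed HRD table: which email domains route to which connection.
CONNECTIONS = [
    EnterpriseConnection(
        name="Partner-Azure-AD",
        strategy="waad",
        issuer="https://login.example-partner.test/idp",
        audience="urn:example-tenant:Partner-Azure-AD",
        mappers={"roles": "groups", "given_name": "first_name", "family_name": "last_name"},
        allowed_domains=["partner-corp.com"],
    ),
    EnterpriseConnection(
        name="Legacy-SAML",
        strategy="samlp",
        issuer="https://sso.legacy.test/saml/metadata",
        audience="urn:example-tenant:Legacy-SAML",
        mappers={"memberOf": "groups", "mail": "email"},
        allowed_domains=["legacy.test", "legacy-sub.test"],
    ),
]


def _domain_of(email: str) -> Optional[str]:
    """Return the lower-cased domain of an email, or None if it is not a single-@ address."""
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower()
    return domain or None


def home_realm_discovery(email: str) -> Optional[EnterpriseConnection]:
    """Step 1: route a login to the enterprise connection that owns the email domain.
    Matching is exact on the full domain, so 'partner-corp.com.attacker.test' does not match."""
    domain = _domain_of(email)
    if domain is None:
        return None
    for conn in CONNECTIONS:
        if domain in (d.lower() for d in conn.allowed_domains):
            return conn
    return None  # no enterprise route; the tenant would fall back to its default connection


def map_assertion(conn: EnterpriseConnection, assertion: dict) -> dict:
    """Step 3: translate claims from the partner IdP into the unified profile.
    `assertion` is a dict of claims whose signature has already been verified
    (signature checking is out of scope here). Issuer, audience and email domain
    are bound to the connection before any attribute is copied."""
    if assertion.get("iss") != conn.issuer:
        raise ValueError(f"issuer mismatch for connection {conn.name}")
    if assertion.get("aud") != conn.audience:
        raise ValueError(f"audience mismatch for connection {conn.name}")
    email = assertion.get("email") or assertion.get("mail")
    domain = _domain_of(email) if email else None
    if domain is None:
        raise ValueError("assertion carries no usable email")
    if domain not in (d.lower() for d in conn.allowed_domains):
        raise ValueError("assertion email domain is not owned by this connection")
    if not assertion.get("sub"):
        raise ValueError("assertion carries no subject identifier")

    profile = {
        "email": email.lower(),
        "connection": conn.name,
        # Constructed identifier format; Auth0's real user_id layout is not modelled here.
        "user_id": f"{conn.strategy}|{conn.name}|{assertion['sub']}",
    }
    # Copy only the claims the connection's mappers name; unmapped claims are dropped.
    for external_claim, attribute in conn.mappers.items():
        if external_claim in assertion:
            profile[attribute] = assertion[external_claim]
    profile.setdefault("groups", [])
    return profile


if __name__ == "__main__":
    conn = home_realm_discovery("Alice@Partner-Corp.com")
    sample = {  # constructed, already-verified assertion from the partner IdP
        "iss": "https://login.example-partner.test/idp",
        "aud": "urn:example-tenant:Partner-Azure-AD",
        "sub": "abc123",
        "email": "Alice@partner-corp.com",
        "roles": ["Finance", "Admins"],
        "given_name": "Alice",
    }
    print(map_assertion(conn, sample))
```

The mapper direction mirrors the page's `external_claim: "roles"` / `user_attribute: "groups"` pairing: the partner's `roles` claim lands in the unified `groups` attribute, and a claim with no mapper is dropped rather than passed through.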


Configuring an Azure AD Enterprise Connection via the Auth0 dashboard is the standard for B2B SaaS.

```yaml
# Configuring a trusted enterprise connection
Connection_Name: "Partner-Azure-AD"
Strategy: "azure-ad"
Config:
  Domain: "partner-corp.com"
  ClientID: "azure-app-id"
  ClientSecret: "azure-app-secret"
  Identity_API: "Microsoft Graph"
Mappers:
  - user_attribute: "groups"
    external_claim: "roles"
```

Master the technical ceremonies of B2B federation and cross-organization trust.