
> Learn how to configure Auth0 as your identity provider to work with SSO authentication for Firebolt.

# Auth0

[Auth0](https://auth0.com/) is an identity management platform that provides authentication and authorization services for applications. Auth0 supports implementing secure login systems with authentication methods including single sign-on (SSO).

To integrate Auth0 with Firebolt's platform, you need to configure both an [Auth0 application for Firebolt](#configure-an-auth0-application) and [Firebolt's SSO for Auth0](#configure-firebolt-for-auth0). Detailed instructions can be found in the following sections.

## Configure an Auth0 application

1. Log in to your Auth0 Dashboard. If you don't yet have an account with Auth0, you can [sign up](https://auth0.com/signup) to access their services.

2. Select **Applications** from the left navigation panel.

3. Select **Applications** again.

4. Select the **+ Create Application** button.

5. Under **Name**, enter a name for your application.

6. In the dropdown list under **Application Type**, select **Regular Web Application**.

7. Select **Create the Application**.

8. Once your application is created, it will appear under **Applications**. Select the three horizontal dots (...) next to your application's name, and select **Settings** from the dropdown list.

9. Navigate to the **Application URIs** section.

10. In the textbox under **Application Login URI**, enter your Firebolt organization URL address, followed by `/login?`. For example, `https://staging-go.firebolt.io/login?`.

11. In the textbox under **Allowed Callback URLs**, provide a callback URL with the following format: `https://idp.app.firebolt.io/login/callback?connection=<org_name>-<provider>&organization=<organization_identifier>`. For example, `https://idp.app.firebolt.io/login/callback?connection=firebolt-staging-auth0&organization=org_UJhpsQ5ypXVU8JVB`. The following apply:
    * **`<org_name>`** - the organizational name used to create your Firebolt account referenced in your vanity URL.
    * **`<provider>`** - the provider, `Auth0`.
    * **`<organization_identifier>`** - the unique identifier for your organization in Firebolt. To retrieve your **`<organization_identifier>`**, do the following:

      1. Log in to the [Firebolt Workspace](https://go.firebolt.io/signup).
      2. Select the **Configure** icon (<img src="https://mintcdn.com/firebolt/LtHVeTPldSybs7Fs/assets/images/configure-icon.png?fit=max&auto=format&n=LtHVeTPldSybs7Fs&q=85&s=87fd30b45fb4e5ce812a41b9bf13767c" alt="The Firebolt Configure Space icon." style={{"display": "inline", "margin-bottom": "0", "margin-top": "0", "width": "20px"}} width="52" height="52" data-path="assets/images/configure-icon.png" />).
      3. Select **SSO** from the left navigation pane.
      4. Select **Copy organization SSO identifier**.

12. Save the configuration.

13. Select the **Addons** tab at the top of the application work area.

14. Toggle **SAML2 WEB APP**.

15. In the **Usage** tab, do the following:
    1. Copy the `Identity Provider Login URL` and save it for the following Firebolt configuration step.
    2. Note the **Issuer** for the following Firebolt configuration step.
    3. Select **Download Auth0 certificate**. These are needed to configure Firebolt to work with the Auth0 IdP.

16. Select the **Settings** tab.

17. Select **Enable** to enable SSO using SAML 2.0 on the IdP. You are now ready to configure Firebolt to use Auth0 as your IdP.

## Configure Firebolt for Auth0

Once your Identity Provider (IdP) is configured, you can configure Firebolt to integrate with Auth0 either using SQL scripts in the **Develop Space** or through the user interface (UI) in the **Configure Space**.

### Configure Firebolt to integrate with Auth0 using the UI

1. Log in to the [Firebolt Workspace](https://go.firebolt.io/signup).
2. Select the **Configure** icon (<img src="https://mintcdn.com/firebolt/LtHVeTPldSybs7Fs/assets/images/configure-icon.png?fit=max&auto=format&n=LtHVeTPldSybs7Fs&q=85&s=87fd30b45fb4e5ce812a41b9bf13767c" alt="The Firebolt Configure Space icon." style={{"display": "inline", "margin-bottom": "0", "margin-top": "0", "width": "20px"}} width="52" height="52" data-path="assets/images/configure-icon.png" />).
3. Select **SSO** from the left navigation pane.
4. Under **Configure SSO for your organization**, enter the following:

   1. **Sign-on URL** - Enter the sign-on URL, provided by the SAML identity provider, where Firebolt will send SAML requests. The URL is specific to the IdP and is defined during configuration. For Auth0, this value corresponds to the Identity Provider Login URL value copied in **Step 15** of the [Auth0 application configuration](#configure-an-auth0-application).
   2. **Issuer** - A unique value generated by the SAML identity provider specifying the issuer value. The issuer corresponds to the **Issuer** value noted in **Step 15** of the [Auth0 application configuration](#configure-an-auth0-application).
   3. **Provider** - The provider's name, `Auth0`.
   4. **Label** - The label to use for the SSO login button. You can use any label name. If the label is not provided, Firebolt uses the value in the **Provider** field.
   5. (Optional) **Sign-out URL** - An endpoint provided by Auth0 that facilitates the logout process by redirecting the user to this URL, ending their session.
   6. **Signing certificate** - A digital certificate used to verify the authenticity of signatures on communication between Auth0 and Firebolt. The certificate must be in Privacy Enhanced Mail (PEM) or CER format, and can be uploaded from your computer by selecting **Import certificate** or entered in the text box under **Signing certificate**.
   7. **Field mapping** - A mapping used to match user attributes between Auth0 and Firebolt. Enter the **First name** and **Last name** in your Auth0 profile. Mapping is only required the first time a user logs in using SSO.
   8. Select **Update changes**.

### Configure Firebolt to integrate with Auth0 using SQL

Log in to Firebolt’s [Workspace](https://go.firebolt.io/login). If you haven’t yet registered with Firebolt, see [Get Started](/guides/getting-started). If you encounter any issues, reach out to [support@firebolt.io](mailto:support@firebolt.io) for help. Then, do the following:

1. Select the Develop icon (**\</>**).
2. By default, when you log in to **Firebolt’s Workspace** for the first time, Firebolt creates a tab in the **Develop Space** called **Script 1**. The following apply:
   * The database that Script 1 runs against is shown directly below the tab name. If you want to change the database, select another database from the drop-down list.
   * An engine must be running to process the script in a selected tab. The name and status of the engine that Script 1 uses for computation are shown to the right of the currently selected database.
3. Select **system** from the drop-down arrow next to the engine name. The system engine is always running, and you can use it to create a service account. You can also use an engine that you create.
4. Use the syntax in the following example code to create an SSO connection in the **SQL Script Editor**:

```sql
ALTER ORGANIZATION vsko SET SSO = '{
  "signOnUrl": "https://dev-1234567890123456.us.auth0.com/samlp/123456789012345678901234567890123",
  "signoutURL": "http://your-sign-out-URL",
  "issuer": "auth0",
  "provider": "auth0",
  "label": "Auth0 Company IdP",
  "fieldMapping": {
    "given_name": "name",
    "family_name": "surname"
  },
  "certificate": "<certificate>"
}';
```

In the previous code example, the following apply:

* `signOnUrl` - The sign-on URL, provided by the SAML identity provider, where Firebolt will send SAML requests. The URL is specific to the IdP and is defined during configuration. For Auth0, this value corresponds to the Identity Provider Login URL value copied in **Step 15** of the [Auth0 application configuration](#configure-an-auth0-application).
* (Optional) `signoutUrl` - An endpoint provided by Auth0 that facilitates the logout process by redirecting the user to this URL, ending their session.
* `issuer` - A unique value generated by the SAML identity provider specifying the issuer value. The issuer corresponds to the **Issuer** value noted in **Step 15** of the [Auth0 application configuration](#configure-an-auth0-application).
* `provider` - The provider's name, `Auth0`.
* `label` - The label to use for the SSO login button. You can use any label name. If the label is not provided, Firebolt uses the value in the **Provider** field.
* `certificate` - A digital certificate used to verify the authenticity of signatures on communication between Auth0 and Firebolt. The certificate must be in Privacy Enhanced Mail (PEM) or CER format.
* `fieldMapping` - A mapping used to match user attributes between Auth0 and Firebolt. Enter the first name and surname in your Auth0 profile. Mapping is only required the first time a user logs in using SSO.
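
The following is an added example, not part of Firebolt's documentation: a pre-flight check that builds the Allowed Callback URL in the step 11 format and lints the SSO JSON payload before it is sent with `ALTER ORGANIZATION`. The function names, the set of keys treated as mandatory, the SHA-256 fingerprint comparison and the sample certificate bytes are assumptions of this example, and it handles PEM input only.

```python
import base64, hashlib, re
from urllib.parse import urlencode, urlsplit

# Key names come from the ALTER ORGANIZATION example on this page.
# Treating these four as mandatory is an assumption of this example.
REQUIRED = ("signOnUrl", "issuer", "provider", "certificate")
# The page spells the sign-out key both ways, so both are checked.
URL_KEYS = ("signOnUrl", "signoutURL", "signoutUrl")
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in, not a real certificate: five DER bytes in PEM armour.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

def callback_url(org_name, provider, org_id):
    """Allowed Callback URL in the format given in step 11."""
    query = urlencode({"connection": f"{org_name}-{provider}",
                       "organization": org_id})
    return "https://idp.app.firebolt.io/login/callback?" + query

def cert_sha256(pem):
    """SHA-256 of the single certificate in `pem`; ValueError if unusable."""
    bodies = PEM_RE.findall(pem)
    if len(bodies) != 1:
        raise ValueError("expected exactly one PEM certificate block")
    der = base64.b64decode("".join(bodies[0].split()), validate=True)
    if not der.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded body is not DER")
    return hashlib.sha256(der).hexdigest()

def lint_sso_config(cfg, expected_sha256):
    """Return findings for an SSO payload; an empty list means it passed."""
    findings = [f"missing {k}" for k in REQUIRED if not cfg.get(k)]
    for key in URL_KEYS:
        if key in cfg and urlsplit(cfg[key]).scheme != "https":
            findings.append(f"{key} is not an https URL")
    try:
        if cert_sha256(cfg.get("certificate") or "") != expected_sha256.lower():
            findings.append("certificate fingerprint differs from expected")
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        findings.append(f"certificate unusable: {exc}")
    return findings
```

Pass `expected_sha256` from a fingerprint obtained from the IdP independently of the downloaded file, so that a swapped or truncated certificate is caught before it becomes the trust anchor for SAML signatures.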
