MOR-PROC-040 Version 1 last review date: May, 2025
Auth0 Enterprise Connection Management
1. Overview
Auth0 includes functionality that allows sign-on to occur with the credentials held in an external authentication service such as Microsoft's Entra ID. When a user enters their email address, Auth0 checks the domain and, where it matches a configured connection, redirects the user to the appropriate authentication service.
Depending on the authentication service, there are a number of enterprise connection types that can be configured to enable this process. A common one is SAML, which is currently utilised for two external clients.
2. Enterprise Connection List
| Client | Client Auth Platform | Connection Description | Auth0 Tenancy | Certificate Expiry Date |
|---|---|---|---|---|
| CBC | Entra ID | Azure AD | cbcgroup | |
| Landcom | Entra ID | SAML | cbcgroup | 8 June 2025 |
| I-Med | Entra ID | SAML | cbcgroup | 25 June 2025 |
3. Entra ID SAML Connection
3.1. Create a New Connection
Create Application
- Navigate to the Entra ID admin center
- Click ‘Enterprise applications’
- Click ‘Create your own application’. The ‘Create your own application’ menu will appear.
- Select the ‘Integrate any other application you don't find in the gallery (Non-gallery)’ option.
- Enter a name of ‘CBC CMMS’ or similar
- Click ‘Create’
- https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/AppGalleryBladeV2
Setup Properties
- Consider the ‘Assignment required?’ option
- You can make the app available to all your users, or you can assign specific users or groups.
- Consider the ‘Visible to users?’ option
- Change the logo (as provided)
Setup SAML
- Click ‘Single sign-on’ on the menu
- Select the ‘SAML’ option
- Under ‘Basic SAML configuration’, click ‘Edit’
- For ‘Identifier (Entity ID)’ enter the Entity ID provided. (See below)
- For ‘Reply URL (Assertion Consumer Service URL)’ enter the Reply URL provided.
- For ‘Sign on URL’ enter the 'Sign on URL' provided.
- Under ‘SAML Signing Certificate’, click ‘Edit’
- On the certificate line, click the ‘…’ button, then select the ‘PEM certificate download’ option.
- Add ‘cmmssupport@cbcgroup.com.au’ to the ‘Notification email addresses’ list so CBC can be alerted if the certificate expires or becomes invalid.
Provide Data to CBC
- To facilitate transfer of the items below, your IT admin can create a Teams group and invite b.marshall@cbcgroup.com.au. Provide the following items:
- PEM certificate file
- Login URL
- Logout URL (if desired)
CBC Provided Values
| Field | Value |
|---|---|
| Entity ID | (retrieve from Auth0 settings) |
| Reply URL | |
| Sign on URL | https://auth.cmms.cbcgroup.com.au |
| Logo | |
3.2. Renew a Certificate
Client Comms
Hello (name),
I am emailing in regards to the SAML connection established previously that allows your users to utilise their existing credentials to sign in to CBC's CMMS.
This connection requires a valid SSL certificate, and we have received notice that this certificate is due to expire on the (date). A new certificate must be created before this time, and the public portion of the certificate provided to CBC before this date so we can update the required settings on our side.
Renewal of the certificate requires an authorised person to access your user authentication platform, (client platform name), and follow the below steps. This will usually be your IT department.
Please note that the steps provided are a guide only and may differ slightly due to the platform you use, or changes in the software over time that CBC is not in control of.
Note also that replacing the certificate will break the connection and prevent users signing in to CBC's CMMS until the certificate is updated in our settings. It is therefore important that your IT department coordinate with us so the process is actioned at a low usage time, with the least amount of downtime.
If you have any questions, please feel free to reach out to us.
Process
This Microsoft article is a good guide to the process: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-manage-certificates-for-federated-single-sign-on
Sign in to the Azure Portal.
Navigate to Entra ID
Click 'Enterprise applications'.
Click the appropriate Application.
Under 'Manage', click 'Single sign-on'.
In the 'SAML Certificates' section, click 'Edit'.
Click 'New Certificate'.
- Follow the steps to create a new certificate.
From the 'Single sign-on' window, in the SAML Certificates section, click 'Download' next to the 'Certificate (Base64)' option.
Provide this securely to CBC.
4. Auth0 SAML Connection
For a SAML connection to work Auth0 needs an appropriate SAML enterprise connection created. These connections require a valid SSL certificate to function. These certificates often have an expiry date, necessitating the update of the certificate before expiry, usually annually.
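The expiry dates tracked in section 2, and the timing of the renewal comms in section 3.2, can be read straight from the PEM/Base64 certificate the client supplies. The following is an added example, not part of this procedure, using only the Python standard library; the certificate it builds is a constructed skeleton for demonstration (a real Entra ID certificate downloaded as above is parsed the same way).

```python
import base64, re
from datetime import datetime, timezone

def _read_tlv(data, pos):
    """Read one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    pos = 0                                    # yield (tag, value) of each nested element
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner

def cert_not_after(pem):
    """notAfter of a PEM X.509 certificate as an aware UTC datetime (stdlib only)."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))
    _, cert, _ = _read_tlv(der, 0)             # Certificate ::= SEQUENCE
    fields = list(_children(next(_children(cert))[1]))   # tbsCertificate fields
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity { notBefore, notAfter }, ...
    tag, text = list(_children(fields[3][1]))[1]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(text.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def days_until_expiry(pem, now=None):
    now = now or datetime.now(timezone.utc)
    return (cert_not_after(pem) - now).days

def renewal_due(pem, warn_days=30, now=None):
    return days_until_expiry(pem, now) <= warn_days   # time to send the client comms

def _tlv(tag, value):                          # short-form length is enough for the sample
    return bytes([tag, len(value)]) + value

def make_sample_pem(not_before, not_after):
    """Constructed minimal Certificate skeleton carrying only what the parser reads."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))     # [0] version v3
           + _tlv(0x02, b"\x01")               # serialNumber
           + _tlv(0x30, b"") + _tlv(0x30, b"") # signature, issuer (empty placeholders)
           + _tlv(0x30, utc(not_before) + utc(not_after)))   # validity
    cert = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Run `days_until_expiry(open("cert.pem").read())` against the file the client provides to fill in the expiry column and decide when to start the renewal process.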
4.1. Create a Connection in Auth0
This process covers the steps needed to create the Auth0 half of the SAML connection.
4.2. Update a Certificate in Auth0
This process covers the steps needed to update an existing SAML connection certificate.
Sign in to Auth0
- Ensure you are in the correct tenancy (usually 'cbcgroup' for Prod)
Navigate to the SAML Connection settings.
- Click 'Authentication'.
- Click 'Enterprise'.
- Click 'SAML'.
- Click the appropriate connection.
Update the certificate
- I think you drag the provided file to the X509 Signing Certificate section. TBC