Add enterprise SSO on top of your Auth0 setup

Auth0 already powers your authentication. You don’t need to change that.

But now, your customers want SSO. And you want to support it—without jumping through pricing tiers, setting up IdPs by hand, or building tools for IT admins from scratch.

Scalekit helps you add SSO on top of Auth0.

You plug it in once. From there, you can create organizations, configure SSO (SAML or OIDC), test with an IdP simulator, and share a hosted portal with your customers' IT teams. Behind the scenes, Scalekit connects the user back to Auth0—so your existing sessions, users, and flows stay untouched.

In this guide, we’ll show you how to set up Scalekit with Auth0 and go live with your first SSO connection without rewrites, migrations, and surprises.

Where does Scalekit fit in your Auth0 setup?

Scalekit sits in front of your app, just for SSO. You still use Auth0 to manage sessions and user identities. That stays exactly as is.

• The end user lands on your default login page powered by Auth0. Based on domain matching, Auth0 routes the request to Scalekit.
• Scalekit handles the authentication via SAML or OIDC, using the IdP configuration that the customer’s IT admin set up earlier.
• After successful authentication, Scalekit redirects the user to Auth0’s callback URI along with an authorization code.
• Auth0 exchanges this code for a token from Scalekit’s /token endpoint. This token includes user identity, org info, and attributes.
• You use this identity info to:
  • Find and link to an existing Auth0 user
  • Or create a new one in Auth0 via the Management API

From there, you continue the login as usual like starting a session, setting cookies, issuing tokens, etc. All of that still runs through Auth0.

So, in short, Scalekit handles SSO and Auth0 handles sessions.

Before you begin, make sure:

• Make sure your Auth0 plan includes support for enterprise Connections. This is because Auth0 classifies OIDC providers like Scalekit as Enterprise Connections, which are only available on certain paid plans.
• You have the right permissions in Auth0, specifically, you need to be an Admin or have the Editor - Connections role to create or manage Enterprise Connections.
• You have access to your Scalekit dashboard, where you’ll create organizations, configure redirect URIs, and manage SSO integrations.

How Scalekit’s SSO works with your Auth0 setup

Scalekit and Auth0 work together, but they handle different parts of the login flow.

Scalekit is responsible for the SSO handshake with the customer’s IdP. Auth0 still manages user sessions and tokens once the user reaches your app.

Here’s how the pieces connect:

Adding Scalekit to your Auth0 app: A step-by-step guide

1. Add Scalekit as an OIDC connection in Auth0

Scalekit acts as an external OIDC identity provider that connects your customer’s IdP to Auth0.

Grab the required values from your:

• Auth0 tenant settings (for ^{<AUTH0_TENANT_DOMAIN>,} API token)
• Scalekit dashboard → API Config (for ^env_url, ^client_id, ^{client_secret})

2. Set the Redirect URI in Scalekit

Once Auth0 knows how to talk to Scalekit, you need to tell Scalekit where to send users after login.

In your Auth0 dashboard, copy the Callback URL and configure it within Scalekit's dashboard. This ensures users flow cleanly from Scalekit to Auth0 after a successful SSO login.

3. Onboard your first customer org in Scalekit

Now that the connection is ready, set up an actual org that will use SSO.

In Scalekit, create a new organization and share the admin portal link with your customer’s IT team so they can configure their IdP (SAML or OIDC).

Also, you can map a domain to this org so Scalekit can route login requests correctly.

4. Configure home realm discovery in Auth0

This step tells Auth0 when to use the Scalekit connection—based on the user’s email domain.

In Auth0, add the respective email domain so that Auth0 can route those users to Scalekit for an SSO based login.

So, what changes with Scalekit (and what doesn’t)?

Adding Scalekit to your Auth0 setup gives you a clean separation of concerns. Scalekit handles the SSO handshake and identity connection. You stay in control of user profiles and session logic inside Auth0.

What Scalekit handles

• Creating and managing organizations
• Supporting both SAML and OIDC identity providers
• Hosting an admin portal for your customers’ IT teams to configure their IdP
• Handling the full SSO login flow with the IdP
• Redirecting the user to your app after successful authentication
• Issuing a signed token via the ^/token endpoint with identity and org details

What Auth0 handles

• Receiving the authorization code at Auth0’s callback URI
• Auth0 calling Scalekit’s ^/token endpoint to exchange the code for a signed JWT
• Extracting user identity details from the token (like email, subject_id, org)
• Using that identity to:
  • Link to an existing Auth0 user using the Management API, or
  • Create a new user in Auth0 dynamically
• Starting a session with Auth0 using your existing logic

What doesn’t change

• Auth0 continues to manage sessions, tokens, and user profiles
• Your user profile structure in Auth0 stays intact
• Your login flow remains the same

Wrapping up

You’ve now added enterprise SSO to your Auth0 setup—without rebuilding your auth stack.

Scalekit handles the SSO handshake. Your customers configure their own IdPs. And Auth0 continues to manage users and sessions, just like before.

So when the next enterprise customer asks, “Can you support SSO?”, you already do!

👉 Learn more about the Auth0 + Scalekit integration →