> ## Documentation Index
> Fetch the complete documentation index at: https://docs.sprig.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Auth0

To enable SSO with Auth0, complete the following:

1. Contact [support@sprig.com](mailto:sso@sprig.com) to claim the email domain(s) that your SSO users will use to sign in.
2. Log into your Sprig account and navigate to **Settings >** [**Single Sign-On**](https://app.sprig.com/settings/sso).
3. Select the **SSO Enabled** option, and click **Save**.
4. An **Important Values** section should appear. Copy the value of the **Entity URI** field into the **Issuer URL** field in the **Your Identity Provider** section, and click **Save**. Take note of the Entity URI and the ACS URL values provided. You will use them to configure your Auth0 integration in later steps.
5. Log into your Auth0 admin account. Navigate to the Applications page and click "Create Application."

<img align="center" src="https://mintcdn.com/sprig/IibAYOcivdkTylH0/images/4c78c0dbf9d4b7f3eebe487938d64f9a4d7a91472cead64718b35f5589250a87-Screenshot_2026-01-28_at_10.02.29_AM.png?fit=max&auto=format&n=IibAYOcivdkTylH0&q=85&s=90a432f477188089fffa1285a0203a45" width="2870" height="278" data-path="images/4c78c0dbf9d4b7f3eebe487938d64f9a4d7a91472cead64718b35f5589250a87-Screenshot_2026-01-28_at_10.02.29_AM.png" />

6. In the "Name" field, enter "Sprig" or whatever you would like the application to be called, select "Single Page Web Application and click Create.

<img align="center" src="https://mintcdn.com/sprig/_1uWncsTBTa1sJbM/images/ed5a6c5ded0b63ec4a160c3cb9178a6cb11d5725d7f9ef519665d1ed31ad2a83-Screenshot_2026-01-28_at_10.02.50_AM.png?fit=max&auto=format&n=_1uWncsTBTa1sJbM&q=85&s=e65feaf26dd6c15ebb418303693cbd6c" width="1620" height="1462" data-path="images/ed5a6c5ded0b63ec4a160c3cb9178a6cb11d5725d7f9ef519665d1ed31ad2a83-Screenshot_2026-01-28_at_10.02.50_AM.png" />

7. Navigate to the Addons tab and click "SAML2 WEB APP."

<img align="center" src="https://mintcdn.com/sprig/_1uWncsTBTa1sJbM/images/bf823e366d14d7a39338528e5fa434533ec8545c051332f29b1c18801e861e69-Screenshot_2026-01-28_at_10.04.20_AM.png?fit=max&auto=format&n=_1uWncsTBTa1sJbM&q=85&s=14370c7b6e931c4e4b04f42958b38ced" width="2014" height="766" data-path="images/bf823e366d14d7a39338528e5fa434533ec8545c051332f29b1c18801e861e69-Screenshot_2026-01-28_at_10.04.20_AM.png" />

8. On the Usage tab:
   1. Copy the Issuer value and paste it into the Issuer URL field in the Sprig dashboard.
   2. Copy the Identity Provider Login URL value and paste it into the Entry Point URL field in the Sprig dashboard.

<img align="center" src="https://mintcdn.com/sprig/8rOBJC6NeyY76ru8/images/99c5d9f86b43767d4c5a376d74d6c68681a5a16d20419d26b8a613efe0c41b5a-Screenshot_2026-01-28_at_10.06.44_AM.png?fit=max&auto=format&n=8rOBJC6NeyY76ru8&q=85&s=5ce928aa794de2a232c5e8da256e86d2" width="1320" height="1486" data-path="images/99c5d9f86b43767d4c5a376d74d6c68681a5a16d20419d26b8a613efe0c41b5a-Screenshot_2026-01-28_at_10.06.44_AM.png" />

<img align="center" src="https://mintcdn.com/sprig/IibAYOcivdkTylH0/images/4ef4c6075680e92c3a7830c30a565bb008757b1a76e5de763e1c545974808dfd-Screenshot_2026-01-30_at_3.01.08_PM.png?fit=max&auto=format&n=IibAYOcivdkTylH0&q=85&s=da9c59d618c2db0017c84df6014101c7" width="1964" height="686" data-path="images/4ef4c6075680e92c3a7830c30a565bb008757b1a76e5de763e1c545974808dfd-Screenshot_2026-01-30_at_3.01.08_PM.png" />

9. Copy the ACS URL from the Sprig dashboard and paste it into the Application Callback URL field on the Settings tab in the Auth0 admin account.

<img align="center" src="https://mintcdn.com/sprig/_ephcOEAcdx-CRO7/images/0c6aa981fea1d503a79c5bd7744a012b7ce6730c82c350659e095109427f8f7e-Screenshot_2026-01-30_at_3.11.01_PM.png?fit=max&auto=format&n=_ephcOEAcdx-CRO7&q=85&s=104a4bcbffe5bc671dfac9ad0e40d718" width="1222" height="592" data-path="images/0c6aa981fea1d503a79c5bd7744a012b7ce6730c82c350659e095109427f8f7e-Screenshot_2026-01-30_at_3.11.01_PM.png" />

10. In the Settings field, replace the default payload with the following, filling in the `recipient` and `destination` values with the ACS URL. At the bottom of the modal, click Enable.

```
{
  "audience": "https://app.userleap.com/saml", // Entity URI
  "recipient": "", // ACS URL
  "destination": "", // ACS URL
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ],
  "signatureAlgorithm": "rsa-sha256",
  "mapUnknownClaimsAsIs": true,
  "includeAnyClaimInAssertion": false,
  "mappings": {
    "name": "name"
  }
}
```

<img align="center" src="https://mintcdn.com/sprig/IibAYOcivdkTylH0/images/3cc16209e6b956821fcb7e9bc73ee29b50b6faa0a0d9e9b577165971861fb2a2-Screenshot_2026-01-30_at_3.36.12_PM.png?fit=max&auto=format&n=IibAYOcivdkTylH0&q=85&s=f98b1b7da8cf42399099603f8bcf2de9" width="1198" height="840" data-path="images/3cc16209e6b956821fcb7e9bc73ee29b50b6faa0a0d9e9b577165971861fb2a2-Screenshot_2026-01-30_at_3.36.12_PM.png" />

11. Click on Settings > Advanced Settings > Certificates.
    1. Copy the contents of the Signing Certificate, paste it into the X.509 Certificate field in the Sprig dashboard, and click Save.

<img align="center" src="https://mintcdn.com/sprig/_1uWncsTBTa1sJbM/images/c824be496c144861a647bb91386d6e53321d0a564e03f319ee1115d7664930d2-Screenshot_2026-01-30_at_3.49.54_PM.png?fit=max&auto=format&n=_1uWncsTBTa1sJbM&q=85&s=1072dca574de9a919abf2c1a5c1888c0" width="1922" height="1462" data-path="images/c824be496c144861a647bb91386d6e53321d0a564e03f319ee1115d7664930d2-Screenshot_2026-01-30_at_3.49.54_PM.png" />

<img align="center" src="https://mintcdn.com/sprig/IibAYOcivdkTylH0/images/4d2f7774c30a11f1fd99bf5ef05e68e4d988c9a20d77453ad9c5ba91f5b496dc-Screenshot_2026-01-15_at_3.21.24_PM.png?fit=max&auto=format&n=IibAYOcivdkTylH0&q=85&s=7cb301710ca33f9793cd7c2fee942b24" width="1582" height="1532" data-path="images/4d2f7774c30a11f1fd99bf5ef05e68e4d988c9a20d77453ad9c5ba91f5b496dc-Screenshot_2026-01-15_at_3.21.24_PM.png" />

12. At the top of the Application page, copy the Client ID. It will be used in step 14.

<img align="center" src="https://mintcdn.com/sprig/IibAYOcivdkTylH0/images/6fef714e18be3f06a8ddb3705e23d64eac664dd1006ee1c840f1cc92bc3ef4d7-Screenshot_2026-02-02_at_8.33.49_AM.png?fit=max&auto=format&n=IibAYOcivdkTylH0&q=85&s=a0fa572718368e2de55bc8355cf69e6f" width="2096" height="864" data-path="images/6fef714e18be3f06a8ddb3705e23d64eac664dd1006ee1c840f1cc92bc3ef4d7-Screenshot_2026-02-02_at_8.33.49_AM.png" />

13. In the left-hand sidebar, click on Actions > Triggers > post-login > Create Action.
    1. In the "Name" field, enter "Map SAML Attributes" or whatever you would like the action to be called.
    2. Trigger should already be populated with "Login / Post Login."
    3. For Runtime, choose "Node 22." Click Create.

<img align="center" src="https://mintcdn.com/sprig/_1uWncsTBTa1sJbM/images/d2bce5e3b27c88e943edf421c35e47787cac9427b65646274e76f7a78786520c-Screenshot_2026-01-28_at_10.43.01_AM.png?fit=max&auto=format&n=_1uWncsTBTa1sJbM&q=85&s=d2d3da3aae7d458bfa934a86da3eb780" width="2588" height="1010" data-path="images/d2bce5e3b27c88e943edf421c35e47787cac9427b65646274e76f7a78786520c-Screenshot_2026-01-28_at_10.43.01_AM.png" />

<img align="center" src="https://mintcdn.com/sprig/_ephcOEAcdx-CRO7/images/17aec0de20ff65823727a9c1b59dd27c908bb6b02ce4bff5e9c05cf11713f983-Screenshot_2026-01-28_at_10.47.54_AM.png?fit=max&auto=format&n=_ephcOEAcdx-CRO7&q=85&s=6cbd7877f0159ce44713090782e8a7a8" width="2070" height="976" data-path="images/17aec0de20ff65823727a9c1b59dd27c908bb6b02ce4bff5e9c05cf11713f983-Screenshot_2026-01-28_at_10.47.54_AM.png" />

<img align="center" src="https://mintcdn.com/sprig/_ephcOEAcdx-CRO7/images/2cbebf2683c42ec4e2bee6e8972c5642aa83de3e422c82a685f184844474b570-Screenshot_2026-01-28_at_10.48.15_AM.png?fit=max&auto=format&n=_ephcOEAcdx-CRO7&q=85&s=4265adc53a2657eda6436e29dd25bc97" width="924" height="1018" data-path="images/2cbebf2683c42ec4e2bee6e8972c5642aa83de3e422c82a685f184844474b570-Screenshot_2026-01-28_at_10.48.15_AM.png" />

14. In the new action, paste the following code into the code editor. Make sure to replace `CLIENT_ID` with the Client ID from step 12. Click Deploy.

```
exports.onExecutePostLogin = async (event, api) => {
  if (event.client.client_id === 'CLIENT_ID') {

    // Get name
    const fullName = event.user.name || "";

    // Get role from metadata
    let userRole = (event.user.app_metadata && event.user.app_metadata.role) 
                   ? event.user.app_metadata.role 
                   : 'viewer';

    // Set name and role attributes to be mapped to Sprig
    api.samlResponse.setAttribute('name', fullName);
    api.samlResponse.setAttribute('role', userRole.toLowerCase());
  }
};
```

<img align="center" src="https://mintcdn.com/sprig/IibAYOcivdkTylH0/images/78e6680f968c041ebfd7f6ee3c897379de55ebcf85392062c7294cff094640c4-Screenshot_2026-02-02_at_9.50.15_AM.png?fit=max&auto=format&n=IibAYOcivdkTylH0&q=85&s=90c7ea73bb9a2178a7b5390d616ace85" width="2038" height="1260" data-path="images/78e6680f968c041ebfd7f6ee3c897379de55ebcf85392062c7294cff094640c4-Screenshot_2026-02-02_at_9.50.15_AM.png" />

15. Now that the SSO integration is set up, a `role` will need to be added to the profile of users who will use SSO to login to Sprig. If a role is not added to a user, it will default to `viewer` when they login for the first time. The available roles are `admin`, `developer`, `editor`, `editor-lite`, and `viewer`. For more information about the access permissions associated with each role, see our documentation on [Member Permissions](/docs/account-and-settings/team-management-roles/roles-permissions).
    1. To add a role to a user, click on User Management > Users and click on a particular user. Under "App Metadata (app\_metadata)," enter the role as follows:

<img align="center" src="https://mintcdn.com/sprig/_1uWncsTBTa1sJbM/images/f166523b3ec2428443319cb78e5096a1fd59f14f77386754e3f56ca1fc4b8b8c-Screenshot_2026-01-30_at_12.22.29_PM.png?fit=max&auto=format&n=_1uWncsTBTa1sJbM&q=85&s=ef508f0a5798d3742d5b5b617549ce91" width="1950" height="934" data-path="images/f166523b3ec2428443319cb78e5096a1fd59f14f77386754e3f56ca1fc4b8b8c-Screenshot_2026-01-30_at_12.22.29_PM.png" />

<Warning>
  When using the Auth0 SSO integration, Sprig member permissions are controlled by Auth0. Any role changes will need to be made within the Auth0 admin account.
</Warning>

Users that are assigned to the Auth0 application integration will now be able to sign in using the Sprig [SSO login page](https://app.sprig.com/login/sso).