# SSO with Auth0

Netography’s SAML and your Identity Provider settings need to be configured in parallel. To start, log in to your Netography account as an administrator.

1. Navigate to **Settings > SSO** and enable **SAML Single Sign-on**.
2. Copy the **Assertion consumer service (ACS) URL** from the **SAML Single Sign-On Settings** page that appears. You will need it as input to Auth0 later.

### Auth0 Walkthrough <a href="#auth0-walkthrough" id="auth0-walkthrough"></a>

*Auth0 has updated their UI since these screenshots were taken. Consult the Auth0 documentation for any changes to Auth0 configuration.*

1. Navigate to **Applications** and click **Create Application**.

![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-d99feee47002e4d6a233d879177d84e00f0b2384%2F2885c8dcfeebbb040fe057ce063239a14cbb06d85fd29802d0f298145a8a774a.png?alt=media)

2. Name the application **Netography** and set the application type as **Regular Web Applications**.

![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-8d21592bca061a9eecc5a22c9439137e83803e2c%2F2ebeb0ffd4917a17706cfddbc0dbea02733fac33f0b98bc13fcf4c6f2bf549e1.png?alt=media)

3. Under the **Addons** tab, enable **SAML2 WEB APP**.

![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-854391ad77e30fc15a4c9233c307fdf815e03be3%2F58ad0e258f5ab01f08862d671769781af5a884ddd549a2c8100a3b6a3d58b499.png?alt=media)

4. In the modal that appears, under the Settings tab, paste the **Assertion consumer service URL** into the **Application Callback URL** field.

   1. Additionally, paste the following code into the **Settings** textarea, replacing the placeholders with the appropriate values. Required mappings:
      * Email
      * Role

   ```
   {
     "logout": {
       "callback": "<Assertion consumer service URL>"
     },
     "mappings": {
       "email": "email",
       "nickname": "nickname",
       "phone_number": "phone_number",
       "picture": "picture",
       "role": "role"
     },
     "createUpnClaim": false,
     "passthroughClaimsWithNoMapping": false,
     "mapUnknownClaimsAsIs": false,
     "mapIdentities": false
   }
   ```

![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-794de122fc3bcbe2eca558e349374960178458e2%2F5e2a0db0d28c033917244afb43da48cc20d1e9f32116b35036f36af68ee11ad6.png?alt=media)

5. Scroll to the bottom of the tab and click **Enable**.

![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-174dfc27599d2305fbe13645ecf830b7a1985898%2Ffc1fee8a526c4d1d3efc05a028050583352ea2769b3d2379a1f803e1b50282cd.png?alt=media)

6. On the **Usage** tab, click **Download** (next to **Identity Provider Metadata**). You'll need to upload this file to Netography as part of the [Post-Configuration steps](https://support.netography.com/hc/en-us/articles/4403544816276).

![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-8b22d394e99720b7e90b5284958b616d4f00b669%2F63db49895e38eb05c12cc6ec1c2c7b79e6d9ff8cf49a2dd5afb005f1fb6ce833.png?alt=media)

7. When defining mappings in the SAML2 Web App, attributes from the user profile are expected. Since Auth0's *user\_metadata* is not inherently part of the user profile, these have to be mapped manually. Required mappings are given\_name, family\_name, email and role.
   1. Go to **Dashboard > Auth Pipeline > Rules** and click **Create**.

{% hint style="warning" %}
**🚧Rules will be deprecated by 2024 in Auth0. For more information, see migrating from Rules to Actions**
{% endhint %}

   2. In the list, choose **Enrich Profile > SAML Attributes mapping**.

![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-2dde41f176729615bdd43d65482d82a691aa763c%2Ff1d4eca01497d7b83545923645201b80ecefbc180c13b8775032b41d0cccbb61.png?alt=media)

   3. Name the mapping “SAML Attributes mapping” and paste the following code into the **Script** textarea.

![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-dcae867a8af91de6f41fea3a2e24ea2e67849402%2F9e62c03ef1c987c8bc981ae3d66bed19390ef489a69c4be5610b868c7c5f555c.png?alt=media)

```
function mapSamlAttributes(user, context, callback) {
  context.samlConfiguration.mappings = {
    "given_name": "user_metadata.given_name", // required
    "family_name": "user_metadata.family_name", // required
    "email": "email", // required
    "role": "role", // required
    "nickname": "nickname", // optional
    "phone_number": "phone_number", // optional
    "picture": "picture" // optional
  };
  callback(null, user, context);
}
```

### Netography Post-Configuration <a href="#netography-post-configuration" id="netography-post-configuration"></a>

1. Return to the Netography portal, and upload the **Identity provider metadata** file you downloaded above in the **Provider** section of the **SAML Single Sign-On Settings**.

![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-2cecf83905f46b63c2dfd406208252b911cd9e1b%2F1c6e25f540748e38a7f37287e07b5fcdf2df4c7217954f11d1f9a6eb9e1dd88e.png?alt=media)

2. Click **Next**.
3. Now configure the **User attribute mappers** to match the mapper values configured in Auth0 above:

![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-88c468dd59af34afeb9dca7c0d0599c2c12333cf%2Fee483ac10f7ce37ff4b9cf1f254ba73f309a4c03cb8b0164f734b6e35aeefcd6.png?alt=media)

4. Click **Next**.
5. Next, configure the **Default user role** and role mappers:
   1. Default user role: This is the role an IDM-authenticated user will default to if the role mappings are not found in the SAML exchange. For security purposes, we recommend setting this value to "readonly", but you may want to set this to "admin" as you are testing your configuration.
   2. Admin role mappers: Configure these according to the screenshot below:

![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-a6ecb07efdd27c2b693bc8654cc9283c5bc2be9b%2F54ba5d7cafadbe8a5afed550c92327f4d7b695a5042bc71a84cd2ceadd3a693d.png?alt=media)

6. Click the **Save** button.

Done! Now your users can log in directly via your identity provider using a new account-specific login URL. The new SSO Login URL can now be found under the **Essentials** settings in the **SAML Single Sign-On Settings** page.

![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-d44d92c9b923daa3195a579ebaa96de3801167ff%2F11dfdf8bed4da066db937d21220561ca20f72c0e467dc23260019ee04b76916e.png?alt=media)

{% hint style="warning" %}
**🚧The default login will still work for your account administrator, which is not bound to your IDM.**
{% endhint %}
