SSO Setup: Auth0

Auth0 is a developer-focused identity platform that's particularly forgiving for first-time OIDC setups. The free tier covers up to 7,500 monthly active users, which is plenty for most JAMS IMES customer use cases. Setup is ~10 minutes.

Before you start

  • Admin access in your Auth0 tenant (the term "tenant" in Auth0 is what most other IdPs call "organization" — your top-level account container in Auth0).
  • Admin access in JAMS IMES.
  • The JAMS IMES Redirect URI from your /integrations/sso page.

If you don't have an Auth0 account yet, sign up at auth0.com. Free tier is fine for evaluation.

Step 1 — Pick or create an Auth0 tenant

When you sign up, Auth0 prompts you to create a tenant. Pick a region close to your users; the tenant name shows up in URLs and is hard to change later.

Your tenant's base URL ends up looking like https://<tenant-name>.<region>.auth0.com. Make a note of it — that's your Issuer URL later.

Step 2 — Create the Application

  1. Sign in at manage.auth0.com.
  2. Left sidebar → Applications → Applications → + Create Application.
  3. Fill in:
    • Name: JAMS IMES
    • Application Type: Regular Web Applications. (NOT Single Page Application — JAMS IMES's flow is server-side.)
  4. Click Create.

You land on the application's Quick Start tab. Skip that — go to the Settings tab instead.

Step 3 — Configure URLs

On the Settings tab, scroll to Application URIs:

| Field | Value |
| --- | --- |
| Allowed Callback URLs | Paste the Redirect URI from JAMS IMES's /integrations/sso page (looks like https://notiphone-.../auth/sso/callback) |
| Allowed Logout URLs | Optional — paste your JAMS IMES frontend root if you want logout to redirect back cleanly (e.g. https://notiphone-web-.../login) |
| Allowed Web Origins | Leave blank unless you have a SPA that calls Auth0 directly. JAMS IMES doesn't need this. |

Scroll down further to Application Login URI: leave blank.

Click Save Changes at the bottom.

Step 4 — Capture the credentials

Scroll back up to the top of the Settings tab. You'll see:

  • Domain — e.g. mycompany.us.auth0.com. Prepend https:// to this value to get your Issuer URL.
  • Client ID — long alphanumeric.
  • Client Secret — click the eye icon to reveal, then copy.

Stash all three in a password manager.

Tip: Auth0's Client Secret is reset-able (you can generate a new one without re-creating the app) but the old one is invalidated when you do. Plan rotation accordingly.

The Issuer URL for JAMS IMES is:

https://<your-auth0-domain>

For example: https://mycompany.us.auth0.com. No trailing slash, no path suffix.

Step 5 — (Optional) Choose your connection / database

By default, Auth0 lets users sign in with a username + password stored in Auth0's database. If you want Workspace, GitHub, GitLab, or social logins instead, configure them under Authentication → Database / Social / Enterprise.

For JAMS IMES, the simplest path is the default Database connection — Auth0 stores user credentials, your users sign in with username + password directly to Auth0.

If you want SSO INTO Auth0 (a chained federation, e.g. "log in to Auth0 with my Microsoft account, which logs me into JAMS IMES"), set up an Enterprise connection in Auth0 (SAML, OIDC, AD, etc.) and assign it to the JAMS IMES application. This is a valid pattern but adds complexity. Skip unless you specifically need it.

Step 6 — Create users (or import them)

Even with Auth0 set up, the users who'll sign in to JAMS IMES need to exist in Auth0:

  1. Left sidebar → User Management → Users → + Create User.
  2. Enter email, password, connection (pick the Database one if you're using Auth0's default).
  3. Save.

You'll need to do this for each JAMS IMES user, OR import in bulk (Auth0 docs cover CSV import).

Step 7 — Configure JAMS IMES

Open JAMS IMES → /integrations/sso. Fill in:

| Field | Value |
| --- | --- |
| Configuration name | Auth0 (or Auth0 (Production) if you have multiple Auth0 tenants) |
| Issuer URL | https://<your-auth0-domain> (e.g. https://mycompany.us.auth0.com) |
| Client ID | from Step 4 |
| Client Secret | from Step 4 |
| Scopes | leave default openid profile email |
| Claim mappings | leave defaults |
| Enforce SSO | leave OFF for first test |

Click Save Configuration.
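
The Issuer URL rules from Step 4 and the exact-match requirement on Allowed Callback URLs are the two values most easily pasted wrong. The following is an added example, not part of JAMS IMES or Auth0, that checks both before you save; the function names and the jams.example.test host are hypothetical, constructed sample values.

```python
from urllib.parse import urlsplit

def check_issuer(issuer: str) -> list[str]:
    """Return problems with an Issuer URL; an empty list means it fits the rules above."""
    if "://" not in issuer:
        # The bare Auth0 "Domain" value was pasted without a scheme.
        return ["prepend https:// to the Auth0 Domain"]
    parts = urlsplit(issuer)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.hostname:
        problems.append("host is missing")
    if parts.path:
        problems.append(f"remove trailing slash or path suffix {parts.path!r}")
    if parts.query or parts.fragment:
        problems.append("remove query string or fragment")
    return problems

def explain_callback_mismatch(sent: str, allowed: list[str]) -> list[str]:
    """Empty list if `sent` is listed exactly; otherwise say how each entry differs."""
    if sent in allowed:
        return []
    s = urlsplit(sent)
    notes = []
    for entry in allowed:
        a = urlsplit(entry.strip())
        diffs = [f for f in ("scheme", "netloc", "path", "query")
                 if getattr(s, f) != getattr(a, f)]
        if entry != entry.strip():
            diffs.append("surrounding whitespace")
        notes.append(f"{entry!r} differs in: {', '.join(diffs)}")
    return notes or ["Allowed Callback URLs is empty"]

if __name__ == "__main__":
    # Constructed sample values; substitute the ones from your own tenant.
    for candidate in ("mycompany.us.auth0.com",
                      "https://mycompany.us.auth0.com/",
                      "https://mycompany.us.auth0.com"):
        print(candidate, "->", check_issuer(candidate) or "ok")
    redirect = "https://jams.example.test/auth/sso/callback"
    print(explain_callback_mismatch(
        redirect, [redirect + "/", "http://jams.example.test/auth/sso/callback"]))
```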

Step 8 — Test the flow

  1. Open an incognito window.
  2. Go to /login → enter the email of a JAMS IMES user whose email also belongs to an Auth0 user.
  3. Click Continue → you should see a Continue with Auth0 button.
  4. Click it → Auth0's Universal Login page opens.
  5. Sign in with username + password (or via the Enterprise connection if configured).
  6. First-time consent prompt → approve.
  7. You land on the JAMS IMES dashboard, signed in.

Step 9 — (Optional) Enforce SSO

After confirming at least one admin can sign in via Auth0, you can flip Enforce SSO on. See SSO overview for the safety check.

Auth0-specific gotchas

| Problem | Cause | Fix |
| --- | --- | --- |
| Error: Callback URL mismatch | Allowed Callback URLs in Auth0 doesn't match what JAMS IMES sent | Most common issue. Check Auth0's Application URIs → Allowed Callback URLs is exactly the URL JAMS IMES shows. |
| Sign-in works but user_not_provisioned | Auth0 user email differs from JAMS IMES user email | Audit both. Email case is fine; aliases or typos aren't. |
| sso_no_email_claim | The Auth0 user has no email attribute set | Either the user record is incomplete or you're using a custom Auth0 connection that doesn't return email by default. Check the user in Auth0's User Management → Profile → email field. |
| Sign-in succeeds in Auth0 then loops back | The Auth0 application Grant type isn't enabled | Open the Application → scroll to bottom → Advanced Settings → Grant Types → enable Authorization Code. |
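
For the user_not_provisioned row, the audit of both user lists can be scripted. This added example (not JAMS IMES or Auth0 code) compares two exported email lists the way the table describes: case differences pass, while aliases and typos are flagged. It assumes "alias" means plus-addressing, which is the only alias form it can detect; the function names and addresses are hypothetical, constructed samples.

```python
import difflib

def canonical(email: str) -> str:
    """Email case is fine per the table, so compare lower-cased and trimmed."""
    return email.strip().lower()

def strip_plus_alias(email: str) -> str:
    """alice+oncall@example.test -> alice@example.test (plus-addressing only)."""
    local, _, domain = email.partition("@")
    return local.split("+", 1)[0] + "@" + domain

def audit(jams_emails: list[str], auth0_emails: list[str]) -> dict[str, str]:
    """Classify each Auth0 login email against the JAMS IMES user list."""
    jams = sorted({canonical(e) for e in jams_emails})
    by_base = {strip_plus_alias(e): e for e in jams}
    report = {}
    for raw in auth0_emails:
        e = canonical(raw)
        if e in jams:
            report[raw] = "ok"
        elif strip_plus_alias(e) in by_base:
            report[raw] = f"alias of {by_base[strip_plus_alias(e)]}"
        else:
            # A near match that is not identical is most likely a typo.
            close = difflib.get_close_matches(e, jams, n=1, cutoff=0.9)
            report[raw] = (f"possible typo of {close[0]}" if close
                           else "no JAMS IMES user")
    return report

if __name__ == "__main__":
    # Constructed sample exports from both systems.
    jams_users = ["alice@example.test", "bob@example.test"]
    auth0_users = ["Alice@Example.test", "alice+oncall@example.test",
                   "bob@exmaple.test", "carol@example.test"]
    for email, verdict in audit(jams_users, auth0_users).items():
        print(f"{email:32} {verdict}")
```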

Rotation + maintenance

  • Client Secret rotation: under Application Settings → scroll to bottom → "Rotate Client Secret." Auth0 generates a new one and invalidates the old. Update JAMS IMES immediately, then test.
  • Auth0 tenant migration: if you move from one Auth0 tenant to another (e.g. consolidating), update the Issuer URL + Client ID + Client Secret in JAMS IMES. Users keep working as long as their emails match between old and new tenants.

What's next