How to configure Auth0 SAML SSO

 Auth0 SAML SSO features

• Identity Provider Initiated SSO (IdP-initiated) 

• Service Provider Initiated SSO (SP-initiated)

• Just-in-Time (JIT) user creation is not supported. You can provision users via SCIM on Calendly’s Enterprise plan.

• SAML SSO is only available on Calendly’s Enterprise plan. To learn more, contact your Account Executive or Calendly Sales.

• To configure SAML SSO, you must be a Calendly owner or admin.

• You must use the same email address in Calendly and Auth0.

• During setup, you’ll switch between Calendly and Auth0. It’s best to keep each platform open in a separate browser window.

1. Go to the Calendly single sign-on configuration page

From any Calendly page, select Account, Organization Settings, then Single sign-on.

2. Create a Calendly application in Auth0 

1. In a new window, log in to Auth0.
2. Select Applications.
3. In the drop down menu, select Applications.
4. Select Create Application.
5. In the Name field, enter "Calendly".
6. At Choose application type, select Regular Web Applications.
7. Select Create.
8. Select Settings.
9. Scroll to the bottom and select Advanced Settings.
10. Select Grant Types.
11. Deselect all selections. (Note: You won't be using OAuth2, so none of the selections are needed for this Auth0 application.)
12. Select Save Changes.

3. Add Auth0 details to Calendly

1. Scroll back to the top of the page and select Addons.
2. Select SAML2 Web App.
3. Copy the Issuer ID in Auth0 and paste it into the Entity ID field in Calendly.
4. In Auth0, copy the Identity Provider Login URL and paste it into the Identity provider's SAML HTTP Request URL field in Calendly.
5. In Auth0, at Identity Provider Certificate, select Download Auth0 certificate.
6. In Calendly, select Upload certificate. Locate and enter the certificate downloaded from Auth0.
7. At Session duration, set the appropriate value for your organization's security policies.
8. Select Save & continue.

4. Add Calendly details to Auth0

1. In Auth0, select Settings.
2. In Calendly, copy the ACS URL and paste it into the Application Callback URL field in Auth0.
3. Copy the following JSON and paste it into the Settings field in Auth0:
   

   { "audience": "{Audience URL}", "mappings": { "given_name": "firstName", "family_name": "lastName", "email": "email" }, "passthroughClaimsWithNoMapping": false, "mapUnknownClaimsAsIs": true, "signatureAlgorithm": "rsa-sha256", "digestAlgorithm": "sha256", "signResponse": true, "nameIdentifierProbes": [ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" ] }

   
4. In Calendly, copy the Audience URL.
5. In Auth0, in the JSON in the Settings field, replace {Audience URL}with the Audience URL value you copied from Calendly in step 4.
6. Select Enable. When you see the success message, close the modal.

5. Create a rule in Auth0

1. In Auth0, copy the Client ID and paste it somewhere safe for later use.
2. In the lefthand sidebar click Actions > Flows.
3. Select the Login flow type In the righthand sidebar select + then Build Custom.
4. In the dialog enter "Calendly SAML" for the Name.
5. Select Create.
6. Delete the existing code and copy and paste the code below editor.

   • /** * Handler that will be called during the execution of a PostLogin flow. * * @param {Event} event - Details about the user and the context in which they are logging in. * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login. */ exports.onExecutePostLogin = async (event, api) => { const {client, user} = event if (client.client_id !== '{Client ID}') { return } const name_parts = (user.name || '').split(' ', 3); const given_name = user.given_name || name_parts.at(0); const family_name = user.family_name || name_parts.at(-1); api.idToken.setCustomClaim(`given_name`, given_name); api.idToken.setCustomClaim(`family_name`, family_name); };

7. Replace {Client ID} with the Client ID copied in step 1.
8. Select Save Draft then Deploy.
9. Select Back to Flow.
10. In righthand sidebar click Custom.
11. Drag and drop the Calendly SAML Action into the flow.
12. Select Apply.

6. Test the connection

Note: Before you test the connection, you must be logged in to Calendly and Auth0 with the same email address. 

1. In Calendly, select Test connection. If successful, you'll see a confirmation.

7. Enforce Auth0 SSO for your organization

Note: If your organization has any application restrictions for users, update those rules so the appropriate users can use Calendly.

1. In Calendly, select Enforce SAML SSO for my organization.

Once SSO is enforced, all users will be logged out and will need to use Auth0 SSO to log back in to Calendly. Only the organization owner and admins can log in using their original log in method by selecting Log in using another method on the login page.