---
title: "Unlock Enterprise Readiness: How to Add Self-Service SSO to Your SaaS App"
description: "In this blog, we will add a capability to add Self-service SSO capability to your SaaS application."
authors:
  - name: "Daizen Ikehara"
    url: "https://auth0.com/blog/authors/daizen-ikehara/"
date: "Apr 28, 2025"
category: "Developers,Tutorial,Nodejs"
tags: ["b2b", "saas", "sso", "self-service", "management api"]
url: "https://auth0.com/blog/how-to-add-self-service-sso-to-your-nodejs-saas-app/"
---

# Unlock Enterprise Readiness: How to Add Self-Service SSO to Your SaaS App

As described in a previous [blog post](https://auth0.com/blog/empower-your-enterprise-customers-to-set-up-their-own-sso-implementations/), supporting your business customers’ security standards becomes essential as your SaaS application scales from serving individual users to enterprise organizations. Auth0 [Enterprise Connections](https://auth0.com/docs/authenticate/enterprise-connections) enables seamless integration with external, federated identity providers (IdPs) to meet enterprise Identity and security requirements. While this feature is powerful, it typically requires Auth0 Tenant Admins or Editors to set up each connection individually or demand custom development within your SaaS application to delegate the tasks to customer admins.

[Self-Service Single Sign-On (SSO)](https://auth0.com/docs/authenticate/enterprise-connections/self-service-SSO) allows B2B SaaS Customers to enable self-service functionality more easily and quickly than before.

Self-service SSO uses the following components to delegate setup to your customers:

1. **Self-service profile**: Defines key elements of customer SSO implementations, such as the identity providers they can use for SSO and which user attributes they must capture, such as email.

2. **Self-service access ticket**: This ticket, provided as a magic URL, grants customer admins access to the SSO setup assistant and sets specific details for their resulting SSO integration. Customer admins can either create a new connection or edit an existing connection.

3. **SSO setup assistant**: Guides customer admins through the SSO setup process.

In this blog post, I'll show you how to set up the feature step by step.

## Set Up Self-Service SSO Feature on the Management Dashboard

First, set up this feature on the Auth0 Management dashboard to understand how it works.

### Create a Self-service profile

On the Auth0 Management dashboard, choose [`Authentication - Enterprise`](https://manage.auth0.com/#/connections/enterprise) in the navigation menu.

![Navigate to enterprise connection](https://images.ctfassets.net/23aumh6u8s0i/5BHvIlNsoOacUMHgy6yCo9/730e1a36187515fb6e57625948241182/navigate-to-enterprise-connection.png)

You will see a list of connections that we support for enterprise. Scrolling to the bottom, you will find the `Self-Service SSO` box. Let's click it.

![Enterprise Connections - Self Service SSO](https://images.ctfassets.net/23aumh6u8s0i/2IeEiZkQY1ijDpWG7k5wox/4572ddb4166480380df8dbea43978a5c/enterprise-connections-self-service-sso.png)

Press `+ Create Profile` to create a new profile.

![Self-Service SSO - Create a profile](https://images.ctfassets.net/23aumh6u8s0i/3KbTZRe9ve9xuVR1R69z4G/a8d78042e3c670f4b6c1740a959bd313/create-self-service-profile.png)

Enter the Name of the profile and Description (optional).

![Self-Service SSO - profile information](https://images.ctfassets.net/23aumh6u8s0i/2lHRcP4tMl7Bm85YLs4upY/0f438bf0d9f069c1c8374ef86e05eb07/self-service-profile-name.png)

In the `Settings` tab, you can select the identity providers that the profile supports.

![Self-Service SSO - seetings](https://images.ctfassets.net/23aumh6u8s0i/5vPhbmy7K7laQGxxApLUU7/299b1b67bfea79c8dd35bbc928958f32/self-service-profile-settings.png)

You can also optionally configure the branding to provide a customized experience. I leave default settings in this post.

![Self-Service SSO - branding](https://images.ctfassets.net/23aumh6u8s0i/7aDnETPoWL8xFLFTbQ8K3U/e69115da740eaf81c4edaa1491a5862d/self-service-profile-branding.png)

If your application requires specific attributes, you can add them in the `User Profile` tab. Customer admins must add these attributes to their identity providers' attributes. Attributes can be email, department, title, and others.

![Self-Service SSO - attributes](https://images.ctfassets.net/23aumh6u8s0i/1tSFkJFF1RQTgQHnBKrQ2w/5ef7983295f38f30b11d50a9e9597092/self-service-profile-attributes.png)

Now, we are ready to generate a ticket for customer admins.

### Generate a Ticket for End-User Admin to Configure SSO

You can generate a ticket for a customer admin to configure SSO by clicking `+ Generate Ticket` on the profile screen.

On the next page, you can set up the ticket to create a new connection or edit an existing one. You must specify the `Connection Name` field to create a new ticket. To edit the connections flow, you must specify the `Connection ID` field instead. You can enter clients ([Auth0 Applications](https://auth0.com/docs/get-started/auth0-overview/create-applications)) in the `Enabled Clients` field and [Organizations](https://auth0.com/docs/manage-users/organizations) in `Enabled organizations` field depending on your SaaS needs. You can also specify other options, too.

![SSO ticket](https://images.ctfassets.net/23aumh6u8s0i/1X2pN37lVg8L5g9AzWkVer/6afdb6e4451ad8c5dafac14c0fa7fbfa/sso-ticket-creation.png)

Once you have set options, click `Create Ticket` at the bottom of the page to generate a ticket. A pop-up window will appear with a URL to set up or edit an SSO connection. You will provide this URL to a customer admin. For security reasons, you should store this URL securely and only share it with authorized individuals.

![Generated Ticket](https://images.ctfassets.net/23aumh6u8s0i/pYCmgMwil68HEQeyf2nx0/7c371af5803c1befe8f5cf93f3bfc4f6/sso-ticket-generated.png)

### Set Up a Self-Service SSO with the Ticket as a Customer Admin

In this step, let’s set up SSO with Google Workspace as a test. Open the generated URL for a ticket in our browser.

On the Identity Provider selection screen, choose Google Workspace and press `Next`.

![SSO Ticket - choose IdP](https://images.ctfassets.net/23aumh6u8s0i/1upHcoVC2hu0ecyZunXlUA/36013086c89c008e7cfdbe49b320ef7d/sso-connection-idp.png)

On the next page, you will find instructions for setting up an OIDC application on the Google Developer Console. Follow the instructions to create an OIDC application.

![SSO Ticket - Create Google Workspace App](https://images.ctfassets.net/23aumh6u8s0i/49VPD5hqN37X75gNnF477c/b43db7800dc3f303c9ca9ccbebba0063/sso-connection-gws-app.png)

After following the instructions, an OAuth client will be created on the Google Developer Console. Copy the `Client ID` and `Client secret` on the popup.

![Google Workspace App](https://images.ctfassets.net/23aumh6u8s0i/2pisP8qxWuboi6BL7eQ1Q7/f5f4a9e04d86f2161d3489b66ed5216e/sso-connection-gws-app-config.png)

In Step 2, Enter `Google Workspace Domain`, `Client ID`, and `Client secret` to configure the connection.

![enter domain, client id, client secret](https://images.ctfassets.net/23aumh6u8s0i/4hKOikb6bnZcgXwUdK7o5L/41d49a8bce18bb5f869e90907d568950/sso-ticket-connection-configure.png)

In Step 3, you can find instructions on the page to grant users or groups access to Auth0 in the Google Admin Console.

![grant users](https://images.ctfassets.net/23aumh6u8s0i/5WF5iGqcDLdyUKO1yAxCHd/8038bc803b74a403b2822e598e4555bd/sso-ticket-gws-grant-access.png)

After you configure everything, you can test SSO in Step 4.

![Test SSO connection](https://images.ctfassets.net/23aumh6u8s0i/1BFjYEJQlfoPiveQfSTUFG/24d96cb6fb8db760066427d7cd8f276e/sso-tciket-connection.png)

If the test goes well, you will see the following screen. Make sure you click the `Done` button to complete. 

![SSO Test result](https://images.ctfassets.net/23aumh6u8s0i/7v1CXo1NaSkrWB2wHYMNgJ/5373122b0f604add5f1d8fa597ced780/sso-ticket-test-completion.png)

### Test the Connection with Auth0

Once the customer admin creates a connection, you can see the connection settings on the Auth0 Management dashboard. Open `Authentication - Enterprise`, and click `Google Workspace`.

You'll notice the connection is listed. You can test the connection by clicking the `Try` option.

![nterprise Connection - Google Workspace](https://images.ctfassets.net/23aumh6u8s0i/7sKRHP9qh1xRkmhtzWHf8I/f1373b693a46ca8977a0130a23922010/enterpriseconnection-gws.png)

If you have configured everything appropriately, a login screen for the Google Workspace account will show up.

![SSO - it works](https://images.ctfassets.net/23aumh6u8s0i/1MdBSBlW4GYyne4IH4xeby/0484e3ef104536bf4328f39a09a313f1/enterprise-connection-test.png)

You have successfully configured an SSO connection using the Self-Service SSO Flow.

In the next section, we will generate a ticket on an application.

## Generate a Ticket in a Node.js Application

In this part, we will implement a feature to generate tickets on the application with the profile we just created on the dashboard. This feature allows customer admins to generate tickets themselves.

As a starting point for following the steps illustrated in this section, you can download a sample Node.js/Express application:

```bash
git clone --branch initial --single-branch https://github.com/neri78/self-service-sso-express.git
```

Follow the instructions in the attached README file to register and configure the application.

In the sample app, once you have signed up as a user and logged in, click Dashboard on the header navigation to open the dashboard page. You will see the following page on the navigation to the Dashboard page. The `Add SSO Connection` button is not functioning at this moment.

![SSO Dashboard - Start](https://images.ctfassets.net/23aumh6u8s0i/1aT1P96Mvj5ZyZedvOalfQ/596ff65b8017d157e2732abd07f2bbb3/sso-dashboard-start.png)

In the following sections, you will:

- Provide access to the Management API for your application
- Generate a ticket for customer Admin to set up an SSO connection.

### Provide access to the Management API for your application

To perform self-service SSO operations from your application, we will register a new application in your Auth0 tenant with access to the Auth0 Management API.

As a first step, access your Auth0 dashboard and register a new Machine-to-Machine application as shown in the following image:

![Auth0 Dashboard - M2M App](https://images.ctfassets.net/23aumh6u8s0i/30T1riISagTm9pNqtj63TK/b42d497c57e8d43d00a643ebdb2cef62/m2m-application.png)

Once you register your application, take note of its domain, client ID, and client secret.

Next, select the Auth0 Management API for your application to authorize.

![Auth0 Dashboard - API access](https://images.ctfassets.net/23aumh6u8s0i/EVYJbyJhI6NW3IxhORr8j/69eec41420da25d26e7dc8b9dd80fbfb/m2m-api.png)

You must select your application's permissions to operate with the API. In this post, we want to retrieve existing self-service SSO profiles and clients and generate a ticket. For those purposes, grant the following permissions:

- read:self_service_profiles
- read:clients
- create:sso_access_tickets

As a general rule, only grant permissions that are strictly necessary for the operations you intend to perform on your tenant.

After enabling permissions, click the `Update` button to apply your changes.

Open the `.env` file in the sample application and find the following environment variables.

```
AUTH0_MANAGEMENT_CLIENT_DOMAIN="YOUR_MANAGEMENT_CLIENT_DOMAIN"
AUTH0_MANAGEMENT_CLIENT_ID="YOUR_MANAGEMENT_CLIENT_ID"
AUTH0_MANAGEMENT_CLIENT_SECRET="YOUR_MANAGEMENT_CLIENT_SECRET"
```

Replace the placeholders `YOUR_MANAGEMENT_CLIENT_DOMAIN`, `YOUR_MANAGEMENT_CLIENT_ID`, `YOUR_MANAGEMENT_CLIENT_SECRET` with the corresponding values of the application you just registered.

### Add Auth0 Node.js Client to Your Application

Your application needs to call the Auth0 Management API to create a ticket. The API allows you to configure your Auth0 tenant via code. We will use the [Node.js client library](https://github.com/auth0/node-auth0) to simplify interacting with the Auth0 Management API. The Node.js client library provides a Management API Client to handle all the management operations.

Let's install the library by the following command:

```bash
npm install auth0
```

Next, we will create a helper module to create an instance of the `ManagementClient` so that the application uses the same instance instead of creating multiple instances every time it interacts with the Auth0 Management API.

Create a `helpers` folder and `auth0ManagementClient.js` file. Then, add the following code.

```javascript
// helpers/auth0ManagementClient.js

// 👇 new code
const { ManagementClient } = require('auth0');

let management = null; 

function getManagementClient() {
  if (!management) {

    // Initialize an instance of the Management API Client
    management = new ManagementClient({
      domain: process.env.AUTH0_MANAGEMENT_CLIENT_DOMAIN,
      clientId: process.env.AUTH0_MANAGEMENT_CLIENT_ID,
      clientSecret: process.env.AUTH0_MANAGEMENT_CLIENT_SECRET,
    });
  }
  return management;
}

module.exports = getManagementClient;
// 👆 new code
```

Every time the `getManagementClient` function is called, it checks an existing instance of `ManagementClient` with the `management` variable and creates a new instance if necessary. When this module is required by another Node.js file for the first time, the entire code is executed, and the exported `getManagementClient` function is cached and returned upon subsequent `require()` calls. 

To use the module, open the `index.js` file in the `routes` folder and import the `getManagementClient` function.

```javascript
// routes/index.js

//...existing code...
var router = require('express').Router();
const { requiresAuth } = require('express-openid-connect');

// 👇 new code
const getManagementClient = require('../helpers/auth0ManagementClient');
// 👆 new code

//...existing code...
```

We will use the module later in the blog post. 

### Generate a Ticket for Customer Admin to Set Up an SSO Connection

When the customer admin clicks the 'Create' button, the application will create a POST request. Let's add the following code snippet to handle this:

```javascript
// routes/index.js

//...existing code...
router.get('/dashboard', requiresAuth() ,async function (req, res, next) {
//...existing code..
});

// 👇 new code
router.post('/dashboard', requiresAuth() , async function (req, res, next) {

  // get an instance of the ManagementClient
  const management = getManagementClient();

  // Get a list of Self Service Profiles 
  const ssProfilesResponse = await management.selfServiceProfiles.getAll();

  // Use the first profile
  const ssoProfile = ssProfilesResponse.data[0];
  
  // build options to generate a ticket for connection creation
  const requestParameters = {
    id: ssoProfile.id
  };

  // Generate connection name and set current Auth0 application as an enabled client
  let bodyParameters = {
      connection_config: {
        name: `self-service-sso-${Date.now()}` 
      },
      enabled_clients: [process.env.CLIENT_ID]
  };

  // generate a self sertvice sso ticket
  let ssoTicket = await management.selfServiceProfiles.createSsoTicket(
    requestParameters,
    bodyParameters
  );

  res.render('dashboard', {
    title: 'Admin Dashboard',
    ticketURL: ssoTicket.data.ticket
  });
});
// 👆 new code

//...existing code..
module.exports = router;
```

Let's see the details of the code.

#### Get an Instance Of The Management Client

In the first step, let’s get an instance of the management client, which provides access to the Management API on your Auth0 tenant. We can use the helper class we implemented to get an instance.

```javascript
//...existing code..

// get an instance of the ManagementClient
const management = getManagementClient();

//...existing code..
```

#### Get a Self-Service Profile

To generate a ticket, a Self-Service Profile must be specified. The following code snippet gets all profiles available in the tenant. To simplify the sample app, this blog post will use the first profile in the list.

```javascript
// Get a list of Self-Service Profiles with current 
const ssProfilesResponse = await management.selfServiceProfiles.getAll();

// Use the 1st profile in this sample
const ssoProfile = ssProfilesResponse.data[0];

//...existing code..
```

The `management.selfServiceProfiles.getAll()` method loads all self-service profiles available in the tenant. 

#### Building Parameters to Generate a Ticket

The `management.selfServiceProfiles.createSsoTicket()` method is to generate a self-service SSO ticket. This method requires `requestParameters` and `bodyParameters`. 

Let's take a look at the requestParameters first:

```javascript
//...existing code..

// build options to generate a ticket for connection creation
const requestParameters = {
    id: ssoProfile.id
};
//...existing code..
```

In `requestParameters`, you will set the id of a self-service profile as `id`.

Next, you can specify options for the ticket in `bodyParameters`:

```javascript
//...existing code..

// Generate connection name automatically and set current Auth0 application as an enabled client
const bodyParameters = {
    connection_config: {
      name: `self-service-sso-${Date.now()}` 
    },
    enabled_clients: [process.env.CLIENT_ID]
};
//...existing code..
```

When generating a ticket for a new connection flow, you must specify a `name` in `connection_config`. Alternatively, you can specify `connection_id` in the body parameter to update an existing connection. In this blog post, we will generate a name with the following snippet: `self-service-sso-${Date.now()}` to create a new connection.

Also, if you want to enable the connection for clients or organizations upon creation, you can set the `enabled_clients` or `enabled_organizations` properties. In this blog post, we specify the current Auth0 application as a client by setting `enabled_clients: [process.env.CLIENT_ID]`

#### Generate a ticket via Management API

After building the `requestParameters` and `bodyParameters`, you will call `management.selfServiceProfiles.createSsoTicket()` method to generate a ticket.

```javascript
//...existing code..

// generate a self sertvice sso ticket
const ssoTicket = await management.selfServiceProfiles.createSsoTicket(
  requestParameters,
  bodyParameters
)

res.render('dashboard', {
  title: 'Admin Dashboard',
  ticketURL: ssoTicket.data.ticket
});

//...existing code..
```

### Let's see it in action!

When you click the `Add SSO Connection button`, you will see the following page with another button that opens the URL of the generated ticket.

![App Admin Dashboard - SSO Configuration](https://images.ctfassets.net/23aumh6u8s0i/4TNFwvvcrEx6YI7bmcd8ac/0323330109afdf2f255d6483c94edb25/sso-dashboard-configure.png)

When you click the button, the browser opens a new tab with the SSO setup assistant page.

![SSO assistant](https://images.ctfassets.net/23aumh6u8s0i/28HqDkBJE9KhxS6zvvBWg5/d758a5cf6bd0d7b005091d4f6a40db09/sso-dashboard-ticket.png)

As we tried in the previous section, you can continue to set up an SSO connection by following the instructions.

Now, you have implemented a feature to generate a Self-Service SSO ticket for your application.

## Conclusion

In this post, you learned how to:

- Create a self-service SSO profile and generate a ticket with the Auth0 Management dashboard.
- Retrieve existing self-service SSO profiles and generate a self-service ticket to begin a Self-Service SSO flow from your application.

This blog post is just the beginning. With this powerful feature, you can create a Self-Service profile from your application, update an existing profile, customize the introduction page of the Self-Service SSO, integrate with the Auth0 Organization feature, and much more. Future posts will expand on this exciting new capability.

## Try with SaaStart: Next.js B2B SaaS Reference Application

Auth0 provides features for building a B2B SaaS application. In this post, I used Node.js/Express to showcase one of its features. If you are considering building a B2B SaaS in Next.js, try [SaaStart](https://a0.to/saastart). The app provides reference implementations of necessary features for B2B SaaS, such as multi-tenancy, login options for enterprise users, security policies, and more.

- [SaaStart App](https://a0.to/saastart)
- [GitHub](https://a0.to/saas-code)