
Prerequisites

  • An Auth0 account with admin access to create applications
  • Bifrost Enterprise deployed and accessible
  • Your Bifrost callback URL: https://<your-bifrost-domain>/login
  • Bifrost roles created for the roles you plan to map

Step 1: Create a regular web application

1. Open the Auth0 dashboard

Sign in to manage.auth0.com. In the left navigation, go to Applications → Applications and click Create Application.
[Screenshot: Auth0 Applications page with Create Application button highlighted]
2. Choose the application type

Give the app a name, e.g. Bifrost OIDC. Select Regular Web Application and click Create.
3. Open the Settings tab

After creating the app, go to the Settings tab. You will see your app's Domain, Client ID, and Client Secret at the top. Keep this tab open, as you will need these values later.
[Screenshot: Auth0 Bifrost OIDC application Settings tab showing the Basic Information section with Domain, Client ID, and Client Secret]
4. Configure callback URLs

Still on the Settings tab, scroll down to Application URIs and add your login callback to Allowed Callback URLs:
https://<your-bifrost-domain>/login
Optionally, to use the Discover Claims feature during Bifrost setup, also add:
https://<your-bifrost-domain>/workspace/scim/oauth-discover-callback
Discover Claims opens a one-time sign-in popup during configuration so Bifrost can inspect the exact JWT your Auth0 tenant sends - useful for verifying the roles claim is present before you build your attribute mappings. You can skip it and add the URL later if needed.
[Screenshot: Auth0 application Settings showing Allowed Callback URLs with the Bifrost login and SCIM discovery endpoints]
Scroll down and click Save Changes.
5. Copy your credentials

Scroll back up to the top of the Settings tab and copy:
  • Domain - e.g. your-tenant.us.auth0.com
  • Client ID
  • Client Secret (click to reveal)
The Client Secret is a credential, not a setting: store it in your secret manager rather than in chat, tickets or plain-text config, and rotate it in Auth0 if it is ever exposed.
[Screenshot: Auth0 Bifrost OIDC application Settings tab showing Domain, Client ID, and Client Secret fields]

Step 2: Add custom claims to the token

Auth0 does not include roles or group memberships in the ID token by default. Use a Post Login Action to inject the attributes you want to map in Bifrost. In Actions → Triggers → post-login, create a custom action and add the claims you need. Add only the claims you actually intend to map: every claim set here ends up in every token Auth0 issues for this application. For example, to expose Auth0 roles:
exports.onExecutePostLogin = async (event, api) => {
  // event.authorization.roles holds the roles assigned under User Management → Users → Roles.
  // Fall back to an empty array so the claim is always present and always a list.
  const roles = event.authorization?.roles ?? [];
  // Set the claim on both tokens so Bifrost can read it from whichever one it inspects.
  api.idToken.setCustomClaim('roles', roles);
  api.accessToken.setCustomClaim('roles', roles);
};
[Screenshot: Auth0 action code editor showing the roles claims in token action]
You can add any other user metadata the same way — event.user.department, event.user.app_metadata.team, etc. Any claim you set here will be available in Bifrost’s Attribute Mapping step.
Using a plain claim name (e.g. roles) keeps the mapping simple. If your org policy requires a URL-namespaced claim (e.g. https://your-domain.com/roles), use the full namespaced string as the claim name in Bifrost’s attribute mappings.
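The following is an added example, not code from the Bifrost documentation or from Auth0: it takes the claim-building part of a Post Login Action out into a pure function so the action can be exercised offline with a constructed event before it is deployed, which is a faster check than a Discover Claims round-trip. The extra team claim read from app_metadata, the optional namespace prefix and the sample events are assumptions for illustration; the roles claim matches the action shown above.

```javascript
// Added example (not Bifrost's or Auth0's own code): the claim-building part of
// an Auth0 Post Login Action, separated into a pure function so it can be
// exercised offline with a constructed event before you deploy the action.
// Assumptions: the extra 'team' claim read from app_metadata and the optional
// namespace prefix are illustrative; 'roles' matches the action shown above.

const NAMESPACE = ''; // e.g. 'https://your-domain.com/' if policy requires namespaced claims

// Compute the custom claims for one login event.
function buildClaims(event, namespace = NAMESPACE) {
  const claims = {};
  // event.authorization.roles is filled only from Auth0's built-in role system;
  // default to [] so the claim is always present and always a list.
  claims[namespace + 'roles'] = event.authorization?.roles ?? [];
  // Optional attribute from app_metadata: omit it entirely when not set, so
  // Bifrost sees a missing claim rather than an empty or "undefined" value.
  const team = event.user?.app_metadata?.team;
  if (typeof team === 'string' && team.length > 0) {
    claims[namespace + 'team'] = team;
  }
  return claims;
}

// The action entry point as Auth0 calls it. In the Auth0 editor this is
// assigned to exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  for (const [name, value] of Object.entries(buildClaims(event))) {
    api.idToken.setCustomClaim(name, value);
    api.accessToken.setCustomClaim(name, value);
  }
};
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Stand-in for the api object Auth0 passes in: records the claims that would
// land in each token (constructed for this example).
function fakeApi() {
  const token = () => {
    const claims = {};
    return { claims, setCustomClaim: (name, value) => { claims[name] = value; } };
  };
  return { idToken: token(), accessToken: token() };
}

// Run the action against an event and return the claims it set. The action body
// contains no await, so the api object is fully populated by the time it returns.
function simulate(event) {
  const api = fakeApi();
  onExecutePostLogin(event, api);
  return { idToken: api.idToken.claims, accessToken: api.accessToken.claims };
}

// Constructed sample events: a user with a role and a team, and one with neither.
const SAMPLE_EVENT = {
  authorization: { roles: ['Engineering'] },
  user: { email: 'alice@example.com', app_metadata: { team: 'Platform' } },
};
const NO_ROLE_EVENT = { user: { email: 'bob@example.com' } };

console.log(JSON.stringify(simulate(SAMPLE_EVENT).idToken));
// prints {"roles":["Engineering"],"team":"Platform"}
```

Running it with node shows exactly which claim names and value shapes Bifrost will see, including the empty roles list for a user who has no Auth0 role, which is the case the troubleshooting section below describes. Switching NAMESPACE to a URL prefix shows the namespaced claim names you would then have to use in the attribute mappings.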

Step 3: Create a Machine-to-Machine app for bulk sync (optional)

This step is only required if you want Bifrost to import users in bulk and sync them in the background every 24 hours. If you only need SSO login, skip this step.
1. Create a Machine-to-Machine application

Go to Applications → Applications and click Create Application. Give it a name, e.g. Bifrost Bulk Sync, select Machine to Machine Application, and click Create.
2. Authorize the Management API

On the next screen, select the Auth0 Management API and grant the following scopes:
  • read:users
  • read:user_idp_tokens
  • read:roles
  • read:role_members
Click Authorize.
3. Copy the M2M credentials

Open the Settings tab of your Bifrost Bulk Sync app and copy:
  • Client ID
  • Client Secret
[Screenshot: Auth0 Bifrost Bulk Sync Machine to Machine application Settings tab showing Client ID and Client Secret]

Step 4: Configure Bifrost

1. Open User Provisioning and choose Auth0

In your Bifrost dashboard, go to Governance → User Provisioning. Select Auth0 as the identity provider and click Next.
[Screenshot: Bifrost Choose Provider screen with Auth0 highlighted]
2. Fill in the provider configuration

Enter the credentials you collected in Steps 1 and 3:
  • Domain - your Auth0 domain, e.g. your-tenant.us.auth0.com
  • Client ID - from the Bifrost OIDC app Settings tab
  • Client Secret - from the Bifrost OIDC app Settings tab
  • M2M Client ID - from the Bifrost Bulk Sync app (optional)
  • M2M Client Secret - from the Bifrost Bulk Sync app (optional)
Click Verify & Next to confirm the connection.
3. Discover claims

On the Attribute Mapping screen, click Discover Claims. Bifrost opens a sign-in popup; no session is created. Once you authenticate, it returns the exact claims your Auth0 tenant is sending in the JWT. Confirm that the roles claim is present and contains the expected values before building your mappings.
[Screenshot: Bifrost Discover Claims screen showing all claims returned by Auth0 including email, roles, and standard OIDC fields]
4. Set up attribute mappings

Use the sections below the claim list to map Auth0 claim values to Bifrost roles, teams, and business units.

Attribute-to-Role Mappings

Map a claim value to a Bifrost role.
  • All matching rules are evaluated - if multiple rules match, the role with the highest permissions is assigned
  • If no rule matches, the user is not assigned a role and login is denied

Attribute-to-Team Mappings

Map a claim value to a Bifrost team. All matching rules apply.
  • Use a specific value (e.g. engineering) to map that exact claim value to a named Bifrost team
  • Use * as the value to sync the claim value directly as the team name
  • Use ${*} to extract part of the string - e.g. Bifrost Playground: ${*} Team matches Bifrost Playground: Alpha Team and creates team Alpha

Attribute-to-Business Unit Mappings

Same wildcard support as team mappings.
  • Use a specific value (e.g. platform) to map that exact claim value to a named Bifrost business unit
  • Use ${*} to extract a substring as the business unit name - e.g. Bifrost Playground: ${*} BU matches Bifrost Playground: Alpha BU and creates business unit Alpha
  • When a rule matches, the resolved business unit is assigned to all of that user’s teams
  • Manually assigned teams are left unchanged
[Screenshot: Bifrost Attribute Mapping screen showing role mappings (roles = Engineering → Admin, roles = Marketing → Viewer) and team mapping with wildcard]
Click Next when done.
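As an added example that is not Bifrost's own code, the block below models the mapping semantics described in this step (exact value, * to sync the claim value, ${*} extraction, all role rules evaluated with the highest-permission role winning, no match meaning denial, and the resolved business unit applied to every mapped team), so that a claim set from Discover Claims can be dry-run against draft rules before you save them. The rule shape, the role-rank table, and the claim, team and business unit names are assumptions for illustration.

```javascript
// Added example, not Bifrost's own code: a model of the attribute-mapping
// semantics described above (exact value, '*', '${*}' extraction, highest role
// wins, no role means denied, business unit applied to all mapped teams), so a
// claim set can be dry-run against draft rules. Rule shape, the role-rank table
// and the claim/team/BU names are assumptions for illustration.

// Resolve one rule against one claim value. Returns the target name or null.
function matchRule(rule, value) {
  if (typeof value !== 'string') return null;
  if (rule.value === '*') return value; // sync the claim value itself
  const at = rule.value.indexOf('${*}');
  if (at === -1) return rule.value === value ? rule.target : null; // exact match
  const prefix = rule.value.slice(0, at);
  const suffix = rule.value.slice(at + '${*}'.length);
  if (!value.startsWith(prefix) || !value.endsWith(suffix)) return null;
  const extracted = value.slice(prefix.length, value.length - suffix.length);
  return extracted.length > 0 ? extracted : null; // require a non-empty capture
}

// Normalise a claim into a list of values ('roles' is an array, 'team' a string).
function claimValues(claims, name) {
  const v = claims[name];
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : [v];
}

// All role rules are evaluated; the matching role with the highest rank wins.
function resolveRole(claims, rules, roleRank) {
  let best = null;
  for (const rule of rules) {
    for (const v of claimValues(claims, rule.claim)) {
      const role = matchRule(rule, v);
      if (role === null) continue;
      if (best === null || (roleRank[role] ?? 0) > (roleRank[best] ?? 0)) best = role;
    }
  }
  return best; // null: no rule matched, login is denied
}

// Every matching team rule contributes a team.
function resolveTeams(claims, rules) {
  const teams = new Set();
  for (const rule of rules) {
    for (const v of claimValues(claims, rule.claim)) {
      const team = matchRule(rule, v);
      if (team !== null) teams.add(team);
    }
  }
  return [...teams];
}

// First matching business unit rule wins.
function resolveBusinessUnit(claims, rules) {
  for (const rule of rules) {
    for (const v of claimValues(claims, rule.claim)) {
      const bu = matchRule(rule, v);
      if (bu !== null) return bu;
    }
  }
  return null;
}

function evaluateMappings(claims, config) {
  const role = resolveRole(claims, config.roleRules, config.roleRank);
  if (role === null) return { allowed: false, reason: 'no role mapping matched' };
  const businessUnit = resolveBusinessUnit(claims, config.businessUnitRules);
  // The resolved business unit is applied to every team the mappings produced.
  const teams = resolveTeams(claims, config.teamRules).map((name) => ({ name, businessUnit }));
  return { allowed: true, role, teams };
}

// Constructed rules mirroring the screenshot description above; the rank table is assumed.
const SAMPLE_CONFIG = {
  roleRank: { Admin: 3, Viewer: 1 },
  roleRules: [
    { claim: 'roles', value: 'Engineering', target: 'Admin' },
    { claim: 'roles', value: 'Marketing', target: 'Viewer' },
  ],
  teamRules: [
    { claim: 'groups', value: 'Bifrost Playground: ${*} Team' },
    { claim: 'team', value: '*' },
  ],
  businessUnitRules: [{ claim: 'groups', value: 'Bifrost Playground: ${*} BU' }],
};

// Constructed claim set, shaped like a Discover Claims result.
const SAMPLE_CLAIMS = {
  email: 'alice@example.com',
  roles: ['Marketing', 'Engineering'],
  groups: ['Bifrost Playground: Alpha Team', 'Bifrost Playground: Alpha BU', 'Other'],
  team: 'Platform',
};

console.log(JSON.stringify(evaluateMappings(SAMPLE_CLAIMS, SAMPLE_CONFIG)));
// prints {"allowed":true,"role":"Admin","teams":[{"name":"Alpha","businessUnit":"Alpha"},{"name":"Platform","businessUnit":"Alpha"}]}
```

The sample user matches both role rules and lands on Admin because it ranks higher; a user whose claims match no role rule is denied outright, which is the behaviour to expect when the roles claim is empty. The ${*} pattern only captures when both the literal prefix and the literal suffix are present and something non-empty sits between them, so a group named Bifrost Playground: Alpha BU does not accidentally create a team.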
5. Review and enable

Review your full configuration on the final screen (connection details, attribute mappings, and SCIM provisioning status), then click Save & Enable.
[Screenshot: Bifrost Review and Enable screen showing Auth0 domain, Client ID, and attribute mappings summary]
Restart your Bifrost server after enabling for the changes to take effect.

Troubleshooting

  • User is not redirected to Auth0 - verify the provider is enabled in Bifrost and the server was restarted after saving. Confirm the Auth0 Domain has no trailing slash in the Bifrost config.
  • Callback URL mismatch - the redirect URI Bifrost sends must exactly match one of the Allowed Callback URLs in Auth0. Check for protocol, trailing slash, and path differences.
  • roles claim not appearing in Discover Claims - confirm the Post Login Action is deployed (not just saved as a draft) and is connected to the Login flow. Open the Action editor and click Deploy if the status shows Draft.
  • Roles not assigned after login - confirm the user has an Auth0 role assigned under User Management → Users → Roles tab. Only roles from Auth0's built-in role system are populated by the action code above; custom claims from other sources need a modified action.
  • invalid_token or audience mismatch - leave the Audience field blank in Bifrost, or set it to match the aud claim in the JWT (typically the Auth0 Client ID).