Configuring Auth0 as an IdP Without Using SAML
This article provides instructions on how to configure one Auth0 tenant as an OpenID Connect (OIDC) Identity Provider (IdP) for another Auth0 tenant acting as the Service Provider (SP). This allows authentication between the two tenants without using the Security Assertion Markup Language (SAML) protocol.
To configure the connection, two main sets of steps are required: configuring the IdP tenant and then configuring the SP tenant. The solution can use either the Front channel or the Back channel method. The Front channel uses the OIDC implicit flow (response_type=id_token with response_mode=form_post, so the ID token is posted directly to the SP's callback), while the Back channel uses the authorization code flow (response_type=code, with the code redeemed at the IdP's token endpoint using the client secret). The Back channel is the most common implementation.
Identity Provider (IdP) Tenant Configuration
- In the IdP tenant, create a standard web application.
- If using the Front channel method, set the application's Token Endpoint Authentication Method to None.
- Add the SP's /login/callback URL (e.g., https://example-sp.us.auth0.com/login/callback) to the application's Allowed Callback URLs field.
- Select the Save button.
Service Provider (SP) Tenant Configuration
- Navigate to Connections > Enterprise and create a new OIDC connection.
- Set the Issuer URL to the IdP's .well-known/openid-configuration endpoint (e.g., https://example-idp.us.auth0.com/.well-known/openid-configuration).
- Set the Client ID to the client ID of the application created in the IdP tenant.
- If using the Back channel method, set the Type to Back channel and set the Client Secret to the client secret from the application created in the IdP tenant.
- Select the Save button.
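The following Python script is an added example, not code from the article or from Auth0. It ties the two configuration sections together: it derives the discovery URL and callback URL the two tenants must agree on, builds the /authorize request the SP sends to the IdP for the Front channel and the Back channel, shows that Auth0 matches Allowed Callback URLs as exact strings, and performs the claim checks an SP has to make on a Front channel ID token. The domains are the article's examples, the client ID is a placeholder, the `openid profile email` scope is an assumption, and signature verification against the IdP's JWKS is left out.

```python
import time
from urllib.parse import urlencode

# Domains taken from the article's examples; the client id is a placeholder, not a real value.
IDP_DOMAIN = "example-idp.us.auth0.com"
SP_DOMAIN = "example-sp.us.auth0.com"
CLIENT_ID = "IDP_APP_CLIENT_ID_PLACEHOLDER"


def discovery_url(idp_domain):
    """OIDC discovery document that the SP connection's Issuer URL should point at."""
    return f"https://{idp_domain}/.well-known/openid-configuration"


def sp_callback_url(sp_domain):
    """Callback the IdP application must list under Allowed Callback URLs."""
    return f"https://{sp_domain}/login/callback"


def callback_allowed(redirect_uri, allowed):
    """Auth0 compares redirect_uri against Allowed Callback URLs as exact strings,
    so scheme, host, path and trailing slash must all match what was saved."""
    return redirect_uri in allowed


def authorize_url(idp_domain, client_id, redirect_uri, channel, state, nonce):
    """Build the /authorize request the SP sends to the IdP for either channel."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",  # assumed scope set
        "state": state,   # CSRF binding, checked when the response comes back
        "nonce": nonce,   # replay binding, must reappear in the id_token
    }
    if channel == "front":
        # implicit flow: the id_token is POSTed straight to /login/callback
        params["response_type"] = "id_token"
        params["response_mode"] = "form_post"
    elif channel == "back":
        # authorization code flow: the code is redeemed at the token endpoint with the client secret
        params["response_type"] = "code"
    else:
        raise ValueError(f"unknown channel: {channel}")
    return f"https://{idp_domain}/authorize?" + urlencode(params)


def validate_id_token_claims(claims, idp_domain, client_id, expected_nonce, now=None):
    """Claim checks the SP must make after verifying the token signature
    (JWKS signature verification is out of scope for this example).
    Returns the names of the failed checks; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    failures = []
    if claims.get("iss") != f"https://{idp_domain}/":  # Auth0 issuer values end with a slash
        failures.append("iss")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        failures.append("aud")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        failures.append("exp")
    if claims.get("nonce") != expected_nonce:
        failures.append("nonce")
    return failures


if __name__ == "__main__":
    import secrets

    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    callback = sp_callback_url(SP_DOMAIN)
    print("issuer url for the SP connection:", discovery_url(IDP_DOMAIN))
    print("allowed callback for the IdP app:", callback)
    for channel in ("front", "back"):
        print(channel, authorize_url(IDP_DOMAIN, CLIENT_ID, callback, channel, state, nonce))
    # constructed sample claims, as the SP would see them after decoding a Front channel id_token
    sample = {"iss": f"https://{IDP_DOMAIN}/", "aud": CLIENT_ID,
              "exp": int(time.time()) + 300, "nonce": nonce}
    print("claim failures:", validate_id_token_claims(sample, IDP_DOMAIN, CLIENT_ID, nonce))
```

The exact-match check is why the callback URL saved in the IdP application must be character-for-character the SP's /login/callback; a trailing slash or an http scheme is rejected. The nonce and state values are what let the SP reject a replayed or cross-site-initiated response, which matters most on the Front channel, where no client secret protects the exchange.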