Create Non-Single Sign-On "Break Glass" Account Using the Same Email Address
This article clarifies the procedure for Public Cloud Tenants who use Security Assertion Markup Language (SAML) or Active Directory (AD) connections for Single Sign-On (SSO). The user requires a regular username and password account for emergency access (a "break glass" account) using the same email address as the one used for SSO. When the user attempts to accept the invitation, the system detects the email domain and redirects to the external Identity Provider (IdP).
The Break-Glass account is an email/password account that is used in case of emergencies (when no Tenant Member can authenticate using the IdP account). In the Auth0 context, this account is outside of the company domain, which will bypass Dashboard SSO and can be used to authenticate.
- Public Cloud Tenants
- Single Sign-On (SSO)
- Security Assertion Markup Language (SAML)
- Active Directory (AD)
The following steps allow a new member to be created with a username and password from Settings > Tenant Members > Add Member:

1. Invite the user (`user@sso.com`) from the Dashboard with the desired roles.
2. The user opens an incognito window.
3. The user navigates to `https://manage.auth0.com/login?connection=auth0`.
4. Select Sign up.
5. The user enters the email address (`user@sso.com`).
6. The user chooses a password.
7. The user is logged in, but the screen displays the Complete User Profiling that corresponds to SSO users. Ignore this screen and do not take any action.
8. The user goes to the email and copies the link of the invitation (e.g., `https://manage.auth0.com/invite?token=...`).
9. The user pastes the link in the same incognito window/tab used to sign up.
10. A different User Profiling screen appears. Accept and Continue.
If Home Realm Discovery (HRD) is enabled and the same email address still redirects to SSO, access is possible through the manage domain by specifying the connection in the parameters (same as step 3).

- If Auth0 Teams is used and Enforce SSO is enabled, the break-glass account cannot be used.
- If Enforce SSO is not enabled, other accounts (such as email/password or other team-enabled authentication methods) can be used.
- If Enforce SSO is enabled, only Single Sign-On (SSO) identities can be used.