
# Manage Self-Service Enterprise Configuration

> Use Self-Service Enterprise Configuration to let B2B customers configure their own SAML or OIDC Enterprise connection without granting them Auth0 Dashboard access.

Self-Service Enterprise Configuration gives business-to-business (B2B) companies the tools to delegate SSO setup to their enterprise customers. It requires minimal configuration in your Auth0 tenant and provides your customers with a self-service assistant that guides them through the enablement process.

After a customer completes their setup, the SSO integration is automatically added to your tenant as an [Enterprise connection](/docs/authenticate/enterprise-connections).

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Users with the following Dashboard roles can engage with this feature:

  * **Admin** and **Editor - Connections** users can create and manage self-service profiles.
  * **Viewer - Config** users can view self-service profiles only.
</Callout>

To facilitate Self-Service Enterprise Configuration, you will configure the following components using either the <Tooltip tip="Management API: A product to allow customers to perform administrative tasks." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip> or the <Tooltip tip="Auth0 Dashboard: The web interface for configuring and managing your Auth0 tenant." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip>:

* **Self-service profile**: Defines key elements of customer SSO implementations, including the <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=identity+providers">identity providers</Tooltip> (IdPs) they can use and which user attributes they must capture, such as email. You can create up to 20 profiles in your tenant for different customers or segments.
* **Self-service access ticket**: Grants customer admins access to the [**self-service assistant**](/docs/authenticate/enterprise-connections/self-service-enterprise-configuration#self-service-assistant-experience) and sets specific details for their resulting Enterprise connection. Access tickets allow customer admins to either create new or modify existing connections.

The sections below provide expanded steps for configuring self-service profiles and generating self-service access tickets to share with customer admins.

## Create self-service profiles

You can create self-service profiles using the Auth0 Dashboard or the Management API.

Self-service profiles are used to determine key elements of customer implementations, including:

* Which identity providers customer admins can use for SSO.
* Which user attributes they must capture through SSO, such as email or family name.
* Branding options that customize the look and feel of the self-service assistant.

You can create up to 20 profiles as needed to accommodate different customers or segments.

<Tabs>
  <Tab title="Auth0 Dashboard">
    To create a self-service profile on the Auth0 Dashboard: 

    1. Navigate to [Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise) and open the **Self-Service Enterprise Configuration** section. Then, select **Create Profile**.
    2. In the space provided, enter a name and optional description for the profile. Then, select **Create**.
       * **Optional**: Attach a User Attribute Profile (UAP). Select an existing UAP or create a new one. For a new UAP:
         * Add a name.
         * Review the mappings to ensure the profile attributes map to your preferred Auth0 attributes.
           <Frame><img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0/docs/images/cdy7uua7fh8z/Authenticate%3EEnterprise%3ESelf-Service%3EUAP.png" alt="UAP mapping Authentication > Enterprise > Self-Service" /></Frame>

         <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
         If you create and attach a new User Attribute Profile, or enable an existing one, you will not have the option to add attributes via the **User Profile** tab.
         </Callout>
    3. On the **Settings** tab, complete the sections below. Then, select **Save**.
       * **Identity Providers (IdP)**: Enable one or more identity providers. In the self-service assistant, customer admins can select their preferred option from the list of enabled providers.
       * **Branding**: Provide a logo and primary color for the self-service assistant.
       * **Custom Introduction**: Modify or replace the default message as needed. This introduction text displays to customer admins on the landing page of the self-service assistant. Your messaging can include basic formatting options, such as bolding or hyperlinks, and is limited to 2000 characters.
    4. On the **User Profile** tab, add up to 20 user attributes that your customers should capture through SSO, such as email or family name. You can set each attribute as `required` or `optional`.

       * During the self-service assistant flow, customer admins will be prompted to map these defined user attributes to their identity provider to ensure the necessary values are passed to Auth0.
  </Tab>

  <Tab title="Management API">
    To create a self-service profile, first call the Self-Service Profiles endpoint to create the profile. Then, use a PUT call to optionally modify its introduction text.

    #### Create a self-service profile:

    1. Make a POST call to the [Self-Service Profiles](https://auth0.com/docs/api/management/v2/self-service-profiles/post-self-service-profiles) endpoint.
    2. Specify the following parameters in the request body, as needed:

    | Parameter                       | Required?                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
    | ------------------------------- | ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    | `name`                          | Yes                                  | String. Maximum length is 100.<br /><br />A user-friendly name for the self-service profile.                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
    | `description`                   | No                                   | String. Maximum length is 140.<br /><br />A description of the self-service profile.                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
    | `allowed_strategies`            | No                                   | Array.<br /><br />One or more identity providers that customer admins can use to implement SSO. If omitted, all strategies are allowed by default.<br /><br />Options include:<br /><br /><ul><li>`okta` for Okta Workforce Identity</li><li>`waad` for Entra ID</li><li>`google-apps` for Google Workspace</li><li>`keycloak-samlp` for Keycloak</li><li>`adfs` for Microsoft Active Directory Federation Services</li><li>`pingfederate` for PingFederate</li><li>`oidc` for generic OIDC</li><li>`samlp` for generic SAML</li></ul> |
    | `branding`                      | No                                   | Object.<br /><br />Used to customize the styling of the self-service assistant presented to customer admins.                                                                                                                                                                                                                                                                                                                                                                                                                                 |
    | `branding.logo_url`             | No                                   | String. Maximum length is 1024.<br /><br />An HTTPS URL that points to a logo image. If provided, this logo displays to the top right of the self-service assistant.                                                                                                                                                                                                                                                                                                                                                                         |
    | `branding.colors`               | No                                   | Object.<br /><br />Sets a primary color for certain elements of the self-service assistant, such as interactive buttons.                                                                                                                                                                                                                                                                                                                                                                                                                     |
    | `branding.colors.primary`       | Yes, when defining branding.colors.  | String.<br /><br />Specifies the hex value of the primary color used for the self-service assistant.                                                                                                                                                                                                                                                                                                                                                                                                                                         |
    | `user_attributes`               | No                                   | Object. Maximum length is 20.<br /><br />Stores mapping information presented to customer admins during the self-service assistant flow. Customer admins are instructed to map these attributes to their identity provider to ensure the specified attributes are passed to Auth0.                                                                                                                                                                                                                                                           |
    | `user_attributes[].name`        | Yes, when defining user\_attributes. | String. Maximum length is 255.<br /><br />Name of the user attribute in Auth0.                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
    | `user_attributes[].description` | Yes, when defining user attributes.  | String. Maximum length is 255.<br /><br />Human-readable description of the user attribute.                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
    | `user_attributes[].is_optional` | Yes, when defining user attributes.  | Boolean.<br /><br />Indicates whether the attribute is optional or required for the application to function.<br /><br /><ul><li>`true`: the attribute is optional.</li><li>`false`: the attribute is required (as for `email` in the example request body below).</li></ul> |
    | `user_attribute_profile_id`     | No                                   | ID of the [User Attribute Profile](/docs/authenticate/enterprise-connections/user-attribute-profile) to associate with the self-service profile. |

    **Example request body**

    ```json lines theme={null}
    {
      "name": "Example Profile",
      "description": "An example profile for all customers",
      "allowed_strategies": ["okta", "adfs", "google-apps"],
      "user_attributes": [
        {
          "name": "email",
          "description": "User's email",
          "is_optional": false
        }
      ],
      "branding": {
        "logo_url": "https://example.com/logo.png",
        "colors": {
          "primary": "#334455"
        }
      }
    }
    ```

    #### Customize your introduction text

    When a customer admin accesses the self-service assistant, they first land on an introduction page that welcomes them to the experience. By default, the following message is provided:

    "You are a few simple steps away from setting up SSO. This setup process involves making some changes to your identity provider. Before you begin, open your identity provider in a separate browser tab or window."

    You can modify this text by making a PUT call to the [Custom Text for Self-Service Profiles](https://auth0.com/docs/api/management/v2/self-service-profiles/put-self-service-profile-custom-text) endpoint.

    <Warning>
      Be aware that this call **overwrites** any messaging currently set for the self-service profile. Ensure your call includes the complete text you wish to display to your customer admins.
    </Warning>

    1. Call `PUT /api/v2/self-service-profiles/{id}/custom-text/{language}/{page}`, where

       * `id` is the profile ID of the self-service profile
       * `language` is set to `en`
       * `page` is set to `get-started`
    2. In the request body, specify the following:

    | Property       | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
    | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
    | `introduction` | <ul><li>String. Maximum length is 2000.</li><li>Full introduction text to display on the landing page of the self-service assistant. Text can include basic formatting options, such as bolding or hyperlinks.</li><li>Custom text provided through this parameter completely overwrites any previous messaging. For best results, ensure you provide the full message you wish to display to customer admins.</li><li>Sending an empty body `\{}` resets any customized messaging to the default text. </li></ul> |

    3. The response returns the updated custom text entity.

    **Example call**

    ```http lines theme={null}
    PUT /api/v2/self-service-profiles/ssp_1234567890/custom-text/en/get-started
    Content-Type: application/json

    {
      "introduction": "Welcome! With <b>only a few steps</b>, you'll be able to set up your new connection. For assistance, contact <a href=\"https://www.examplesupportsite.com\">our support team</a>."
    }
    ```

    **Example response**

    ```json lines theme={null}
    {
      "introduction": "Welcome! With <b>only a few steps</b>, you'll be able to set up your new connection. For assistance, contact <a href=\"https://www.examplesupportsite.com\">our support team</a>."
    }
    ```
  </Tab>
</Tabs>
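The following Python script is an added example for the Management API tab above; it is not Auth0's own code or SDK. It builds the request body for the Self-Service Profiles endpoint and the custom-text PUT, checking the documented limits (name 100, description 140, at most 20 user attributes, HTTPS logo URL, 2000-character introduction, the listed `allowed_strategies` values) before anything is sent, and it turns a `required` flag into the API's `is_optional` boolean so the inversion cannot be got wrong by hand. The hex-color check, the tenant domain and the token are assumptions or placeholders; `management_api_call` needs network access and a Management API token with the self-service-profile scopes and is not exercised offline.

```python
"""Build and pre-validate self-service profile request bodies (added example)."""
import json
import re
import urllib.request

# Constraints from the parameter table for POST /api/v2/self-service-profiles
ALLOWED_STRATEGIES = {"okta", "waad", "google-apps", "keycloak-samlp",
                      "adfs", "pingfederate", "oidc", "samlp"}
MAX_NAME, MAX_DESCRIPTION, MAX_LOGO_URL = 100, 140, 1024
MAX_USER_ATTRIBUTES, MAX_ATTRIBUTE_FIELD = 20, 255
MAX_INTRODUCTION = 2000  # PUT .../custom-text/en/get-started
# Assumption: the primary color is a 3- or 6-digit hex value such as "#334455".
HEX_COLOR = re.compile(r"^#(?:[0-9A-Fa-f]{3}){1,2}$")


def _check_len(label, value, limit):
    if len(value) > limit:
        raise ValueError(f"{label} exceeds {limit} characters")


def build_profile(name, description=None, allowed_strategies=None,
                  attributes=(), logo_url=None, primary_color=None):
    """Return a request body for the Self-Service Profiles endpoint.

    `attributes` is an iterable of (name, description, required) tuples. The
    `required` flag is stored as `is_optional: not required`, so a required email
    attribute becomes {"name": "email", ..., "is_optional": False}, matching the
    page's example body. Raises ValueError on any documented constraint violation.
    """
    _check_len("name", name, MAX_NAME)
    body = {"name": name}
    if description is not None:
        _check_len("description", description, MAX_DESCRIPTION)
        body["description"] = description
    if allowed_strategies is not None:
        unknown = set(allowed_strategies) - ALLOWED_STRATEGIES
        if unknown:
            raise ValueError(f"unknown strategies: {sorted(unknown)}")
        body["allowed_strategies"] = list(allowed_strategies)
    attributes = list(attributes)
    if len(attributes) > MAX_USER_ATTRIBUTES:
        raise ValueError(f"at most {MAX_USER_ATTRIBUTES} user attributes are allowed")
    if attributes:
        body["user_attributes"] = []
        for attr_name, attr_desc, required in attributes:
            _check_len("user_attributes[].name", attr_name, MAX_ATTRIBUTE_FIELD)
            _check_len("user_attributes[].description", attr_desc, MAX_ATTRIBUTE_FIELD)
            body["user_attributes"].append(
                {"name": attr_name, "description": attr_desc, "is_optional": not required})
    branding = {}
    if logo_url is not None:
        _check_len("branding.logo_url", logo_url, MAX_LOGO_URL)
        if not logo_url.startswith("https://"):
            raise ValueError("branding.logo_url must be an HTTPS URL")
        branding["logo_url"] = logo_url
    if primary_color is not None:
        if not HEX_COLOR.match(primary_color):
            raise ValueError("branding.colors.primary must be a hex color such as #334455")
        branding["colors"] = {"primary": primary_color}
    if branding:
        body["branding"] = branding
    return body


def custom_text_body(introduction):
    """Body for PUT .../custom-text/en/get-started; json.dumps escapes HTML quotes."""
    _check_len("introduction", introduction, MAX_INTRODUCTION)
    return {"introduction": introduction}


def management_api_call(tenant_domain, token, method, path, body=None):
    """Send one Management API request (needs network access and a real token)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"https://{tenant_domain}{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    profile = build_profile(
        "Example Profile", description="An example profile for all customers",
        allowed_strategies=["okta", "adfs", "google-apps"],
        attributes=[("email", "User's email", True)],  # required -> is_optional: false
        logo_url="https://example.com/logo.png", primary_color="#334455")
    print(json.dumps(profile, indent=2))
    # Placeholders: replace YOUR_TENANT.auth0.com and MGMT_API_TOKEN before running.
    # created = management_api_call("YOUR_TENANT.auth0.com", "MGMT_API_TOKEN",
    #                               "POST", "/api/v2/self-service-profiles", profile)
    # management_api_call("YOUR_TENANT.auth0.com", "MGMT_API_TOKEN", "PUT",
    #     f"/api/v2/self-service-profiles/{created['id']}/custom-text/en/get-started",
    #     custom_text_body('Welcome! Contact <a href="https://example.com">support</a>.'))
```

Validating client-side does not replace the API's own checks; it keeps a malformed profile (an unknown strategy, an `http://` logo, a 21st attribute) from ever reaching the tenant, and the `required` flag makes the intended `is_optional` value explicit in code review.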

## Manage self-service access tickets

After creating at least one self-service profile, you can generate self-service access tickets using either the Auth0 Dashboard or the Management API.

Self-service access tickets serve two primary purposes:

* Granting customer admins access to the self-service assistant where they can configure a new SSO connection or modify an existing connection.
* Predefining key details and behaviors of new SSO connections your customer admins will configure, such as which applications or organizations will be enabled for the new connection.

When generating access tickets, you can also enable <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> IdP-initiated SSO, configure identity provider domains (which drive Home Realm Discovery), and require domain verification.

#### SAML IdP-initiated SSO

SAML IdP-initiated SSO is a style of implementation that allows identity providers to initiate SSO and redirect users to the service provider for authentication.

When enabling this option for Self-Service Enterprise Configuration, you must provide your default application and response protocol. You can also provide an optional query string to further customize the connection's behavior.

To learn more about these options, review [Configure SAML Identity Provider-Initiated Single Sign-On](/docs/authenticate/protocols/saml/saml-sso-integrations/identity-provider-initiated-single-sign-on).

#### Email domain verification and pre-verified domains

Self-Service Enterprise Configuration supports three ways to associate email domains with an Enterprise connection. All three populate the same field, `options.domain_aliases`, which drives Home Realm Discovery (HRD) and, when enabled, Organization Domains for discovery:

1. **Pre-verified domains** (tenant-managed): The tenant admin adds known domains directly to the connection.
2. **Domains to be verified**: The tenant admin specifies domains that the IT admin must verify during setup. These domains are listed as pending on the Organization and/or are not associated with the connection until the IT admin completes verification.
3. **Email domain verification** (self-managed): Your customer's admin verifies the domain during setup in the self-service assistant.

These mechanisms apply only to the email domains used for HRD and SSO routing; they are unrelated to Custom Domain verification at the tenant level.

For a domain to populate with both Organization Domains for Discovery and HRD, the ticket must:

* Include exactly one `enabled_organization`
* Have either pre-verified domains or a Domain Verification Requirement of **Required** or **Optional**
* Enable **Allow the Use of Domains for Organization Discovery**

##### Pre-verified domain

Use pre-verified domains to associate email domains with an Enterprise connection at the tenant level. Added domains are treated as trusted and are written directly to `options.domain_aliases`.

You can provide domains when [generating self-service access tickets](#generate-access-tickets-for-new-connections) through either the Auth0 Dashboard or the Management API.

* **Auth0 Dashboard**: On the **Generate Ticket** page, specify your list of domains with the **Pre-verified Domains** field.
* **Management API**: Set `connection_config.options.domain_aliases` to the list of domains. By default, `use_for_organization_discovery` is set to `true`; set it explicitly to control whether these domains are used for Organization discovery (the API equivalent of the **Allow the Use of Domains for Organization Discovery** option).

Domains added by tenant admins are treated as **trusted** and **do not** require the customer admin to complete verification. If you want IT admins to verify a domain instead of treating it as trusted, set `domain_aliases_config.domain_verification` to `required` or `optional` so the self-service assistant prompts for verification. The **Allow the Use of Domains for Organization Discovery** option requires exactly one `enabled_organization` in the ticket.

##### Domains to be verified

Use domains to be verified to specify domains that IT admins must verify during setup. Unlike pre-verified domains, pending domains are not automatically associated with the connection or Organization; IT admins must complete verification in the self-service assistant before the domains take effect.

You can provide domains when [generating self-service access tickets](#generate-access-tickets-for-new-connections) through either the Auth0 Dashboard or the Management API:

* **Auth0 Dashboard**: On the **Generate Ticket** page, specify your list of domains with the **Domains to be Verified** field.
* **Management API**: Set `connection_config.options.domain_aliases` to the list of domains. By default, `use_for_organization_discovery` is set to `true`; set it explicitly to control whether these domains are used for Organization discovery (the API equivalent of the **Allow the Use of Domains for Organization Discovery** option).

The following limits apply:

* If exactly one Organization is associated with the ticket, the combined total of existing and pending Organization domains must not exceed 100.
* If no Organization, or more than one Organization, is associated with the ticket, the combined total of existing and pending domain aliases on the connection must not exceed 1,000.

If adding the pending domains would exceed either limit, ticket creation fails with an error.

##### Email domain verification

In contrast to pre-verified domains, email domain verification confirms an IT admin owns the domain they provide during self-service setup. When verification is complete, the verified domain is added to the same `options.domain_aliases` array on the connection.

You can enable verification for IT admins when you generate self-service access tickets:

* **Auth0 Dashboard**: On the **Generate Ticket** page, use the **Domain Verification Requirement** field. Optionally, select the **Allow the Use of Domains for Organization Discovery**.
* **Management API**: Set `domain_aliases_config.domain_verification` to one of the following values, and optionally set `use_for_organization_discovery`:
  * `none` (default): The self-service assistant does not prompt the customer admin to verify a domain.
  * `required`: The self-service assistant prompts the customer admin to verify their domains, and the connection cannot be enabled until verification is complete.
  * `optional`: The self-service assistant prompts the customer admin to verify their domain, but they can choose to skip the step.

The **Allow the Use of Domains for Organization Discovery** option requires exactly **one** Organization in the **Enabled Organizations** field and either pre-verified domains or a **Domain Verification Requirement** of **Optional** or **Required**. Verification can take up to 48 hours in some cases, and access tickets expire five hours after first being opened, so you may need to issue a follow-up access ticket to let the customer admin return and enable the connection. Review [Generate access tickets for existing connections](https://auth0.com/docs/authenticate/enterprise-connections/self-service-enterprise-configuration/manage-self-service-enterprise-config#generate-access-tickets-for-existing-connections).
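The domain rules stated in this section and in "Domains to be verified" above (exactly one Organization for discovery, pre-verified domains or a verification requirement, and the 100 / 1,000 pending-domain limits) are easy to violate in an automated ticket pipeline, where a rejected ticket only surfaces as an API error. The Python check below is an added example, not Auth0's code, that evaluates those rules before the `sso-ticket` call. It follows the page's model that aliases sent with `domain_verification` set to `none` are trusted and aliases sent with `optional` or `required` are pending; the placement of `use_for_organization_discovery` under `domain_aliases_config`, the `existing_domain_count` input and the `org_EXAMPLE` identifier are assumptions or constructed values.

```python
"""Pre-flight checks for the domain settings of a self-service access ticket (added example)."""

VERIFICATION_LEVELS = ("none", "optional", "required")
MAX_ORG_DOMAINS = 100          # ticket tied to exactly one Organization
MAX_CONNECTION_DOMAINS = 1000  # no Organization, or more than one


def validate_ticket_domains(enabled_organizations, domain_aliases=(),
                            domain_verification="none",
                            use_for_organization_discovery=False,
                            existing_domain_count=0):
    """Return the rule violations for a ticket's domain settings ([] when acceptable).

    Aliases sent with domain_verification "none" are pre-verified (trusted); aliases
    sent with "optional" or "required" stay pending until the customer admin verifies
    them, and only the pending ones count against the 100 / 1,000 limits here.
    existing_domain_count is the number of domains already on the Organization (one
    org on the ticket) or on the connection (otherwise); it is an assumed input.
    """
    errors = []
    if domain_verification not in VERIFICATION_LEVELS:
        return [f"domain_verification must be one of {VERIFICATION_LEVELS}"]
    if use_for_organization_discovery:
        if len(enabled_organizations) != 1:
            errors.append("organization discovery needs exactly one enabled organization")
        if not domain_aliases and domain_verification == "none":
            errors.append("organization discovery needs pre-verified domains or "
                          "domain_verification set to optional/required")
    pending = len(domain_aliases) if domain_verification != "none" else 0
    limit = MAX_ORG_DOMAINS if len(enabled_organizations) == 1 else MAX_CONNECTION_DOMAINS
    total = existing_domain_count + pending
    if total > limit:
        errors.append(f"{total} existing + pending domains exceeds the limit of {limit}")
    return errors


def ticket_domain_fields(enabled_organizations, domain_aliases=(),
                         domain_verification="none",
                         use_for_organization_discovery=False,
                         existing_domain_count=0):
    """Return the domain-related fragment of the sso-ticket body, or raise ValueError."""
    errors = validate_ticket_domains(enabled_organizations, domain_aliases,
                                     domain_verification, use_for_organization_discovery,
                                     existing_domain_count)
    if errors:
        raise ValueError("; ".join(errors))
    # Assumption: use_for_organization_discovery sits beside domain_verification under
    # domain_aliases_config; the page names the key but not its parent object.
    return {
        "connection_config": {"options": {"domain_aliases": list(domain_aliases)}},
        "domain_aliases_config": {
            "domain_verification": domain_verification,
            "use_for_organization_discovery": use_for_organization_discovery,
        },
    }


if __name__ == "__main__":
    # Constructed scenario: one Organization, two trusted domains, discovery enabled.
    print(ticket_domain_fields(["org_EXAMPLE"], ["example.com", "example.org"],
                               use_for_organization_discovery=True))
    # Constructed scenario the API would reject: two Organizations with discovery on.
    print(validate_ticket_domains(["org_A", "org_B"], ["example.com"],
                                  use_for_organization_discovery=True))
```

Run the check once per ticket before calling the endpoint; the returned list gives every violated rule at once rather than the single error the API would return, which is what you want when a batch job issues tickets for many customers.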

##### Remove a domain

IT admins can remove verified domains from within the self-service assistant. The following rules apply based on the Domain Verification Requirement set on the ticket:

* **Optional**: All verified domains can be removed.
* **Required**: At least one verified domain must remain. A warning appears if the IT admin tries to remove the last verified domain.

### Generate access tickets for new connections

You can generate access tickets for new connections through either the Auth0 Dashboard or the Management API.

<Warning>
  By default, access ticket URLs remain valid for five days after generation. After accessing the ticket URL, the customer admin has five hours to complete their setup. An access ticket URL can be accessed a maximum of 10 times; once this limit is reached, a new access ticket must be requested.

  If needed, you can revoke an access ticket prior to its expiration to immediately cease access to the self-service assistant.
</Warning>

<Tabs>
  <Tab title="Auth0 Dashboard">
    To generate an access ticket for a new connection through the Auth0 Dashboard:

    1. Navigate to [Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise) and access the **Self-Service Enterprise Configuration** section. Then, select the self-service profile with which you want to create an access ticket.

    2. Select **Generate Ticket** to open the ticket form. Under **Select ticket type**, choose **Create a new connection**.

    3. Under **Ticket configuration**, provide a required name for the connection your customer admin will configure.

    4. In the **Settings** section, configure additional options as needed for the new connection:

       * **Domain**: Select the custom domain to be used in the ticket URL. Only available when multiple custom domains are present.
       * **Display Name**: A user-friendly name for the connection that displays on Universal Login prompts.
       * **Enabled Clients**: A comma-separated list of client IDs to associate with the connection.
       * **Enabled Organizations**: A comma-separated list of organization IDs to associate with the connection.
       * **Display connection as a button**: Displays the connection as an authentication option on the login screen.
       * **Display connection as a button for organizations**: Displays the connection as an authentication option on the login screen for the specified organizations.
       * **Assign membership on login for organizations**: Automatically grant organization membership to users who authenticate with the connection.
       * **Enable as a domain level connection**: Allow 3rd-party applications to use the connection; requires [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration).
       * **Accept SAML IdP-initiated SSO**: Enables [SAML Identity Provider-initiated SSO](/docs/authenticate/protocols/saml/saml-sso-integrations/identity-provider-initiated-single-sign-on).

    5. Under **Domain-Based Discovery**, optionally provide a comma-separated list of IdP domains (already verified, or to be verified) to compare against users' email domains. These domains are stored in `options.domain_aliases` and drive HRD. To learn more, read [Home Realm Discovery](#home-realm-discovery).

    6. Under **Domain Verification Requirement**, choose your desired level of verification:
       * **Off**: Customer admins are not prompted to verify their domain when setting up SSO. **Off** is the default setting for new access tickets.
       * **Optional**: Customer admins are prompted to verify their domain when setting up SSO. However, they can skip this step and enable their connection without completing verification.
       * **Required**: Customer admins must verify their domain when setting up SSO. They will not be able to enable their connection until verification is complete.

    7. Under **Provisioning**, optionally enable **Sync users and group profiles using provisioning**. When enabled, additional configuration is available:
       * **Bearer Token Expiration**: Define an expiration date for the SCIM bearer token. By default, bearer tokens do not expire.
       * **Bearer Token Permissions (Scopes)**: Choose which actions the token can perform. By default, all provisioning scopes are enabled:
         * `get:users`
         * `post:users`
         * `put:users`
         * `patch:users`
         * `delete:users`
         * `get:groups`
         * `post:groups`
         * `put:groups`
         * `patch:groups`
         * `delete:groups`

    8. Under **Time to Live**, set an expiration period for the access ticket in seconds. By default, time to live is set to 432000 seconds (which equals five days).

       * Time to Live determines how long an access ticket URL is active **before** a customer admin launches the self-service assistant. It does not determine how long the customer admin has access to the assistant after it’s been launched. The expiration of the self-service assistant itself is 5 hours and cannot be configured.

    9. Under **Metadata**, add up to 10 metadata entries to associate with the connection.

    10. Review your access ticket configuration for accuracy. Then, select **Create Ticket**.

    A Ticket Information popup containing the access ticket URL then displays. Copy and save this URL somewhere safe, as you cannot retrieve this URL again after closing the popup.

    You can share the access ticket URL with your customer admin through email, chat, or another communication channel to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review [Self-service assistant experience](/docs/authenticate/enterprise-connections/self-service-enterprise-configuration#self-service-assistant-experience).
  </Tab>

  <Tab title="Management API">
    To generate an access ticket through the Management API:

    1. Retrieve the ID of the self-service profile you want to associate with the access ticket through the [Retrieve Self-Service Profiles](https://auth0.com/docs/api/management/v2/self-service-profiles/get-self-service-profiles) endpoint.
    2. Call the [SSO Access Ticket](https://auth0.com/docs/api/management/v2/self-service-profiles/post-sso-ticket) endpoint using the ID of the appropriate self-service profile:

    `POST /api/v2/self-service-profiles/{id}/sso-ticket`

    <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
      Use the `auth0-custom-domain` header to set the custom domain to be used in the ticket URL. This is only available when the Multiple Custom Domains feature is enabled.
    </Callout>

    In the request body, specify the parameters described in the table below.

    | Parameter                                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
    | ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
    | `connection_config`                                  | Object.<br /><br />Required when generating an access ticket for **a new SSO connection**. Customer admins will be able to modify key elements of the connection, such as the SAML certificate or OIDC ID or secret.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
    | `connection_config.name`                             | **Required**. String.<br /><br />Name for the connection created through the SSO setup assistant. Maximum length is 128.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
    | `connection_config.display_name`                     | **Optional**. String.<br /><br />User-friendly name for the new connection created through the self-service assistant. This name displays on Universal Login prompts. Maximum length is 128.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
    | `connection_config.is_domain_connection`             | **Optional**. Boolean.<br /><br />Set to `true` if the connection is at the domain level; requires [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
    | `connection_config.show_as_button`                   | **Optional**. Boolean.<br /><br />When `true`, the connection displays as an authentication option on your application's login screen.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
    | `connection_config.metadata`                         | **Optional**. Object\[].<br /><br />Metadata associated with the new connection.<br /><br />Object can contain up to 10 key-value pairs. String values limited to 255 characters.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
    | `connection_config.options`                          | **Optional**. Object\[].<br /><br />Options for the new connection, including:<ul><li>`icon_url`</li><li>`domain_aliases[]`</li><li>`idpinitiated`</li></ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
    | `connection_config.options.icon_url`                 | **Optional**. String.<br /><br />URL of the icon image to use if `connection_config.show_as_button` is enabled. Must use HTTPS.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
    | `connection_config.options.domain_aliases`           | **Optional**. String\[].<br /><br />Domains to use for home realm discovery.<br /><br />Domains entered into `domain_aliases` are automatically marked as verified. To have a customer admin verify a domain themselves, do not specify this attribute and instead use `domain_aliases_config` (described further on in this table). This option allows you to prompt the customer admin to verify their domain through the self-service assistant.                                                                                                                                                                                                                                                                                                                                                                            |
    | `connection_config.options.idpinitiated`             | **Optional**. Object.<br /><br />Allows [SAML IdP-initiated SSO](/docs/authenticate/enterprise-connections/self-service-enterprise-configuration/manage-self-service-enterprise-config#saml-idp-initiated-sso) and includes the following attributes:<br /><br /><ul><li>`enabled`</li><li>`client_id`</li><li>`client_protocol`</li><li>`client_authorizequery`</li></ul><br />For full details, review the [SSO Access Ticket](https://auth0.com/docs/api/management/v2/self-service-profiles/post-sso-ticket) endpoint in the Management API Explorer.                                                                                                                                                                                                                                                                      |
    | `domain_aliases_config`                              | **Optional**. Object. <br /><br />Contains `domain_verification` and `pending_domains` properties for configuring domain verification behavior.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
    | `domain_aliases_config.domain_verification`          | **Optional**. String.<br /><br />Determines whether domain verification is required, optional, or disabled.<br /><br />Options include:<ul><li>`none`: Disables domain verification. You can also disable domain verification by leaving the `domain_aliases_config` object out of your request.</li><li>`optional`: Allows customer admins to skip domain verification during setup.</li><li>`required`: Requires customer admins to verify their domain during setup.</li></ul>                                                                                                                                                                                                                                                                                                                                              |
    | `domain_aliases_config.pending_domains`              | **Optional**. String\[].<br /><br />Domains to be verified by the IT admin during setup. Unlike pre-verified domains, these domains are listed as pending on the organization and are not automatically associated with the connection — the IT admin must complete verification in the self-service assistant before they take effect.<br /><br />`domain_aliases_config.domain_verification` must be set to `optional` or `required` to use this parameter.<br /><br />Quotas apply:<br /><ul><li>If one organization is associated with the ticket, the combined total of existing and pending organization domains must not exceed 100.</li><li>If no organization or more than one organization is associated with the ticket, the combined total of existing and pending domain aliases must not exceed 1,000.</li></ul> |
    | `enabled_organizations`                              | **Optional**. Object\[].<br /><br />A list of organizations to associate with the new connection.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
    | `enabled_organizations[].organization_id`            | **Required** when using `enabled_organizations`.<br /><br />String.<br /><br />ID of a specific organization to associate with the new connection.<br /><br />You can retrieve IDs through the Organizations section of the [Auth0 Dashboard](https://manage.auth0.com/#/organizations), the [Get Organizations](https://auth0.com/docs/api/management/v2/organizations/get-organizations) endpoint, or the [Get Organization by Name](https://auth0.com/docs/api/management/v2/organizations/get-name-by-name) endpoint.                                                                                                                                                                                                                                                                                                      |
    | `enabled_organizations[].assign_membership_on_login` | **Optional**. Boolean.<br /><br />When `true`, users who log in with the new connection are automatically granted membership to the specified organization.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
    | `enabled_organizations[].show_as_button`             | **Optional**. Boolean.<br /><br />When `true`, the new connection displays as an authentication option on the Organization login screen for your application.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
    | `provisioning_config`                                | **Optional**. Object.<br /><br />Determines whether or not a customer admin is able to set up SCIM. If the connection is created without all user provisioning scopes (`get:users`, `post:users`, `put:users`, `patch:users`, `delete:users`), SCIM will not be enabled. Group scopes are optional. Use [`google_workspace`](https://auth0.com/docs/api/management/v2/self-service-profiles/post-sso-ticket) to configure [Google Workspace Directory Sync](/docs/authenticate/identity-providers/enterprise-identity-providers/google-directory-sync). |
    | `ttl_sec`                                            | **Optional**. Number.<br /><br />Number of seconds an access ticket URL remains active before a customer admin launches the self-service assistant. If unspecified or set to 0, the value defaults to `432000` (the maximum amount of 5 days).<br /><br />Note that this expiration period does not determine how long a customer admin has access to the self-service after it’s been launched. The expiration of the assistant itself is 5 hours and cannot be configured.                                                                                                                                                                                                                                                                                                                                                   |
    | `use_for_organization_discovery`                     | **Optional**. Boolean. <br /><br />Indicates whether a verified domain should be used for organization discovery during authentication.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |

    **Example request body**

    ```json lines expandable theme={null}
    {
       "connection_config":{
          "name":"string",
          "display_name":"string",
          "is_domain_connection":true,
          "show_as_button":true,
          "metadata":{
             "key1":"value1",
             "key2":"value2"
          },
          "options":{
             "icon_url":"string",
             "domain_aliases":[
                "acme.corp",
                "okta.com"
             ],
             "idpinitiated":{
                "enabled":true,
                "client_id":"string",
                "client_protocol":"string",
                "client_authorizequery":"string"
             }
          }
       },
       "enabled_organizations":[
          {
             "organization_id":"string",
             "assign_membership_on_login":true,
             "show_as_button":true
          }
       ],
       "ttl_sec":0,
       "domain_aliases_config":{
          "domain_verification":"string",
          "pending_domains":[
             "acme2.com"
          ]
       }
    }
    ```

    In response, you receive a URL to the self-service access ticket:

    ```json lines theme={null}
    {
      "ticket": "https://{domain}/self-service/connections-flow?ticket={id}"
    }
    ```

    After you receive the ticket URL, share the link with your customer admin to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review [Self-service assistant experience](/docs/authenticate/enterprise-connections/self-service-enterprise-configuration#self-service-assistant-experience).

    You can wrap access ticket generation in your own self-service portal or send ticket URLs directly to customer admins through email, chat, or other communication channels.
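The following is an added example of how a portal might wrap this endpoint; it is not Auth0 SDK code and is not taken from this page. It builds the request body for a new-connection ticket as described above, and also the `connection_id` / `enabled_features` body used for existing-connection tickets in the next section, checks it against the limits the parameter tables state (name length, metadata size, HTTPS icon, `ttl_sec` maximum, `pending_domains` prerequisites and quotas, the `enabled_features` rules), assembles the `POST` with the optional `auth0-custom-domain` header, and parses the `ticket` URL from the response. Tenant domain, Management API token, profile ID and organization ID are placeholders; the quota check counts only the pending domains in the request, since domains already on the organization are not known locally.

```python
"""Client-side helpers for the SSO Access Ticket endpoint (added example, not Auth0's SDK)."""
import json
import urllib.request

SSO_TICKET_PATH = "/api/v2/self-service-profiles/{id}/sso-ticket"
TTL_MAX_SEC = 432_000        # five days: the documented default and maximum
MAX_NAME_LEN = 128
MAX_METADATA_PAIRS = 10
MAX_METADATA_VALUE_LEN = 255
VERIFICATION_MODES = {"none", "optional", "required"}


def _common_checks(body: dict) -> list[str]:
    """Rules shared by new-connection and edit-connection tickets."""
    problems = []
    ttl = body.get("ttl_sec", 0)
    if not isinstance(ttl, (int, float)) or ttl < 0 or ttl > TTL_MAX_SEC:
        problems.append("ttl_sec must be 0 (use default) or between 1 and 432000")
    dac = body.get("domain_aliases_config")
    if dac is not None:
        mode = dac.get("domain_verification", "none")
        if mode not in VERIFICATION_MODES:
            problems.append("domain_aliases_config.domain_verification must be none, optional or required")
        pending = dac.get("pending_domains") or []
        if pending and mode not in ("optional", "required"):
            problems.append("pending_domains requires domain_verification=optional or required")
        # Quota: 100 when exactly one organization is attached, otherwise 1,000.
        # Existing domains also count toward the quota but are unknown here (assumption: pending only).
        quota = 100 if len(body.get("enabled_organizations") or []) == 1 else 1000
        if len(pending) > quota:
            problems.append(f"pending_domains exceeds the quota of {quota}")
    return problems


def validate_new_connection_body(body: dict) -> list[str]:
    """Return violations of the documented limits for a new-connection ticket ([] means valid)."""
    cfg = body.get("connection_config")
    if not isinstance(cfg, dict):
        return ["connection_config is required when creating a new connection"]
    problems = []
    name = cfg.get("name")
    if not isinstance(name, str) or not name:
        problems.append("connection_config.name is required")
    elif len(name) > MAX_NAME_LEN:
        problems.append("connection_config.name exceeds 128 characters")
    if len(cfg.get("display_name") or "") > MAX_NAME_LEN:
        problems.append("connection_config.display_name exceeds 128 characters")
    meta = cfg.get("metadata") or {}
    if len(meta) > MAX_METADATA_PAIRS:
        problems.append("connection_config.metadata has more than 10 key-value pairs")
    problems += [f"metadata value for {k!r} exceeds 255 characters"
                 for k, v in meta.items() if isinstance(v, str) and len(v) > MAX_METADATA_VALUE_LEN]
    icon = (cfg.get("options") or {}).get("icon_url")
    if icon is not None and not icon.startswith("https://"):
        problems.append("connection_config.options.icon_url must use HTTPS")
    return problems + _common_checks(body)


def validate_edit_connection_body(body: dict) -> list[str]:
    """Rules for a ticket that lets the customer admin modify an existing connection."""
    problems = []
    if not body.get("connection_id"):
        problems.append("connection_id is required for an edit-connection ticket")
    if "connection_config" in body:
        problems.append("connection_config cannot be updated through an edit ticket; use Update a Connection")
    feats = body.get("enabled_features")
    if feats is not None:
        # Must contain at least one feature that is not explicitly false; cannot be empty.
        if not feats or not any(v is not False for v in feats.values()):
            problems.append("enabled_features must contain at least one feature not set to false")
        if feats.get("provisioning") is True and "provisioning_config" not in body:
            problems.append("enabled_features.provisioning=true requires provisioning_config")
    return problems + _common_checks(body)


def build_request(tenant_domain: str, mgmt_token: str, profile_id: str, body: dict,
                  custom_domain: str = "") -> urllib.request.Request:
    """Assemble the POST without sending it, so the body can be validated or logged first."""
    url = "https://" + tenant_domain + SSO_TICKET_PATH.format(id=profile_id)
    headers = {"Authorization": "Bearer " + mgmt_token, "Content-Type": "application/json"}
    if custom_domain:   # only honoured when Multiple Custom Domains is enabled on the tenant
        headers["auth0-custom-domain"] = custom_domain
    return urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")


def parse_ticket_response(raw: bytes) -> str:
    """Extract the ticket URL; it grants access to the assistant, so store it as a secret."""
    ticket = json.loads(raw)["ticket"]
    if not ticket.startswith("https://") or "ticket=" not in ticket:
        raise ValueError("unexpected ticket URL shape: " + ticket)
    return ticket


# Constructed sample body with placeholder identifiers (not real values).
SAMPLE_NEW_BODY = {
    "connection_config": {
        "name": "acme-saml",
        "display_name": "Acme Corp",
        "show_as_button": True,
        "options": {"icon_url": "https://example.invalid/acme.png"},
    },
    "enabled_organizations": [{"organization_id": "org_PLACEHOLDER", "assign_membership_on_login": True}],
    "domain_aliases_config": {"domain_verification": "required", "pending_domains": ["acme.example"]},
    "ttl_sec": 86400,
}

if __name__ == "__main__":
    print(validate_new_connection_body(SAMPLE_NEW_BODY))   # [] when the body is valid
    req = build_request("TENANT.auth0.com", "MGMT_TOKEN_PLACEHOLDER", "ssp_PLACEHOLDER", SAMPLE_NEW_BODY)
    print(req.full_url)
    # with urllib.request.urlopen(req) as resp: print(parse_ticket_response(resp.read()))
```

Validating locally before calling the endpoint keeps malformed tickets from being issued, and keeping the assembled request separate from sending it lets you log the body (minus the bearer token) for audit. Treat the returned ticket URL like a credential: anyone holding it can launch the assistant until it expires or is revoked.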
  </Tab>
</Tabs>

### Generate access tickets for existing connections

You can generate access tickets for existing connections through either the Auth0 Dashboard or the Management API.

<Warning>
  By default, access ticket URLs remain valid for five days after generation. After accessing the ticket URL, the customer admin has five hours to complete their setup. An access ticket URL can be accessed a maximum of 10 times; once this limit is reached, a new access ticket must be requested.

  If needed, you can revoke an access ticket prior to its expiration to immediately cease access to the self-service assistant.
</Warning>

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  If a customer admin initiates **domain verification** through the self-service assistant, they may require an additional access ticket to complete the setup process.

  Domain verification occurs as the final step of the self-service assistant. At this point in the workflow, the connection has been created but not enabled. If domain verification is required, the customer admin cannot enable their connection until verification is complete.

  While verification typically occurs in a timely manner, it may take 24-48 hours in some cases. If this occurs, the customer admin will not be able to use their original access ticket to enable their connection, as tickets expire five hours after they are first accessed.

  To complete this process, you can generate an access ticket that allows the customer admin to modify the connection they configured with their initial ticket. When creating this ticket, ensure you specify the Connection ID of the connection they configured with their first access ticket.
</Callout>

<Tabs>
  <Tab title="Auth0 Dashboard">
    To generate an access ticket for an existing connection through the Auth0 Dashboard:

    1. Navigate to [Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise) and access the Self-Service Enterprise Configuration section. Then, select the self-service profile with which you want to create an access ticket.

    2. Select **Generate Ticket** to open the ticket form. Under **Select ticket type**, choose **Edit an existing connection**.

    3. Under **Ticket configuration**, provide the ID of the existing connection you want the customer admin to modify.

    4. Select **Next**.

    5. Under **Enabled features**, choose which flows the IT admin can access. All options are enabled by default.
       * **Edit SSO connection**: Allows the IT admin to modify the SSO connection. Disable this option to give the IT admin access only to provisioning or domain configuration, without the ability to edit the connection.
       * **Provisioning**: Allows the IT admin to configure provisioning.
       * **Domain configuration**: Allows the IT admin to verify or manage domains.

    6. Under **Domain Verification**, choose your desired level of verification:
       * **Off**: Customer admins are not prompted to verify their domain when setting up SSO. This option is selected by default for new access tickets.
       * **Optional**: Customer admins are prompted to verify their domain when setting up SSO. However, they can skip this step and enable their connection without completing verification.
       * **Required**: Customer admins must verify their domain when setting up SSO. They will not be able to enable their connection until verification is complete.

    7. Under **Provisioning**, optionally enable **Sync users and group profiles using provisioning**. When enabled, additional configuration is available:
       * **Bearer Token Expiration**: Define an expiration date for the SCIM bearer token. By default, bearer tokens do not expire.
       * **Bearer Token Permissions (Scopes)**: Choose which actions the token can perform. By default, all provisioning scopes are enabled:
         * `get:users`
         * `post:users`
         * `put:users`
         * `patch:users`
         * `delete:users`
         * `get:groups`
         * `post:groups`
         * `put:groups`
         * `patch:groups`
         * `delete:groups`

    8. Under **Time to Live**, set an expiration period for the access ticket in seconds. By default, time to live is set to 432000 seconds (which equals five days).

       * Time to Live determines how long an access ticket URL is active **before** a customer admin launches the self-service assistant. It does not determine how long the customer admin has access to the assistant after it’s been launched. The expiration of the self-service assistant itself is five hours and cannot be configured.

    9. Review your access ticket configuration for accuracy. Then, select **Create Ticket**.

    A Ticket Information popup containing the access ticket URL then displays. Copy and save this URL somewhere safe, as you cannot retrieve this URL again after closing the popup.

    You can share the access ticket URL with your customer admin through email, chat, or another communication channel to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review [Self-service assistant experience](/docs/authenticate/enterprise-connections/self-service-enterprise-configuration#self-service-assistant-experience).
  </Tab>

  <Tab title="Management API">
    To generate an access ticket through the Management API, follow the steps below.

    <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
      You cannot update `connection_config` details for an existing connection through the [SSO Access Ticket](https://auth0.com/docs/api/management/v2/self-service-profiles/post-sso-ticket) endpoint. If you need to modify this information for an existing connection, use the [Update a Connection](https://auth0.com/docs/api/management/v2/connections/patch-connections-by-id) endpoint instead.
    </Callout>

    1. Retrieve the ID of the self-service profile you want to associate with the access ticket through the [Retrieve Self-Service Profiles](https://auth0.com/docs/api/management/v2/self-service-profiles/get-self-service-profiles) endpoint.
    2. Call the [SSO Access Ticket](https://auth0.com/docs/api/management/v2/self-service-profiles/post-sso-ticket) endpoint using the ID of the appropriate self-service profile:

       `POST /api/v2/self-service-profiles/{id}/sso-ticket`

       In the request body, specify the following parameters:

    | Parameter                               | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
    | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    | `connection_id`                         | **Required**. String.<br /><br />ID of the connection a customer admin can update through the self-service assistant. Customer admins can modify key elements of the connection, such as the SAML certificate or OIDC ID and secret.<br /><br />Connection IDs can be retrieved through the Authentication section of the [Auth0 Dashboard](https://manage.auth0.com/#/connections/enterprise) or the [Get All Connections](https://auth0.com/docs/api/management/v2/connections/get-connections) endpoint. |
    | `domain_aliases_config.pending_domains` | **Optional**. String\[].<br /><br />Domains to be verified by the IT admin during setup. These domains are listed as pending on the organization and are not automatically associated with the connection — the IT admin must complete verification in the self-service assistant before they take effect.<br /><br />`domain_aliases_config.domain_verification` must be set to `optional` or `required` to use this parameter.<br /><br />Quotas apply:<br /><ul><li>If one organization is associated with the ticket, the combined total of existing and pending organization domains must not exceed 100.</li><li>If no organization or more than one organization is associated with the ticket, the combined total of existing and pending domain aliases must not exceed 1,000.</li></ul> |
    | `enabled_features`                      | **Optional**. Object.<br /><br />Controls which flows the IT admin can access. Only supported for edit-connection tickets.<br /><br />If omitted, active features are determined based on the presence of other configuration properties in the request (existing behavior is preserved). If included, the object must contain at least one property that is not explicitly set to `false`, and it cannot be null or empty.<br /><br />If `enabled_features.provisioning` is `true`, `provisioning_config` is required in the request body. |
    | `enabled_features.sso`                  | **Optional**. Boolean.<br /><br />When `true`, the IT admin can edit the SSO connection. Set to `false` to allow access only to provisioning or domain verification flows, without the ability to modify the connection.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
    | `enabled_features.provisioning`         | **Optional**. Boolean.<br /><br />When `true`, the IT admin can configure provisioning. Requires `provisioning_config` in the request body.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
    | `enabled_features.domain_verification`  | **Optional**. Boolean.<br /><br />When `true`, the IT admin can verify or manage domains.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
    | `provisioning_config`                   | **Optional**. Object.<br /><br />Determines whether the customer admin can set up SCIM. If the connection is created without all user provisioning scopes (`get:users`, `post:users`, `put:users`, `patch:users`, `delete:users`), SCIM will not be enabled. Group scopes are optional. Use [`google_workspace`](https://auth0.com/docs/api/management/v2/self-service-profiles/post-sso-ticket) to configure [Google Workspace Directory Sync](/docs/authenticate/identity-providers/enterprise-identity-providers/google-directory-sync).                                                                                                                                                                                                                                                     |
    | `ttl_sec`                               | **Optional**. Number.<br /><br />Number of seconds an access ticket URL remains active before a customer admin launches the self-service assistant. If unspecified or set to `0`, the value defaults to `432000` (which equals 5 days).<br /><br />Note that this expiration period does not determine how long a customer admin has access to the self-service assistant after it's been launched. The expiration of the assistant itself is five hours and cannot be configured.                                                                                                                                                                                                                                                                                                                |
    | `domain_aliases_config`                 | **Optional**. Object.<br /><br />Contains `domain_verification`, which determines whether domain verification is required, optional, or disabled.<br /><br />Options for `domain_verification`:<br /><br /><ul><li>`none`: Disables domain verification. You can also disable domain verification by leaving the `domain_aliases_config` object out of your request.</li><li>`optional`: Allows customer admins to skip domain verification during setup.</li><li>`required`: Requires customer admins to verify their domain during setup.</li></ul>                                                                                                                                                                                                                                             |
    | `use_for_organization_discovery`        | **Optional**. Boolean. <br /><br />Indicates whether a verified domain should be used for organization discovery during authentication.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |

    **Example request body**

    ```json lines theme={null}
    {
      "connection_id": "string",
      "ttl_sec": 0,
      "domain_aliases_config": {
        "domain_verification": "required",
        "pending_domains": [
          "acme.com"
        ]
      }
    }
    ```

    In response, you receive a URL to the self-service access ticket:

    ```json lines theme={null}
    {
      "ticket": "https://{domain}/self-service/connections-flow?ticket={id}"
    }
    ```

    After you receive the ticket URL, share the link with your customer admin to grant them access to the self-service assistant. The assistant will then guide them through configuring the SSO connection. To learn more about that experience, review [Self-service assistant experience](/docs/authenticate/enterprise-connections/self-service-enterprise-configuration#self-service-assistant-experience).

    You can wrap access ticket generation in your own self-service portal or send ticket URLs directly to customer admins through email, chat, or other communication channels.
  </Tab>
</Tabs>
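The constraints in the parameter table above are easy to get wrong when the ticket request is assembled programmatically (for example, inside a customer-facing portal). The following Python is an added example, not Auth0 code: it normalizes a request body for the Create SSO Access Ticket endpoint and rejects the combinations the table rules out before anything is sent. The function names are my own, the `connection_scopes` input to `scim_will_be_enabled()` is a constructed list rather than part of the request schema, and the 100 / 1,000 domain quotas are only partially checkable client-side because they also count domains already on the organization or connection.

```python
"""Compose and sanity-check a Create SSO Access Ticket request body.

Added example (not Auth0 code). Field names follow the parameter table;
helper names and the sample inputs in __main__ are assumptions.
"""
import copy
import json

DEFAULT_TTL_SEC = 432_000  # 0 or omitted -> server default of 5 days
VERIFICATION_MODES = {"none", "optional", "required"}
FEATURE_FLAGS = {"sso", "provisioning", "domain_verification"}
USER_PROVISIONING_SCOPES = {
    "get:users", "post:users", "put:users", "patch:users", "delete:users",
}


def scim_will_be_enabled(connection_scopes):
    """SCIM is enabled only if every user scope is granted; group scopes are optional."""
    return USER_PROVISIONING_SCOPES <= set(connection_scopes)


def validate_ticket_body(body):
    """Return a normalized copy of `body`, or raise ValueError on a documented violation."""
    out = copy.deepcopy(body)  # never mutate the caller's dict

    ttl = out.get("ttl_sec", 0)
    if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl < 0:
        raise ValueError("ttl_sec must be a non-negative integer")
    out["ttl_sec"] = ttl or DEFAULT_TTL_SEC  # make the server default explicit

    verification = "none"
    dac = out.get("domain_aliases_config")
    if dac is not None:
        verification = dac.get("domain_verification", "none")
        if verification not in VERIFICATION_MODES:
            raise ValueError(f"domain_verification must be one of {sorted(VERIFICATION_MODES)}")
        pending = dac.get("pending_domains")
        if pending is not None:
            if verification == "none":
                raise ValueError("pending_domains requires domain_verification optional or required")
            if not pending or not all(isinstance(d, str) and d for d in pending):
                raise ValueError("pending_domains must be a non-empty list of domain names")
            # The quotas also count existing domains, so only the hard ceiling is checkable here.
            if len(pending) > 1000:
                raise ValueError("pending_domains exceeds the 1,000 domain alias quota")

    features = out.get("enabled_features")
    if features is not None:
        if not isinstance(features, dict) or not features:
            raise ValueError("enabled_features cannot be null or empty")
        if not any(features.get(flag) is True for flag in FEATURE_FLAGS):
            raise ValueError("enabled_features must enable at least one feature")
        if features.get("provisioning") is True and "provisioning_config" not in out:
            raise ValueError("enabled_features.provisioning requires provisioning_config")

    return out


if __name__ == "__main__":
    # Constructed sample body; connection_id is a placeholder.
    sample = {
        "connection_id": "con_example",
        "ttl_sec": 0,
        "domain_aliases_config": {
            "domain_verification": "required",
            "pending_domains": ["acme.com"],
        },
    }
    print(json.dumps(validate_ticket_body(sample), indent=2))
    print("SCIM possible:", scim_will_be_enabled(["get:users", "post:users"]))
```

Run the validator on every body before calling the endpoint; a rejected body is a logic error in your portal, whereas a server-side 4xx only tells you something was wrong after the Management API rate limit has already been consumed.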

### Revoke an access ticket

By default, an access ticket URL remains valid for five days. Upon accessing the URL, a customer admin has five hours to complete their setup.

If needed, you can revoke an access ticket prior to its expiration. For example, if an access ticket is shared with the wrong recipient, you can revoke the ticket to prevent unauthorized access to the self-service assistant.

When you revoke an access ticket, its URL immediately becomes invalid, and any associated sessions are terminated. Customer admins with the URL will no longer be able to access the self-service assistant. You can then generate and share new access tickets as needed.

To revoke an access ticket:

1. Retrieve the ID of the self-service profile associated with the access ticket using the [Retrieve Self-Service Profiles](https://auth0.com/docs/api/management/v2/self-service-profiles/get-self-service-profiles) endpoint.
2. Locate the ID of the access ticket you wish to revoke. The ticket ID is the value of the `ticket` query parameter at the end of the access ticket URL.
3. Call the [Revoke SSO Access Ticket](https://auth0.com/docs/api/management/v2/self-service-profiles/post-revoke) endpoint with the profile ID and the ticket ID:

`POST /api/v2/self-service-profiles/{profileId}/sso-ticket/{ticketId}/revoke`

In response, a `202 Accepted` is returned.
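The revocation steps above, as an added Python example that is not Auth0 code. It pulls the ticket ID out of a ticket URL, refuses URLs that do not belong to the expected tenant (so a link pasted from the wrong tenant cannot produce a revoke call against the wrong profile), and builds the `POST` to the Revoke SSO Access Ticket endpoint. The tenant domain, profile ID, ticket URL and Management API token in the usage are constructed placeholders; the token must carry whatever scope the endpoint requires, which this example does not check.

```python
"""Revoke a self-service access ticket from its URL.

Added example (not Auth0 code). Helper names and the sample values in
__main__ are assumptions; the endpoint path is the one documented above.
"""
import urllib.request
from urllib.parse import parse_qs, urlparse

TICKET_PATH_PREFIX = "/self-service/"


def ticket_id_from_url(ticket_url, tenant_domain):
    """Extract the `ticket` query parameter, refusing URLs that are not this tenant's."""
    parsed = urlparse(ticket_url)
    if parsed.scheme != "https" or parsed.netloc.lower() != tenant_domain.lower():
        raise ValueError("ticket URL is not an https URL on the expected tenant domain")
    if not parsed.path.startswith(TICKET_PATH_PREFIX):
        raise ValueError("ticket URL is not a self-service assistant URL")
    values = parse_qs(parsed.query).get("ticket", [])
    if len(values) != 1 or not values[0]:
        raise ValueError("ticket URL must carry exactly one non-empty ticket parameter")
    return values[0]


def revoke_endpoint(tenant_domain, profile_id, ticket_id):
    """Path from the 'Revoke an access ticket' section."""
    return (f"https://{tenant_domain}/api/v2/self-service-profiles/"
            f"{profile_id}/sso-ticket/{ticket_id}/revoke")


def build_revoke_request(tenant_domain, profile_id, ticket_url, mgmt_token):
    """Return the prepared POST without sending it, so it can be inspected or logged."""
    ticket_id = ticket_id_from_url(ticket_url, tenant_domain)
    return urllib.request.Request(
        revoke_endpoint(tenant_domain, profile_id, ticket_id),
        method="POST",
        headers={"Authorization": f"Bearer {mgmt_token}"},
    )


def revoke_ticket(tenant_domain, profile_id, ticket_url, mgmt_token):
    """Send the revocation; the endpoint answers 202 Accepted on success."""
    req = build_revoke_request(tenant_domain, profile_id, ticket_url, mgmt_token)
    with urllib.request.urlopen(req, timeout=10) as resp:  # network call
        if resp.status != 202:
            raise RuntimeError(f"unexpected status {resp.status}")
        return resp.status


if __name__ == "__main__":
    # Constructed placeholders; replace with your tenant's values before calling revoke_ticket().
    url = "https://example.auth0.com/self-service/connections-flow?ticket=abc123"
    req = build_revoke_request("example.auth0.com", "ssp_example", url, "MGMT_API_TOKEN")
    print(req.get_method(), req.full_url)
```

Keep the profile ID and the ticket ID together when you log the revocation: the ticket URL alone does not identify the profile, and the endpoint needs both.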

## References

### APIs

To manage Self-Service Enterprise Configuration, the following [Management API](https://auth0.com/docs/api/management/v2) endpoints are available:

* [Get self-service profiles](https://auth0.com/docs/api/management/v2/self-service-profiles/get-self-service-profiles)
* [Create a self-service profile](https://auth0.com/docs/api/management/v2/self-service-profiles/post-self-service-profiles)
* [Get a self-service profile by ID](https://auth0.com/docs/api/management/v2/self-service-profiles/get-self-service-profiles-by-id)
* [Delete a self-service profile by ID](https://auth0.com/docs/api/management/v2/self-service-profiles/delete-self-service-profiles-by-id)
* [Update a self-service profile](https://auth0.com/docs/api/management/v2/self-service-profiles/patch-self-service-profiles-by-id)
* [Get custom text for a self-service profile](https://auth0.com/docs/api/management/v2/self-service-profiles/get-self-service-profile-custom-text)
* [Set custom text for a self-service profile](https://auth0.com/docs/api/management/v2/self-service-profiles/put-self-service-profile-custom-text)
* [Create an access ticket to initiate the self-service enterprise configuration flow](https://auth0.com/docs/api/management/v2/self-service-profiles/post-sso-ticket)
* [Revoke a self-service access ticket](https://auth0.com/docs/api/management/v2/self-service-profiles/post-revoke)

### Rate limits

When using Self-Service Enterprise Configuration, the following rate limits apply:

| Description                                                      | Endpoint                                        | Limits                                                                                                                                                                    |
| ---------------------------------------------------------------- | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Manage SSO profiles                                              | `/api/v2/self-service-profiles`                 | Review the [Management API rate limits](/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy/rate-limit-configurations) for your subscription type. |
| Create an access ticket                                          | `/api/v2/self-service-profiles/{id}/sso-ticket` | Review the [Management API rate limits](/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy/rate-limit-configurations) for your subscription type. |
| Consume an access ticket                                         | `/self-service/connection-flows?ticket={id}`    | 6 / min / IP                                                                                                                                                              |
| Load the webapp (including setup assistant) and webapp endpoints | `/self-service/*`                               | 50 / min / IP<br />90 / min / tenant                                                                                                                                      |
