LibreChat
ConfigurationAuthenticationSAML

Auth0

Learn how to configure LibreChat to use Auth0 for user authentication.

Step 1: Create a SAML Application in Auth0

  1. Log in to your Auth0 Dashboard.
  2. Navigate to Applications > Applications.
  3. Click Create Application.
  4. Enter an Application Name (e.g., LibreChat) and select Regular Web Application.
  5. Click Create.

auth0-1

Step 2: Configure the SAML Add-On

  1. Open the newly created application in Auth0.
  2. Go to the Addons tab.
  3. Click the slider to enable the SAML2 Web App.
  4. Click SAML2 Web App panel.
  5. Configure the following settings:
    • Application Callback URL: Set this to your LibreChat SAML callback URL: https://YOUR_DOMAIN/oauth/saml/callback
    • Settings (JSON Format): Use the following configuration: 
      {
    "mappings": {
        "email": "email",
        "name": "username"
    }
}

      note

      If your application requires additional attributes such as given_name, family_name, username or picture, ensure these mappings are properly configured in the Auth0 SAML settings.

  6. Click Save.

auth0-2 auth0-3

Step 3: Obtain the Auth0 SAML Metadata

  1. Once SAML is enabled, go back to the SAML2 Web App settings.
  2. Go to the Usage tab.
  3. Click on Identity Provider Certificate: Download Atuh0 certificate.
  4. Use the Issuer to SAML_ISSUER
  5. Use the Identity Provider Login URL to SAML_ENTRY_POINT.
  6. Copy the donwloaded cert file to your project folder

auth0-4

Step 4: Configure LibreChat with SAML

Open the .env file in your project folder and add the following variables:

SAML_ENTRY_POINT=https://dev-xxxxx.us.auth0.com/samlp/aaaaaa
SAML_ISSUER=urn:dev-xxxxx.us.auth0.com
SAML_CERT=dev-xxxxx.pem
SAML_CALLBACK_URL=/oauth/saml/callback
SAML_SESSION_SECRET=[JustGenerateARandomSessionSecret]
 
# Attribute mappings (optional)
SAML_EMAIL_CLAIM=
SAML_USERNAME_CLAIM=
SAML_GIVEN_NAME_CLAIM=
SAML_FAMILY_NAME_CLAIM=
SAML_PICTURE_CLAIM=
SAML_NAME_CLAIM=
 
# Logint buttion settings (optional)
SAML_BUTTON_LABEL=
SAML_IMAGE_URL=
 
# Whether the SAML Response should be signed.
# - If "true", the entire `SAML Response` will be signed.
# - If "false" or unset, only the `SAML Assertion` will be signed (default behavior).
# SAML_USE_AUTHN_RESPONSE_SIGNED=

How is this guide?

Edit on GitHub

Previous

Overview

Next

AI Setup

On this page