# Auth0 (/docs/configuration/authentication/SAML/auth0)

## Step 1: Create a SAML Application in Auth0

1. Log in to your Auth0 Dashboard.
2. Navigate to `Applications > Applications`.
3. Click `Create Application`.
4. Enter an Application Name (e.g., `LibreChat`) and select `Regular Web Application`.
5. Click `Create`.

![auth0-1](/images/docs/configuration/authentication/SAML/auth0/1.png)


## Step 2: Configure the SAML Add-On

1. Open the newly created application in Auth0.
2. Go to the `Addons` tab.
3. Click the slider to enable the `SAML2 Web App`.
4. Click `SAML2 Web App` panel.
5. Configure the following settings:
   - **Application Callback URL**: Set this to your LibreChat SAML callback URL:
   `https://YOUR_DOMAIN/oauth/saml/callback`
   - **Settings (JSON Format)**: Use the following configuration:
        ```json
        {
            "mappings": {
                "email": "email",
                "name": "username"
            }
        }
        ```
        <Callout type="note" title="note">
        If your application requires additional attributes such as `given_name`,
        `family_name`, `username` or `picture`, ensure these mappings are properly
        configured in the Auth0 SAML settings.
        </Callout>
6. Click `Save`.


![auth0-2](/images/docs/configuration/authentication/SAML/auth0/2.png)
![auth0-3](/images/docs/configuration/authentication/SAML/auth0/3.png)

## Step 3: Obtain the Auth0 SAML Metadata

1. Once SAML is enabled, go back to the `SAML2 Web App` settings.
2. Go to the `Usage` tab.
3. Click on `Identity Provider Certificate: Download Atuh0 certificate`.
4. Use the `Issuer` to `SAML_ISSUER`
5. Use the `Identity Provider Login URL` to `SAML_ENTRY_POINT`.
6. Copy the donwloaded cert file to your project folder

![auth0-4](/images/docs/configuration/authentication/SAML/auth0/4a.png)

## Step 4: Configure LibreChat with SAML

Open the `.env` file in your project folder and add the following variables:

  ```bash filename=".env"
  SAML_ENTRY_POINT=https://dev-xxxxx.us.auth0.com/samlp/aaaaaa
  SAML_ISSUER=urn:dev-xxxxx.us.auth0.com
  SAML_CERT=dev-xxxxx.pem
  SAML_CALLBACK_URL=/oauth/saml/callback
  SAML_SESSION_SECRET=[JustGenerateARandomSessionSecret]

  # Attribute mappings (optional)
  SAML_EMAIL_CLAIM=
  SAML_USERNAME_CLAIM=
  SAML_GIVEN_NAME_CLAIM=
  SAML_FAMILY_NAME_CLAIM=
  SAML_PICTURE_CLAIM=
  SAML_NAME_CLAIM=

  # Logint buttion settings (optional)
  SAML_BUTTON_LABEL=
  SAML_IMAGE_URL=

  # Whether the SAML Response should be signed.
  # - If "true", the entire `SAML Response` will be signed.
  # - If "false" or unset, only the `SAML Assertion` will be signed (default behavior).
  # SAML_USE_AUTHN_RESPONSE_SIGNED=
  ```