Table of Contents 

What is the Beamery Auth0 user login migration?
How will Beamery change for my users after migrating?
Why are we making this change?
When do I need to migrate to Auth0?
How do I migrate to Auth0 with Azure / Entra ID?
How do I migrate to Auth0 with Okta?
How do I migrate to Auth0 with JumpCloud?
Does this technical change require contractual changes?
What information will Auth0 have access to?
Can I elect to remain on the existing login solution?
How does SSO work with Beamery and Auth0
Does this change impact our Beamery API integrations? 
Does this migration involve changing our SSO connection to OAuth instead of SAML
 

What is the Beamery Auth0 user login migration?

Beamery is migrating from our current proprietary user authentication solution to a new-and-improved solution powered by Auth0.

How will Beamery change for my users after migrating?

• For users who are already in the habit of logging into Beamery from the Beamery login page (e.g. for US customers, https://login.beamery.com/sso), there will be no significant change to the login flow.
• If your users currently log in with IdP-initiated login, e.g. via the Okta dashboard or Entra ID My Apps portal, there will now be an additional login step.
  • Our new auth provider disables IdP-initiated login by default as it carries a security risk. Please see the Auth0 documentation for more info. For instructions on how to simulate an IdP initiated login, please refer to Azure Setup and Okta Setup for step-by-step directions. 
• If your users log in via a bookmarked customer-specific SSO URL, e.g. https://api.beamery.com/sso/v1/assert/customer-name, there will now be an additional login step.
  • When the migration is complete, these links will be updated to route through the new authentication provider, however after migration, these links will no longer redirect directly to your Identity Provider. Instead users will be presented with the Beamery login page first, and will be routed to your Identity Provider after submitting their email address.
  • For a smoother login experience, please direct your users to manually create bookmarks to your custom login SP-initiated login URLs, that should have been provided to you (please reach out to support@beamery.com  if you believe you don’t have these), e.g. https://auth.beamery.com/auth/login?orgId=customer-name  
  • These link to a login page that provides a ‘Continue with SSO’ button, that links directly to your IdP for login.

Why are we making this change?

Auth0 is a leading identity platform that’s maintained by dedicated security experts. This allows us to offer even stronger, standards-based authentication that evolves in step with the latest security protocols and best practices.

This change is also a step towards us offering more features to enhance the security and ease-of-use for the product, e.g. multi-factor authentication, simplified user provisioning, and idle session timeout.

When do I need to migrate to Auth0?

Our previous SSO solution is officially deprecated as of 19th December. From this point on will no longer be providing customer support for these SSO connections, including rotation of SSO certificates. The connections will remain active, however, and there will be no disruption to user logins at this time.

We plan to disable our legacy SSO solution on the February 27th, 2026. We require all customers to have completed the migration to Auth0 before this time.

How do I migrate to Auth0 with Azure / Entra ID?

These steps can be followed by a member of your IT team.

1. Create new SSO connections
   • Your IT team will need to create a new SSO connection for each environment (sandbox and production), configured with our new service provider metadata, would you should have been provided (please reach out to support@beamery.com if you believe you don’t have this)
   • The new connections should be added alongside your existing ones to allow both authentication methods to run in parallel while testing. Once the migration is complete, the old connections can be deleted.
   • Please ensure that the new connection sets the NameIDFormat to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. If your previous connection was configured to send a custom SSO user identifier, set the NameIDFormat to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified instead (see What configuration is required if my Auth0 sends a custom SSO user identifier?). Contact support@beamery.com if you’re unsure which applies.

   • Please note that our new auth provider disables IdP-initiated login by default as it carries a security risk. Please see the Auth0 documentation for more info. To simulate an IdP-initiated login, ensure that the ‘Sign on URL’ is set to your custom login SP-initiated login URLs, that should have been provided to you (please reach out to support@beamery.com if you believe you don’t have these)
      

     Your connection config should look something like this:

     
     And your nameidentifier config claim should look something like this:

     

2. Provide us with IdP SSO certificates for the new connections

   Please send us the certificates for the new connections. We will configure these on our side and confirm when these are ready to test.

3. Test the new connections
   Once we have confirmed that the connections are ready to test, please ask somebody with an existing Beamery account to test a login using the new item in the My Apps portal
   Selecting the app should navigate the user to a Beamery login page with a ‘Continue with SSO’ button that links through to your IdP to complete the login.
   
4. Migrate users to the new connections via IdP config
   When you’re ready, replace all of your users’ access to the previous connections, with access to the new connections
5. Confirm migration complete
   Once you have performed this final step and all your users are using the new connections, please let us know.
   We will make an update on our side that will update all the previous login URLs to route through the new connection
6. Clean up the old connections
   When you’re confident that all users are logging in successfully with the new connections, please feel free to delete the old ones.

How do I migrate to Auth0 with Okta?

These steps can be followed by a member of your IT team.

1. Create new SSO connections

   • Your IT team will need to create a new SSO connection for each environment (sandbox and production), configured with our new service provider metadata, would you should have been provided (please reach out to support@beamery.com if you believe you don’t have this)
   • The new connections should be added alongside your existing ones to allow both authentication methods to run in parallel while testing. Once the migration is complete, the old connections can be deleted.
   • Please ensure that the new connection sets the NameIDFormat to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. If your previous connection was configured to send a custom SSO user identifier, set the NameIDFormat to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified instead (see What configuration is required if my Auth0 sends a custom SSO user identifier?). Contact support@beamery.com if you’re unsure which applies.
     
     Your connection config should look something like this:

    

2. Provide us with metadata for the new connections
   • Please send us the metadata link for the new connection. We will configure these on our side and confirm when these are ready to test.
3. Test the new connections
   • Once we have confirmed that the connections are ready to test, please ask somebody with an existing Beamery account to test a login using your custom login SP-initiated login URLs, that should have been provided to you (please reach out to support@beamery.com if you believe you don’t have these)
   • These links open a Beamery login page with a ‘Continue with SSO’ button that links through to your IdP to complete the login.
     
4. Create bookmark apps to these links
   • Our new auth provider disables IdP-initiated login by default as it carries a security risk. Please see the Auth0 documentation for more info.
   • To maintain your users’ existing workflow of logging in via your Identity Provider without enabling IdP-initiated SAML, we recommend that you create ‘bookmark’ apps that open our SP-initiated login URLs. For additional guidance on how to follow this pattern, please see Okta’s documentation: https://help.okta.com/en-us/content/topics/apps/apps_bookmark_app.htm
5. Migrate users to the new connections with Okta
   • When you’re ready, replace your users’ access to the previous connections, with access to these new bookmarks.
6. Confirm migration complete
   • Once you have performed this final step and all your users are using the new connections, please let us know.
   • We will make an update on our side that will update all the previous login URLs to route through the new connection.
7. Clean up the old connections
   • When you’re confident that all users are logging in successfully with the new connections, please feel free to delete the old ones.

How do I migrate to Auth0 with JumpCloud?

Please refer to How do I migrate to Auth0 with Okta for configuring JumpCloud, as this follows a similar pattern.

What configuration is required if my IdP sends a custom SSO user identifier?

• If your IdP sends a custom, non-email user identifier as the SAML NameID, you must set NameIDFormat to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
• You must also include the user’s email address as a separate SAML attribute (for example, email).

Does this technical change require contractual changes?

Auth0 is already included on Beamery's Subprocessor List from 2024 therefore rolling out this new authentication solution will not involve any contractual changes or additional data privacy notifications.

What information will Auth0 have access to?

For customers using Single Sign-On (SSO), your organization remains the source of truth for user login details — we never see your password. For customers who log in directly using email and password, we use Auth0 to securely manage login credentials, with passwords encrypted and stored following industry best practices.

In both cases, Auth0 stores basic user profile information such as email address, login history, and each user’s Beamery role (e.g. Marking Admin, Sourcing Standard). This information is only ever used to support secure authentication and authorization within our platform.

Can I elect to remain on the existing login solution?

We’re moving all customers to our new login system powered by Auth0 to ensure consistent security standards and simplify ongoing support. Our plan is to fully retire the existing solution, so continuing with this won’t be possible. This change enables us to offer a more secure and reliable authentication experience across the board.

How does SSO work with Beamery and Auth0

Beamery will continue to support both service-provider and identity-provider initiated SAML login. For the sake of demonstration, the following sequence diagram demonstrates the process for a service-provider initiated login with Beamery’s new Auth0-powered authentication solution:

Does this migration involve changing our SSO connection to OAuth instead of SAML?

Auth0 is a third-party SaaS provider that Beamery now uses to manage authentication. It’s not the same as OAuth, which is an authentication standard. While Auth0 supports configuring SSO connections using OAuth, Beamery will continue using SAML for user SSO authentication for the time being. We do now support OAuth 2.0 for authenticating with our API, but this is specifically for API integrations. User SSO authentication will continue to use SAML.

Does this change impact our Beamery API integrations?

This migration only affects user logins, and integrations authenticating with basic auth will not be disrupted.

While we do now offer OAuth 2.0 authentication for our API, we don’t currently have plans to deprecate basic auth.

Please see our documentation on this if you’re interested in moving to OAuth for integration anyway to benefit from the security benefits that this brings: https://frontier.beamery.com/swagger-ui/#how-to-authenticate.