Auth0 User Login Migration FAQ


Table of Contents 

What is the Beamery Auth0 user login migration?
How will Beamery change for my users after migrating?
Should we update our login bookmarks?
Why are we making this change?
When do I need to migrate to Auth0?
How do I migrate to Auth0 with Azure / Entra ID?
How do I migrate to Auth0 with Okta?
How do I migrate to Auth0 with JumpCloud?
What configuration is required if my IdP sends a custom SSO user identifier?
Does this technical change require contractual changes?
What information will Auth0 have access to?
Can I elect to remain on the existing login solution?
How does SSO work with Beamery and Auth0?
Does this change impact our Beamery API integrations?
Does this migration involve changing our SSO connection to OAuth instead of SAML?
 

What is the Beamery Auth0 user login migration?

Beamery is migrating from our current proprietary user authentication solution to a new-and-improved solution powered by Auth0.

How will Beamery change for my users after migrating?

Users can log into Beamery through one of a few journeys, and depending on which journey your users habitually log in with, they may experience changes to the login experience.

  • Your users may be logging in via the Beamery login page (e.g. for US customers, https://login.beamery.com/sso)

    • There will be no significant change to this login flow.

  • Your users may be logging in via a legacy customer-specific SSO URL, e.g. https://api.beamery.com/sso/v1/assert/customer-name

  • Your users might be performing an ‘IdP-initiated login’, e.g. by clicking a tile in the Okta dashboard or Entra ID My Apps portal

    • In order to preserve this login journey, some configuration steps may be required.

    • Please refer to Azure Setup and Okta Setup for step-by-step directions. 

For the smoothest login experience, please distribute your new login URL. This will be provided to you. This URL will redirect seamlessly to your own SSO login page.

Should we update our login bookmarks?

Yes, we recommend that you update login bookmarks and distribute the new URL to your users.

Existing login URLs will continue to work post-migration by routing traffic through our new connection. This includes legacy customer-specific URLs, e.g. https://api.beamery.com/sso/v1/assert/customer-name. While these links remain active, users using this flow will now have to enter their email address before being redirected to your SSO login page.

For the smoothest login experience, it is recommended to distribute your new login URL, which will be provided to you. This URL will redirect seamlessly to your own SSO login page.

Why are we making this change?

Auth0 is a leading identity platform that’s maintained by dedicated security experts. This allows us to offer even stronger, standards-based authentication that evolves in step with the latest security protocols and best practices.

This change is also a step towards us offering more features to enhance the security and ease-of-use for the product, e.g. multi-factor authentication, simplified user provisioning, and idle session timeout.

How do I migrate to Auth0 with Azure / Entra ID?

These steps can be followed by a member of your IT team.

  1. Create new SSO connections
    • Your IT team will need to create a new SSO connection for each environment (sandbox and production), configured with our new service provider metadata, which you should have been provided (please reach out to support@beamery.com if you believe you don’t have this).
    • The new connections should be added alongside your existing ones to allow both authentication methods to run in parallel while testing. Once the migration is complete, the old connections can be deleted.
    • For most customers, the SAML NameID value should be the user’s email address. If your IdP uses a custom SSO user identifier (i.e. the NameID is not the user’s email address), the user’s email must be provided as a separate SAML attribute named ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress’.
    • Please note that our new auth provider disables IdP-initiated login by default as it carries a security risk. Please see the Auth0 documentation for more info. To simulate an IdP-initiated login, ensure that the ‘Sign on URL’ is set to your custom SP-initiated login URLs, which should have been provided to you (please reach out to support@beamery.com if you believe you don’t have these).
       

      Your connection config should look something like this:

      [Screenshot: AzureADSetupSAML.png]
      And your nameidentifier config claim should look something like this:

  2. Provide us with IdP SSO certificates for the new connections

    Please send us the certificates for the new connections. We will configure these on our side and confirm when these are ready to test.

  3. Test the new connections
    Once we have confirmed that the connections are ready to test, please ask somebody with an existing Beamery account to test a login using the new item in the My Apps portal.
  4. Migrate users to the new connections via IdP config
    When you’re ready, replace all of your users’ access to the previous connections with access to the new connections.
  5. Confirm migration complete
    Once you have performed this final step and all your users are using the new connections, please let us know.
    We will make an update on our side that will update all the previous login URLs to route through the new connection.
  6. Clean up the old connections
    When you’re confident that all users are logging in successfully with the new connections, please feel free to delete the old ones.

How do I migrate to Auth0 with Okta?

These steps can be followed by a member of your IT team.

  1. Create new SSO connections

    • Your IT team will need to create a new SSO connection for each environment (sandbox and production), configured with our new service provider metadata, which you should have been provided (please reach out to support@beamery.com if you believe you don’t have this).
    • The new connections should be added alongside your existing ones to allow both authentication methods to run in parallel while testing. Once the migration is complete, the old connections can be deleted.
    • For most customers, the SAML NameID value should be the user’s email address. If your IdP uses a custom SSO user identifier (i.e. the NameID is not the user’s email address), the user’s email must be provided as a separate SAML attribute named ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress’.


      Your connection config should look something like this:

     

  2. Provide us with metadata for the new connections
    • Please send us the metadata link for the new connection. We will configure these on our side and confirm when these are ready to test.
  3. Test the new connections
    • Once we have confirmed that the connections are ready to test, please ask somebody with an existing Beamery account to test a login using your custom SP-initiated login URLs, which should have been provided to you (please reach out to support@beamery.com if you believe you don’t have these).
  4. Create bookmark apps to these links
    • Our new auth provider disables IdP-initiated login by default as it carries a security risk. Please see the Auth0 documentation for more info.
    • To maintain your users’ existing workflow of logging in via your Identity Provider without enabling IdP-initiated SAML, we recommend that you create ‘bookmark’ apps that open our SP-initiated login URLs. For additional guidance on how to follow this pattern, please see Okta’s documentation: https://help.okta.com/en-us/content/topics/apps/apps_bookmark_app.htm
  5. Migrate users to the new connections with Okta
    • When you’re ready, replace your users’ access to the previous connections with access to these new bookmarks.
  6. Confirm migration complete
    • Once you have performed this final step and all your users are using the new connections, please let us know.
    • We will make an update on our side that will update all the previous login URLs to route through the new connection.
  7. Clean up the old connections
    • When you’re confident that all users are logging in successfully with the new connections, please feel free to delete the old ones.

How do I migrate to Auth0 with JumpCloud?

Please refer to How do I migrate to Auth0 with Okta for configuring JumpCloud, as this follows a similar pattern.

What configuration is required if my IdP sends a custom SSO user identifier?

  • If your IdP uses a custom SSO user identifier (i.e. the NameID is not the user’s email address), the user’s email must be provided as a separate SAML attribute named ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress’.
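A pre-flight check for the rule above, as an added example that is not Beamery's or Auth0's code: it inspects a decoded SAML assertion captured from your own test login and reports whether the user's email arrives in the NameID or in the required attribute. The function name, return labels and sample assertions are constructed for illustration, and the check does not validate signatures.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute name the FAQ requires when NameID is not the user's email.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def email_source(assertion_xml):
    """Return ('nameid' | 'attribute' | 'missing', email or None).

    Intended for assertions from your own IdP test login only; this is a
    configuration check, not a replacement for signature validation.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text and EMAIL_RE.match(name_id.text.strip()):
        return "nameid", name_id.text.strip()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != EMAIL_CLAIM:  # exact, case-sensitive name match
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and EMAIL_RE.match(value.text.strip()):
                return "attribute", value.text.strip()
    return "missing", None


def _sample(name_id, attrs):
    # Constructed, unsigned assertion fragment for demonstration only.
    rows = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            f'<saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{rows}</saml:AttributeStatement></saml:Assertion>')


SAMPLES = {
    "email_nameid": _sample("jane@example.com", {}),
    "custom_id_with_claim": _sample("E12345", {EMAIL_CLAIM: "jane@example.com"}),
    # Common misconfiguration: email sent under a short attribute name.
    "custom_id_wrong_name": _sample("E12345", {"email": "jane@example.com"}),
}

if __name__ == "__main__":
    for label, xml in SAMPLES.items():
        print(label, email_source(xml))
```

A result of `missing` on a test assertion means the IdP claim mapping needs correcting before users are moved to the new connection.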

Does this technical change require contractual changes?

Auth0 is already included on Beamery's Subprocessor List from 2024, so rolling out this new authentication solution will not involve any contractual changes or additional data privacy notifications.

What information will Auth0 have access to?

For customers using Single Sign-On (SSO), your organization remains the source of truth for user login details — we never see your password. For customers who log in directly using email and password, we use Auth0 to securely manage login credentials, with passwords encrypted and stored following industry best practices.

In both cases, Auth0 stores basic user profile information such as email address, login history, and each user’s Beamery role (e.g. Marketing Admin, Sourcing Standard). This information is only ever used to support secure authentication and authorization within our platform.

Can I elect to remain on the existing login solution?

We’re moving all customers to our new login system powered by Auth0 to ensure consistent security standards and simplify ongoing support. Our plan is to fully retire the existing solution, so continuing with this won’t be possible. This change enables us to offer a more secure and reliable authentication experience across the board.

How does SSO work with Beamery and Auth0?

Beamery will continue to support both service-provider and identity-provider initiated SAML login. The following sequence diagram illustrates the process for a service-provider initiated login with Beamery’s new Auth0-powered authentication solution:

Does this migration involve changing our SSO connection to OAuth instead of SAML?

Auth0 is a third-party SaaS provider that Beamery now uses to manage authentication. It’s not the same as OAuth, which is an authentication standard. While Auth0 supports configuring SSO connections using OAuth, Beamery will continue using SAML for user SSO authentication for the time being. We do now support OAuth 2.0 for authenticating with our API, but this is specifically for API integrations. User SSO authentication will continue to use SAML.

Does this change impact our Beamery API integrations?

This migration only affects user logins, and integrations authenticating with basic auth will not be disrupted.

While we do now offer OAuth 2.0 authentication for our API, we don’t currently have plans to deprecate basic auth.

Please see our documentation if you’re interested in moving your integrations to OAuth anyway, to take advantage of the security benefits it brings: https://frontier.beamery.com/swagger-ui/#how-to-authenticate.