Add Auth0 SSO handoff export

README.md

@@ -119,16 +119,33 @@ workos-migrate export-auth0 \
   --output-dir ./migration-auth0
 ```
 
+To write only SSO handoff files:
+
+```bash
+workos-migrate export-auth0 \
+  --domain my-tenant.us.auth0.com \
+  --client-id <M2M_CLIENT_ID> \
+  --client-secret <M2M_CLIENT_SECRET> \
+  --package \
+  --entities sso \
+  --output-dir ./migration-auth0-sso
+```
+
 Options:
 
 - `--orgs <ids...>` - Filter to specific Auth0 organization IDs
+- `--entities <entities>` - Comma-separated package entities to export (`users,organizations,memberships,sso`)
 - `--rate-limit <n>` - API requests per second (default: 50)
 - `--use-metadata` - Use `user_metadata` for org discovery instead of the Organizations API
 - `--include-federated-users` - Include federated/JIT users in package mode (skipped by default)
+- `--include-secrets` - Include SSO connection secrets in package handoff files (redacted by default)
 - `--job-id <id>` - Enable export checkpointing for large tenants
 - `--resume [jobId]` - Resume a previously checkpointed export
 
 The export maps Auth0 fields to WorkOS CSV format, including `email_verified`, `external_id`, and custom metadata.
+Auth0 package SSO export is handoff-only: it inspects Auth0 enterprise strategies for SAML/OIDC configuration and emits only connections with enough reliable handoff data. Database, passwordless, social, generic OAuth, non-SAML/OIDC enterprise, and incomplete connections are skipped with warnings.
+
+For a callback proxy reference implementation during Auth0 enterprise-connection cutover, see [`proxy-sample-auth0`](proxy-sample-auth0/README.md). The repo also includes [`proxy-sample-cognito`](proxy-sample-cognito/README.md) for Cognito migrations.
 
 ### 3. Merge password hashes (optional)
 

dist/cli/commands/export-auth0.js

@@ -10,6 +10,8 @@ export function registerExportAuth0Command(program) {
         .option('--output <path>', 'Output CSV file path')
         .option('--package', 'Write a provider-neutral migration package')
         .option('--output-dir <dir>', 'Output directory for package mode')
+        .option('--entities <entities>', 'Comma-separated package entities to export (users,organizations,memberships,sso)', 'users,organizations,memberships')
+        .option('--include-secrets', 'Include Auth0 SSO connection secrets in package handoff files')
         .option('--orgs <ids...>', 'Filter to specific Auth0 org IDs')
         .option('--page-size <n>', 'API pagination size (max 100)', '100')
         .option('--rate-limit <n>', 'API requests per second', '50')
@@ -36,6 +38,8 @@ export function registerExportAuth0Command(program) {
                 output: opts.output,
                 package: opts.package ?? false,
                 outputDir: opts.outputDir,
+                entities: parseEntities(opts.entities),
+                includeSecrets: opts.includeSecrets ?? false,
                 orgs: opts.orgs,
                 pageSize: parseInt(opts.pageSize, 10),
                 rateLimit: parseInt(opts.rateLimit, 10),
@@ -56,3 +60,11 @@ export function registerExportAuth0Command(program) {
         }
     });
 }
+function parseEntities(value) {
+    if (!value)
+        return undefined;
+    return value
+        .split(',')
+        .map((entity) => entity.trim())
+        .filter(Boolean);
+}

dist/exporters/auth0/package-exporter.d.ts

@@ -1,10 +1,13 @@
-import type { Auth0ExportOptions, Auth0Organization, Auth0User, ExportSummary } from '../../shared/types.js';
+import type { Auth0Connection, Auth0ExportOptions, Auth0Organization, Auth0OrganizationConnection, Auth0User, ExportSummary } from '../../shared/types.js';
 export interface Auth0ExportClient {
     testConnection?(): Promise<{
         success: boolean;
         error?: string;
     }>;
+    getConnections?(page?: number, perPage?: number, strategy?: string | string[]): Promise<Auth0Connection[]>;
+    getConnection?(connectionId: string): Promise<Auth0Connection>;
     getOrganizations(page?: number, perPage?: number): Promise<Auth0Organization[]>;
+    getOrganizationConnections?(orgId: string, page?: number, perPage?: number): Promise<Auth0OrganizationConnection[]>;
     getOrganizationMembers(orgId: string, page?: number, perPage?: number): Promise<Array<{
         user_id: string;
     }>>;