Implementing SSO from Scratch
This guide covers how to implement SSO from start to finish using Descope in your application.
Descope provides many convenient features that allow you to do this, including but not limited to: our Self-Service SSO Configuration Widget, our Tenant Management functions, and our native and certified support of SAML 2.0 and OAuth 2.0 standards.
Prerequisites
Before implementing the Self-Service SSO provisioning, there are some prerequisites you will need to implement. These items are defined below:
- SSO Enabled as an authentication method via API and SDK
- A Tenant within Descope
- An existing user within Descope with the
SSO Adminpermission.
1. Ensure that the SSO method is enabled via API and SDK
The SSO authentication method should be enabled for this to work. This should be enabled by default, unless previously changed.
Go to the SSO authentication method in your Descope project and verify that the toggle for Enable method in API and SDK is enabled.
2. Create a New Tenant
Creating a Tenant with Flows
You can create a Tenant with Flows, using the Create Tenant action.
Creating a Tenant Manually within the Console
You can create a tenant manually in the Descope Console, under Tenants. In the console, is where you can also define tenant custom attributes, configure SSO connections, create authorization policies, and more.
Creating a Tenant with SDKs or APIs
If you wish to programmatically create a tenant with either our SDKs or APIs, you can visit the respective guides linked below, for more information on
Here is an example of a tenant created from the Descope Console.
Configuring SSO with a Tenant
You can read about how to use the self-service SSO configuration widget in our docs page.
There are two main ways to configure SSO for tenants in Descope.
You can configure it yourself as a Descoper from Tenant Settings, or have the admins of your tenant do it on your behalf.
The latter option is the most popular, as it doesn't involve any interaction with your customers and customers' customers.
You can choose to send an invite link to access a hosted version of our widget, or embed the widget for tenant admins of yours to use from within your own application.
Once you've configured it with either of the two methods above, or configured SSO yourself, you are ready to move onto the final step.
Using SSO as an Authentication Method
Once you've successfully configured SSO, the final step is to utilize it in your application as an authentication method. This can be done with Descope in a multitude of ways.
With Flows
You can simply use Descope Flows with the SSO action to authenticate with your newly configured external identity provider (IdP). Read more about it here.
Using Tenant Parameter
When using Flows, you can feed a tenant parameter into your flow, to automatically tell the flow which SSO provider (associated with said tenant) should be used and redirected to with the SSO action.
With this, there are a lot of interesting use cases which you can read about in our doc on Applications.
With SDKs
You can use Descope SDKs to authenticate with your pre-configured SSO provider as well. Read more about it here.
With APIs
You can use Descope SDKs to authenticate with your pre-configured SSO provider as well. Read more about it here.
Conclusion
In conclusion, adding SSO to your existing applications with Descope is relatively painless.
If you're confused by any of these steps, please feel free to reach out to us via our support methods.