Implementing SSO from Scratch

This guide covers how to implement SSO from start to finish using Descope in your application.

Descope provides many convenient features that allow you to do this, including but not limited to: our Self-Service SSO Configuration Widget, our Tenant Management functions, and our native and certified support of SAML 2.0 and OAuth 2.0 standards.

Prerequisites

Before implementing Self-Service SSO provisioning, you will need to complete the prerequisites described below:

1. Ensure that the SSO method is enabled via API and SDK

The SSO authentication method should be enabled for this to work. This should be enabled by default, unless previously changed.

Go to the SSO authentication method in your Descope project and verify that the toggle for Enable method in API and SDK is enabled.


2. Create a New Tenant

Creating a Tenant with Flows

You can create a Tenant with Flows, using the Create Tenant action.

Creating a Tenant Manually within the Console

You can create a tenant manually in the Descope Console, under Tenants. The console is also where you can define tenant custom attributes, configure SSO connections, create authorization policies, and more.

Creating a Tenant with SDKs or APIs

If you wish to programmatically create a tenant with either our SDKs or APIs, you can visit the respective guides linked below, for more information on

Here is an example of a tenant created from the Descope Console.


Configuring SSO with a Tenant

You can read about how to use the self-service SSO configuration widget in our docs page.

There are two main ways to configure SSO for tenants in Descope.

You can configure it yourself as a Descoper from Tenant Settings, or have the admins of your tenant do it on your behalf.

The latter option is the most popular, as it doesn't involve any interaction with your customers or your customers' customers.

You can choose to send an invite link to access a hosted version of our widget, or embed the widget for tenant admins of yours to use from within your own application.

Once you've configured it with either of the two methods above, or configured SSO yourself, you are ready to move on to the final step.

Using SSO as an Authentication Method

Once you've successfully configured SSO, the final step is to utilize it in your application as an authentication method. This can be done with Descope in a multitude of ways.

With Flows

You can simply use Descope Flows with the SSO action to authenticate with your newly configured external identity provider (IdP). Read more about it here.

Using Tenant Parameter

When using Flows, you can pass a tenant parameter into your flow to tell it automatically which SSO provider (the one associated with that tenant) the SSO action should use and redirect to.

With this, there are a lot of interesting use cases which you can read about in our doc on Applications.
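As an added example (not Descope's code), here is one way to choose the value of the tenant parameter on your server before starting the flow, assuming you keep a mapping of verified email domains to tenant IDs. The domains, tenant IDs, login URL and the `tenant` query parameter name are assumptions made for illustration.

```python
from typing import Optional
from urllib.parse import urlencode

# Constructed sample data: verified email domain -> tenant ID (hypothetical values).
TENANT_BY_DOMAIN = {
    "acme.example": "T-acme",
    "globex.example": "T-globex",
}


def email_domain(email: str) -> Optional[str]:
    """Return the normalized (lower-case, IDNA/ASCII) domain, or None if malformed."""
    email = email.strip()
    if email.count("@") != 1:  # conservative: reject anything ambiguous
        return None
    local, domain = email.split("@")
    domain = domain.rstrip(".").lower()
    if not local or not domain:
        return None
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def tenant_for_email(email: str) -> Optional[str]:
    """Exact-match lookup only: no suffix or subdomain matching, no default tenant."""
    domain = email_domain(email)
    return TENANT_BY_DOMAIN.get(domain) if domain else None


def sso_login_url(base_url: str, email: str) -> Optional[str]:
    """Build the URL of the page hosting the flow, with the tenant parameter set.

    Returns None for unknown domains so the caller can fall back to a
    non-SSO login instead of guessing a tenant.
    """
    tenant = tenant_for_email(email)
    if tenant is None:
        return None
    return base_url + "?" + urlencode({"tenant": tenant})


if __name__ == "__main__":
    for addr in ("Alice@ACME.example", "eve@acme.example.evil.test", "bob@sub.acme.example"):
        print(addr, "->", sso_login_url("https://app.example.com/login", addr))
```

Matching the domain exactly keeps look-alike or nested domains from being routed to another tenant's identity provider.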

With SDKs

You can use Descope SDKs to authenticate with your pre-configured SSO provider as well. Read more about it here.

With APIs

You can use Descope APIs to authenticate with your pre-configured SSO provider as well. Read more about it here.

Conclusion

In conclusion, adding SSO to your existing applications with Descope is relatively painless.

If you're confused by any of these steps, please feel free to reach out to us via our support methods.
