SSO (Single Sign-On) APIs

Use the SSO (Single Sign-On) APIs to let end users sign in to all authorized applications using the same credentials.

Overview

Implementing SSO using the APIs is a two-step process:

  1. Sign-In - Call the Start SSO endpoint to authenticate your end user. After the end user has successfully signed in you will get a unique code, which is exchanged for a user object in the next step. Access authorization to a specific service provider application can be managed in either of the following ways:
    • (recommended) Map and manage end user access using Descope roles and groups for a specific tenant
    • Manage access manually using the roles and access mechanism provided by each individual service provider
  2. Exchange Code - Call the Exchange SSO Code endpoint, which exchanges the unique code for a user object that includes the session JWT sessionJwt and the refresh JWT refreshJwt.

Implementing SSO

Sign-in

Call the Start SSO endpoint to authorize your end user to sign in. Descope will walk the end user through the SSO sign-in process. The endpoint takes two arguments:

  • tenant - specific tenant for which to sign-in the end user
  • redirectURL - destination URL you want the end user session to be redirected to after successfully signing in

The API response returns url, which is the redirectURL with a unique code (<unique-code>) appended as a URL parameter. For example, if redirectURL = https://sso.mycompany.com/mywork.htm then url = https://sso.mycompany.com/mywork.htm?code=<unique-code>.

After the end user has been successfully authenticated with the identity provider (IdP), the end user session is redirected to url.

Exchange Code

In the code that handles the user session being redirected to url, exchange the unique code (<unique-code>) from the URL parameter for a Descope user object:

  1. Extract the unique code (<unique-code>) from the URL parameter.
  2. Call the Exchange SSO Code endpoint.

The endpoint response returns a valid User Object, which includes the session JWT sessionJwt and the refresh JWT refreshJwt.
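The two steps above as one added Python example (not code from the page or from Descope): the endpoint request paths and API base URL are placeholders, since the page names the endpoints and their fields but not their URLs; the HTTP transport is injectable so the flow can be exercised with a fake server. It also allowlists the redirectURL host before starting SSO, so the unique code is only ever appended to a destination you control.

```python
import json
from urllib.parse import urlparse, parse_qs
from urllib.request import Request, urlopen

# Placeholders (assumptions): the page gives endpoint names, fields and
# the bearer-token format, not the request URLs. Adjust to the real API.
API_BASE = "https://api.example.invalid"
START_SSO_PATH = "/sso/start"
EXCHANGE_CODE_PATH = "/sso/exchange-code"
# Hosts you own; the page's example redirect host is used here.
ALLOWED_REDIRECT_HOSTS = {"sso.mycompany.com"}

def check_redirect_url(redirect_url: str) -> str:
    """Only HTTPS targets on an allowlisted host may receive the code."""
    parts = urlparse(redirect_url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        raise ValueError("redirectURL must be https on an allowlisted host")
    return redirect_url

def extract_code(redirected_url: str) -> str:
    """Exchange step 1: read ?code=<unique-code> from the redirect URL."""
    codes = parse_qs(urlparse(redirected_url).query).get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("redirect carried no single non-empty code")
    return codes[0]

def http_post_json(path: str, project_id: str, body: dict) -> dict:
    """Real transport; header format is the one the page documents."""
    req = Request(API_BASE + path, data=json.dumps(body).encode(), method="POST",
                  headers={"Authorization": f"Bearer {project_id}",
                           "Content-Type": "application/json"})
    with urlopen(req) as resp:
        return json.load(resp)

def start_sso(tenant: str, redirect_url: str, project_id: str,
              post=http_post_json) -> str:
    """Sign-in step: returns url (redirectURL plus ?code=<unique-code>)."""
    check_redirect_url(redirect_url)
    return post(START_SSO_PATH, project_id,
                {"tenant": tenant, "redirectURL": redirect_url})["url"]

def exchange_code(redirected_url: str, project_id: str,
                  post=http_post_json) -> dict:
    """Exchange step 2: code -> user object; insist both JWTs are present."""
    user = post(EXCHANGE_CODE_PATH, project_id,
                {"code": extract_code(redirected_url)})
    missing = [k for k in ("sessionJwt", "refreshJwt") if not user.get(k)]
    if missing:
        raise ValueError(f"exchange response missing {missing}")
    return user
```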


Get NoTP Pending Session POST

Get a session that was generated by a NOTP sign-in / sign-up request and verified with a Verify request.

### Endpoint Authentication

Use an authorization bearer header with the following format: `Authorization: Bearer <Project ID>`

Start SSO POST

### Authorize end user to sign in using SAML SSO

Initiate a SAML SSO (Single Sign-On, "sign-in" in Descope terminology) process for an end user. Descope will coordinate the sign-in process with the service provider. Specify the URL you want to redirect the end user to after a successful sign-in in the `redirectURL` parameter.

When the SSO sign-in completes successfully, the endpoint returns a URL `url` that has a unique code `<unique-code>` (also called a token) appended as a URL parameter to the `redirectURL` you provided. For example, if `redirectURL = https://sso.mycompany.com/mywork.htm` then `url = https://sso.mycompany.com/mywork.htm?code=<unique-code>`. The unique code will be exchanged for a valid user object in the next step. After the end user has been successfully authenticated with the identity provider (IdP), the end user session is redirected to `url`.

### Next Steps

Call the [Exchange Code](/api/sso/exchange-code) endpoint from the flow that responds to the URL specified in the `redirectURL` field, to exchange the unique code for a user session object.

### See Also

- See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone numbers.
- See [User Login Options](/api/overview#user-login-options) for further details on the stepup, mfa, and customClaims parameters.

### Endpoint Authentication

Use an authorization bearer header with the following format: `Authorization: Bearer <Project ID>`
