Authentication

SSO (Single Sign-On)

Descope supports both SAML 2.0 and OAuth 2.0 specifications for Single Sign-On (SSO), allowing you to integrate with any identity provider (IdP) that implements either standard. To get started with SSO:

  1. Enable SSO in your project by navigating to Authentication Methods --> SSO
  2. Select "Service Provider" and toggle it on
  3. Configure SSO settings for each tenant individually through the Tenants page

Note

SSO is only implemented for tenants and not at a project level. Add at least one tenant to the project to implement an SSO authentication flow.

SSO Acronyms

Here are the key terms you'll encounter when setting up SSO:

  • Identity Provider (IdP): Your SSO provider (like Okta, Azure AD, or Google Workspace) that handles user authentication
  • Service Provider (SP): Your application that users want to access. With Descope, you don't need to implement the complex SP side of SSO - we handle that for you.

You are the SP providing your customers SSO access to your website, application, or service. Descope will act on your behalf as the SP, so you don't have to wade through the complexities of implementing SSO.

Tenant Identification Methods

No matter which authentication method your IdP uses, you have multiple options for identifying which tenant a user belongs to:

Since SSO configuration is managed at the tenant level, you need to define how users are linked to their specific tenant before they can authenticate with the appropriate IdP.

Note

It's also worth noting that a tenant can have multiple SSO providers associated with it, allowing login with different SSO providers for different user groups within the same tenant. Read more about this in the multiple SSO providers use case guide.

Option 1: SSO Domains (Optional)

You can configure SSO domains under Tenants -> Select Tenant -> Authentication Methods -> SAML/OIDC. This creates an allowed list of email domains associated with this tenant. When configured, only end users from the listed email domains can sign in with this tenant's associated SAML/OIDC identity provider (IdP).

Tenant NameSSO DomainUser's Accessibility
SSO Tenant 1company-a.comAll end users signing in from the @company-a.com email domain will be authenticated using the SSO Tenant 1 SSO authentication flow
SSO Tenant 2company-x.com, company-y.comAll end users signing in from the @company-x.com or @company-y.com email domains will be authenticated using the SSO Tenant 2 SSO authentication flow

Option 2: Tenant Slug or ID

For more information on flow input parameters, visit our Auth Helpers docs page.

If you have users from multiple domains in a single tenant, or if you cannot use domain association with your SSO provider, you can use the tenant slug or ID instead. This can be passed through the flow component, allowing you to route users to the correct tenant regardless of their email domain.

When using tenant slugs or IDs, you don't need to configure SSO domains. This is particularly useful when:

  • Multiple domains exist within a single tenant
  • Your SSO provider doesn't support domain-based routing
  • You want more flexibility in how users are assigned to tenants

Once you've chosen your tenant identification method, you can check out the following guides, depending on whether you're configuring a SAML or OIDC SSO provider for your Tenant:

General SSO Configuration

These settings apply to all tenants using SSO in your project. You can configure them in the Descope Console under Authentication Methods --> SSO settings.

Convert Existing Users to SSO-only

When enabled (default), this setting determines how users are converted to SSO-only authentication. This means that once a user successfully authenticates via SSO, they will only be able to sign in using SSO in the future. Here's what happens in different scenarios:

What You Should Know

  1. When Tenant Exists Before User:

    • If a tenant is already set up with a domain association
    • And a user signs in with an email matching that domain
    • The user will be added to the tenant
    • If the tenant later enables SSO, and the user signs in via SSO
    • The user will be converted to SSO-only authentication

  2. When User Exists Before Tenant:

    • If a user already has an account before a tenant is created
    • And that tenant is later created with domain/SSO
    • The user won't be automatically associated with the tenant
    • If the user tries to sign in via SSO with the same email
    • A new SSO-only account will be created, resulting in duplicate accounts

Auto-Association Configuration

To handle the "User Created First" scenario, you can enable auto-association in your specific tenant settings:

  • Email Domain Auto-Association: Automatically associate existing users with matching email domains to newly created tenants
  • SSO Domain Auto-Association: When enabled, existing users will be:
    • Associated with the tenant if their email matches the SSO domain
    • Converted to SSO users when they first authenticate via SSO
    • Merged with their existing account instead of creating a duplicate

email domain

sso domain

Note

Auto-association helps prevent duplicate accounts by merging existing users with their SSO identities when the email addresses match. This is particularly useful when users have existing accounts with personal emails that later become their SSO email addresses.

Post Authentication Redirect URL

  • Default Redirect URL: The URL where users are redirected after successful SSO authentication. This can be:
    • A static URL (e.g., https://myapp.com/dashboard)
    • A dynamic URL using tenant information:
      • {{tenant.domain}} - The tenant's domain
      • {{tenant.name}} - The tenant's name
      • {{tenant.selfProvisionDomain}} - The email domain that allows tenant self provisioning

SSO dynamic redirect URL configuration

Example of a dynamic redirect URL in action: SSO dynamic redirect URL example

This can be overridden by:

  • Tenant-specific redirect URLs
  • URLs specified in the SDK or API calls

User Attributes

  • Mandatory User Attributes: Define which Descope user attributes must be populated when receiving SSO information. This ensures that your SSO configuration provides all necessary user data.

Fine-Grained Authorization (FGA)

  • Mappable FGA Types: Select which FGA schema types are available for tenant admins to use when mapping SSO groups. This controls which types of access control can be managed through SSO group mappings.

Note

These general settings provide a foundation for SSO across your project. Individual tenants can have additional configurations detailed further down in this guide.

SSO Setup Suite Configuration

The SSO Setup Suite allows your customers to self-configure their SSO integration. These settings control how the suite works across all tenants.

Access Control

Configure who can access and use the SSO Setup Suite:

  • FGA Permission: Required FGA permissions to access the suite

SSO Setup Suite access control

Styling

You can apply a custom style for the SSO setup suite, that can customize the appearance of the SSO Setup Suite to match your brand.

Invitation Configuration

Control how users are invited to set up SSO:

  • Connector: Which email connector to use for sending the invitation email.
  • Email Template: Customize the invitation email content and design
  • Expiration: Set how long the SSO Setup Suite invitation remains valid

SSO Setup Suite invitation settings

Configuring SSO with SAML

Before you start

To configure SSO within a tenant, you'll need to provide Descope with your IdP's configuration details.

You can provide these details in two ways:

If your IdP provides a metadata URL, use this method. Descope will automatically:

  • Retrieve all required configuration details
  • Update settings if your IdP configuration changes
  • Ensure your SSO connection stays up-to-date

Option 2: Manual Configuration

Alternatively, you can manually copy and paste each required piece of information from your IdP into Descope.

All Settings

Here's a comprehensive overview of all the settings you can configure for SSO:

Tenant Details

  • SSO Domains: Email domain(s) that will use this SSO configuration
  • JIT Provisioning: Controls whether user attributes and groups are updated from your IdP. Enable this by default unless you're using SCIM for user management

Identity Provider (IdP) Settings

  • Metadata URL: A URL containing all your IdP's connection details. This is the easiest way to configure SSO as it automatically updates if your IdP settings change
  • Login URL: The URL where users are redirected to sign in (also called "SSO URL" or "Single Sign-on URL")
  • Entity ID: A unique identifier for your IdP
  • Certificate: The certificate used to verify the authenticity of messages between your IdP and Descope

Post-Authentication Redirect URL

  • Redirect URL: The default URL where users are sent after successful sign-in. This is an optional argument in the API and SDKs, and the URL provided in the API or SDK will take precedence over the URL entered here.

Service Provider (SP) Settings

These are the settings you'll need to configure in your IdP:

  • Descope Entity ID: Your unique identifier in the SAML communication
  • Descope ACS URL: The endpoint where your IdP sends authentication responses
  • Descope XML URL: Metadata URL for your Descope configuration (read-only)

SSO Keys

By default Descope signs the SAML request using our internal private key. However, if you prefer, you can upload your custom private key instead.

You can also override the key pair for handling the IdP SAML response encryption, with your custom private key as well.

SSO keys

SSO Mapping

  • User Attribute Mapping: Maps IdP attributes (like email and phone) to Descope user attributes
  • Group Mapping:
    • Groups Attribute Name: The attribute your IdP uses to identify groups
  • RBAC Group Mapping: Map SSO Groups from your IdP to Descope roles.
    • IdP Group Name: The name of the group in your IdP
    • Descope Role: The Descope role to assign to users in this group
  • Default Roles: Assign default roles to users who are automatically provisioned from your IdP with JIT.
  • FGA Group Mapping: Map SSO Groups from your IdP to FGA types and relations.

SCIM Provisioning

You're able to automatically generate a SCIM Bearer token to configure SCIM with your SAML SSO IdP in this section.

The SCIM URL will automatically be populated in the SCIM URL field.

SCIM provisioning in SSO setup

Identity Provider (IdP)

The Identity Provider (IdP) section contains all the application information you registered with your IdP, including the Login URL, Entity ID, and Certificate.

Descope needs these details so we can act as the SP on your behalf. Paste the information from your IdP into the console, or enter the Metadata URL if your IdP provides it.

Post Authentication Redirect URL

Note

When using IdP-Initiated Authentication with Descope Flows, you must provide a Post Authentication Redirect URL.

The Redirect URL is the default URL an end user is redirected to after a successful SSO authentication.

You can also set this as an optional argument in the API and SDKs, and the URL provided in the API or SDK will take precedence over the URL entered here.

Service Provider (SP)

The Service Provider (SP) section contains all the application information necessary to configure your application within your IDP. The data presented here are specific to the tenant you are configuring SSO for.

SSO User Mapping

SSO User Mapping maps the attributes supported by Descope to the attribute label you defined when setting up your application with your IdP. Configure as many of the supported attributes as you require. The Descope attribute Email is required.

Note

Descope also allows you to map attributes from your IdP to custom user attributes when configuring your attribute mapping.

User Attribute Mapping

In the example below, we demonstrate how to map user attributes between your Identity Provider (IdP) and Descope. The table illustrates three sample attributes email, login, and phone, and shows how they are defined in both the IdP console and the Descope console.

To store specific attributes about your end users, first configure them in your IdP console, then add the corresponding mappings in the Descope console.

IdP Attributes NameDescope Attribute
emailEmail
loginDisplay Name
phonePhone Number

Note

By default, in Microsoft Entra ID (formerly Azure AD), the user attributes within the assertion are sent in a link format (e.g., as URIs). An example of this would be http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress for the user's email address. Be sure to configure them correctly to ensure proper mapping with Descope.

Group Mapping

Group Mapping is a key feature in Descope's SSO solution, allowing you to integrate role-based access control from your IdP into your Descope-powered application.

How Group Mapping Works

Descope enables you to map groups defined in your IdP to roles within your Descope-powered applications.

  1. Define Groups in Your IdP: Groups are typically defined in your IdP, representing organizational units, roles, or departments (e.g., "Engineering," "HR," "Sales").
  2. Map Groups to Roles in Descope: Use the Descope Console to create role mappings that associate each IdP group with a corresponding role in Descope. For example, the "HR" group in your IdP can map to an "HR Team" role in Descope.
  3. Automatic Role Assignment on Login: When users authenticate through SSO, Descope receives group information from the IdP, then automatically assigns them the appropriate role based on the mappings you've configured.
  4. Access Control Based on Roles: Roles defined in Descope then dictate what permissions and resources are available to the user within your application, allowing for efficient, centralized access control.

group-mapping

Configuring Group Mapping

To set up group mapping in Descope, follow these steps:

Step 1: Define Roles in Descope

  1. Log into your Descope Console.
  2. Navigate to Tenant Management and select the tenant where you want to set up group mappings.
  3. Under Roles & Permissions, define roles that correspond to the groups in your IdP. For example, create roles like "Finance Team" or "Engineering Lead" to match your organization's structure.

Step 2: Map IdP Groups to Descope Roles

  1. In the SSO Configuration tab for the selected tenant, locate the Group Mapping section.
  2. Specify the Groups Attribute Name - the attribute in your IdP that identifies user groups (e.g., "groups" for Azure AD).
  3. Map each IdP group (e.g., "Engineering") to a specific Descope role (e.g., "Developer Team") by entering the IdP Group Name and selecting the corresponding Descope Role.

Tip: Test each mapping after configuration to verify that users in the IdP group are assigned the correct roles in Descope.

Using Group Mapping with Other IdPs

You can also configure group mappings for other IdPs, such as Okta and Google Workspace, following similar steps. Ensure you check each IdP's documentation on enabling group claims in SAML assertions or OIDC tokens.

For more guidance, explore these resources:

Self-Service SSO Provisioning

Descope empowers your customers to independently configure their SSO (SAML/OIDC) integration with your application. With the Descope SSO Setup Suite, customers are guided through a step-by-step user interface to set up their SSO provider seamlessly.

Read more about the Descope SSO Setup Suite here.

IdP-Initiated SSO

For a detailed walkthrough on implementing IdP-Initiated SSO using Descope Flows and SDKs, refer to the guide here: Implementing IdP-Initiated SSO with Descope Flows.

Configuring SSO with OIDC

Before you start

To configure OIDC SSO, you'll need to gather some information from your IdP. The exact requirements depend on which OAuth 2.0 flow you're using:

You'll need:

  • Client ID and Client Secret
  • All OIDC endpoints (Authorization, Token, User Info, JWKs)
  • Optional: Issuer URL and Prompt type

Implicit Flow with Form Post

You'll need:

  • Client ID
  • Authorization and User Info endpoints
  • Optional: Issuer URL and Prompt type

Note

Some IdPs may require additional configuration:

  • The Issuer URL for validating tokens
  • A specific Prompt type for controlling the login experience
  • The JWKs endpoint for token verification

All Settings

Here's a comprehensive overview of all the OIDC settings you can configure:

Tenant Details

  • SSO Domains: Email domain(s) that will use this SSO configuration
  • JIT Provisioning: Controls whether user attributes and groups are updated from your IdP. Enable this by default unless you're using SCIM for user management

Account Settings

  • Provider Name: The name of your IdP (e.g., "Okta", "Azure AD")
  • Client ID: Your application's unique identifier from the IdP
  • Client Secret: A confidential key from your IdP (not needed for Implicit Flow)
  • Scopes: Permissions your app requests from the IdP (e.g., email, profile, groups)
  • Grant Type: The OAuth 2.0 flow to use:
    • Authorization Code
    • Implicit Flow with Form Post

Connection Settings

  • Issuer: Your IdP's unique identifier (required by some providers)
  • Authorization Endpoint: Where users are sent to log in
  • Token Endpoint: Where your app requests access and ID tokens
  • User Info Endpoint: Where your app gets user profile information
  • JWKs Endpoint: Where your app gets public keys for token verification

Prompt

  • Prompt: Controls the login experience at your IdP:
    • login: Force users to log in
    • consent: Force users to grant permissions
    • none: Use existing session if available

SSO Mapping

  • User Attribute Mapping: Map IdP attributes to Descope user attributes:
    • email → Email
    • name → Display Name
    • picture → Profile Picture
    • etc.

SCIM Provisioning

You're able to automatically generate a SCIM Bearer token to configure SCIM with your OIDC SSO IdP in this section.

The SCIM URL will automatically be populated in the SCIM URL field.

SCIM provisioning in SSO setup

Advanced Settings

  • Manage tokens from provider: If enabled, Descope will manage the OAuth tokens from your IdP.
  • Callback Domain: The domain for SSO callback responses
  • Callback URL: The URL your IdP will call after authentication
  • Redirect URL: Where users go after successful login

Note

The Callback URL will automatically update if you change your custom domain in the Descope Console.

Account Settings

This section is where you will configure your Client ID, Client Secret (if applicable), and all of the necessary scopes needed for your OIDC request to your IdP.

Connection Settings

Here is where you will need to provide all of your IdP related endpoint locations. For more information on Descope's endpoints, as an OIDC provider, you can visit this docs page.

Prompt

The Prompt option allows you to specify the type of user interaction required at the IdP. For instance, Login will force the user to enter their credentials regardless of current session status. For more information on how Prompt works, and what you can do with this option, you can read about it under our Custom Provider page.

Attribute Mapping Best Practices

User Attribute Mapping maps the attributes supported by Descope to the attribute label you defined when setting up your application with your IdP. Configure as many of the supported attributes as you require. The Descope attribute Email is required.

Note

Descope also allows you to map attributes from your IdP to custom user attributes when configuring your attribute mapping.

Provider user identifierDescope user attribute
emailLogin ID (Required)
nameDisplay Name
emailEmail
picturePicture
Was this helpful?

Microsoft

When integrating Descope flows, often you'll want to allow Social Login with Microsoft as one of the authentication methods for your users.

Flows

Learn about how to utilize SSO based authentication in Flows.

On this page

SSO (Single Sign-On)SSO AcronymsTenant Identification MethodsOption 1: SSO Domains (Optional)Option 2: Tenant Slug or IDGeneral SSO ConfigurationConvert Existing Users to SSO-onlyWhat You Should KnowAuto-Association ConfigurationPost Authentication Redirect URLUser AttributesFine-Grained Authorization (FGA)SSO Setup Suite ConfigurationAccess ControlStylingInvitation ConfigurationConfiguring SSO with SAMLBefore you startOption 1: Metadata URL (Recommended)Option 2: Manual ConfigurationAll SettingsTenant DetailsIdentity Provider (IdP) SettingsPost-Authentication Redirect URLService Provider (SP) SettingsSSO KeysSSO MappingSCIM ProvisioningIdentity Provider (IdP)Post Authentication Redirect URLService Provider (SP)SSO User MappingUser Attribute MappingGroup MappingHow Group Mapping WorksConfiguring Group MappingStep 1: Define Roles in DescopeStep 2: Map IdP Groups to Descope RolesUsing Group Mapping with Other IdPsSelf-Service SSO ProvisioningIdP-Initiated SSOConfiguring SSO with OIDCBefore you startAuthorization Code Flow (Recommended)Implicit Flow with Form PostAll SettingsTenant DetailsAccount SettingsConnection SettingsPromptSSO MappingSCIM ProvisioningAdvanced SettingsAccount SettingsConnection SettingsPromptAttribute Mapping Best Practices