SSO Go-Live Checklist
Run through this before turning on SSO for real customers in production. Each item links to the relevant guide.
Configuration
- SSO is enabled at the project level (Authentication Methods → SSO).
- Each customer tenant has a SAML or OIDC connection configured and tested.
- Users are routed to the right tenant, either by SSO Domain or tenant slug/ID.
- Attribute and group/role mapping are configured and verified. For OIDC, confirm the IdP actually sends a groups claim (see OIDC group claims).
- Post-authentication redirect URLs are set (project and/or tenant level) and use HTTPS in production. This is required for IdP-initiated login.
Application
- Your app initiates SSO and handles the callback, using Flows or the backend / client SDK.
- Your backend validates the returned Descope token, and the tenant it belongs to, before creating a session.
- You've handled SSO failures gracefully (see the SSO error codes).
- You've tested both SP-initiated and IdP-initiated login.
Test End-to-End
- Tested with a real IdP, or with a Mock SAML tenant if you don't have one yet.
- Confirmed users land authenticated with the roles you expect.
- Checked the Audit page for the
LoginSucceededevent and reviewed any failures.
Customer Self-Service (Recommended)
- Decided how customers configure their own IdP: hand off an SSO Setup Suite link, embed it, or use the Admin Portal.
- Confirmed the SSO Setup Suite plan availability for your project.
Production
- Using your production Project ID (and production access keys for management calls).
- Descope can reach the IdP endpoints. If the IdP restricts inbound traffic, allowlist Descope's static IPs.
- Reviewed the identity-merging behavior and configured SSO Domain association to avoid duplicate accounts.
- Prefer IdP metadata URLs where possible, and know how you'll handle certificate / metadata rotation.
Was this helpful?