SSO Go-Live Checklist

Run through this before turning on SSO for real customers in production. Each item links to the relevant guide.

Configuration

Application

  • Your app initiates SSO and handles the callback, using Flows or the backend / client SDK.
  • Your backend validates the returned Descope token, and the tenant it belongs to, before creating a session.
  • You've handled SSO failures gracefully (see the SSO error codes).
  • You've tested both SP-initiated and IdP-initiated login.

Test End-to-End

  • Tested with a real IdP, or with a Mock SAML tenant if you don't have one yet.
  • Confirmed users land authenticated with the roles you expect.
  • Checked the Audit page for the LoginSucceeded event and reviewed any failures.
  • Decided how customers configure their own IdP: hand off an SSO Setup Suite link, embed it, or use the Admin Portal.
  • Confirmed the SSO Setup Suite plan availability for your project.

Production

  • Using your production Project ID (and production access keys for management calls).
  • Descope can reach the IdP endpoints. If the IdP restricts inbound traffic, allowlist Descope's static IPs.
  • Reviewed the identity-merging behavior and configured SSO Domain association to avoid duplicate accounts.
  • Prefer IdP metadata URLs where possible, and know how you'll handle certificate / metadata rotation.
Was this helpful?

On this page