SSO (Single Sign-on) with OIDC
We highly recommend having your customer/tenant set up SSO for their own organization using our SSO Setup Suite. The SSO Setup Suite walks your customers through the entire SSO Configuration process, with templates for all common IdPs, and allows them to test the connection, minimizing any back and forth or setup errors.
If your customer is unable to use the SSO Setup Suite for any reason, you can utilize the instructions below to configure SSO with your customer's OIDC Provider.
The configuration below is done under Authentication Methods --> SSO after you select a tenant from the Tenant tab of the Descope Console.
Configuring SSO with OIDC
Before you start
To configure OIDC SSO, you'll need to gather some information from your IdP. The exact requirements depend on which OAuth 2.0 flow you're using:
Authorization Code Flow (Recommended)
You'll need:
- Client ID and Client Secret
- All OIDC endpoints (Authorization, Token, User Info, JWKs)
- Optional: Issuer URL and Prompt type
Implicit Flow with Form Post
You'll need:
- Client ID
- Authorization and User Info endpoints
- Optional: Issuer URL and Prompt type
Note
Some IdPs may require additional configuration:
- The Issuer URL for validating tokens
- A specific Prompt type for controlling the login experience
- The JWKs endpoint for token verification
All Settings
Here's a comprehensive overview of all the OIDC settings you can configure:
Tenant Details
- SSO Domains: Email domain(s) that will use this SSO configuration
- JIT Provisioning: Controls whether user attributes and groups are updated from your IdP. Enable this by default unless you're using SCIM for user management
Account Settings
- Provider Name: The name of your IdP (e.g., "Okta", "Azure AD")
- Client ID: Your application's unique identifier from the IdP
- Client Secret: A confidential key from your IdP (not needed for Implicit Flow)
- Scopes: Permissions your app requests from the IdP (e.g., `email`, `profile`, `groups`)
- Grant Type: The OAuth 2.0 flow to use:
  - Authorization Code
  - Implicit Flow with Form Post
Connection Settings
- Issuer: Your IdP's unique identifier (required by some providers)
- Authorization Endpoint: Where users are sent to log in
- Token Endpoint: Where your app requests access and ID tokens
- User Info Endpoint: Where your app gets user profile information
- JWKs Endpoint: Where your app gets public keys for token verification
Prompt
- Prompt: Controls the login experience at your IdP:
  - `login`: Force users to log in
  - `consent`: Force users to grant permissions
  - `none`: Use existing session if available
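The following added example (it is not part of Descope's documentation or SDK) shows what the Grant Type and Prompt settings above turn into on the wire: it builds the authorization request for both the Authorization Code flow and the Implicit Flow with Form Post, binds the callback to the request through `state`, and builds the back-channel token request, which is the only place the Client Secret is sent. The endpoint URLs, client ID, secret and callback URL are constructed placeholders, not values from any real IdP.

```python
"""Authorization request and token request for the two OIDC grant types.
Added example; all URLs, client values and the callback URL are constructed placeholders."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

VALID_PROMPTS = {"login", "consent", "none"}  # the Prompt values listed above


def build_authorization_url(authorization_endpoint, client_id, redirect_uri, scopes,
                            grant_type, prompt=None, state=None, nonce=None):
    """Return (url, state, nonce). grant_type is 'authorization_code' or
    'implicit_form_post'. state is always sent so the callback can be tied to this
    request; nonce is only needed when the ID token comes back on the front channel."""
    scopes = list(scopes)
    if "openid" not in scopes:  # OIDC requires the openid scope alongside email/profile/groups
        scopes.insert(0, "openid")
    state = state or secrets.token_urlsafe(16)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state}
    if grant_type == "authorization_code":
        params["response_type"] = "code"  # tokens are fetched later from the Token endpoint
    elif grant_type == "implicit_form_post":
        nonce = nonce or secrets.token_urlsafe(16)
        params.update(response_type="id_token", response_mode="form_post", nonce=nonce)
    else:
        raise ValueError(f"unsupported grant type: {grant_type}")
    if prompt is not None:
        if prompt not in VALID_PROMPTS:
            raise ValueError(f"unsupported prompt: {prompt}")
        params["prompt"] = prompt
    return f"{authorization_endpoint}?{urlencode(params)}", state, params.get("nonce")


def parse_callback(callback_url, expected_state):
    """Read the Authorization Code callback: reject a state mismatch before looking
    at anything else, surface an IdP error, otherwise return the code."""
    query = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if query.get("state") != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in query:
        raise ValueError(f"IdP returned {query['error']}: {query.get('error_description', '')}")
    return query["code"]


def callback_accepted(callback_url, expected_state):
    """True if parse_callback accepts the callback, False if it rejects it."""
    try:
        parse_callback(callback_url, expected_state)
        return True
    except ValueError:
        return False


def build_token_request(token_endpoint, code, client_id, client_secret, redirect_uri):
    """Form body for the back-channel code exchange. This is where the Client Secret
    is used; the Implicit flow never sends one, which is why it needs no secret."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "client_secret": client_secret}
    return token_endpoint, body


if __name__ == "__main__":
    cb = "https://app.example.com/sso/callback"  # placeholder callback URL
    url, state, _ = build_authorization_url("https://idp.example.com/authorize", "client-123",
                                            cb, ["email", "profile", "groups"],
                                            "authorization_code", prompt="login")
    print(url)
    code = parse_callback(f"{cb}?code=abc&state={state}", state)
    print(build_token_request("https://idp.example.com/token", code, "client-123", "<secret>", cb))
```

Run it with `python` to print the authorization URL and the token request body; switch the grant type to `implicit_form_post` to see `response_type=id_token`, `response_mode=form_post` and the `nonce` appear, with no secret anywhere in the exchange.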
SSO Mapping
- User Attribute Mapping: Map IdP attributes to Descope user attributes:
  - `email` → Email
  - `name` → Display Name
  - `picture` → Profile Picture
  - etc.
SCIM Provisioning
In this section you can automatically generate a SCIM Bearer token to configure SCIM with your OIDC SSO IdP.
The SCIM URL will automatically be populated in the SCIM URL field.
Advanced Settings
- Manage tokens from provider: If enabled, Descope will manage the OAuth tokens from your IdP.
- Callback Domain: The domain for SSO callback responses
- Callback URL: The URL your IdP will call after authentication
- Redirect URL: Where users go after successful login
Note
The Callback URL will automatically update if you change your custom domain in the Descope Console.
Account Settings
This section is where you will configure your Client ID, Client Secret (if applicable), and all of the necessary scopes needed for your OIDC request to your IdP.
Connection Settings
Here is where you provide all of your IdP-related endpoint locations. For more information on Descope's own endpoints as an OIDC provider, you can visit this docs page.
Prompt
The `Prompt` option allows you to specify the type of user interaction required at the IdP. For instance, `login` will force the user to enter their credentials regardless of current session status.
For more information on how Prompt works, and what you can do with this option, you can read about it under our Custom Provider page.
Attribute Mapping Best Practices
User Attribute Mapping maps the attributes supported by Descope to the attribute label you defined when setting up your application with your IdP. Configure as many of the supported attributes as you require. The Descope attribute `Email` is required.
Note
Descope also allows you to map attributes from your IdP to custom user attributes when configuring your attribute mapping.
| Provider user identifier | Descope user attribute |
|---|---|
| Login ID (Required) | |
| name | Display Name |
| picture | Picture |
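The following added example (not Descope code) shows what the Issuer and JWKs Endpoint settings from Connection Settings, and the attribute mapping above, are used for once an ID token comes back from the IdP: the signing key is selected from the JWKs document by `kid` with the algorithm pinned, the RS256 signature is verified, then `iss`, `aud`, `exp` and `nonce` are checked, and only after that are claims mapped onto user attributes. The RSA key pair, JWKs document, issuer, client ID and claims are constructed for the demo; RSA is implemented in pure Python only so that the file runs offline (a real integration would use a JOSE library), and the Descope-side attribute labels (`displayName`, etc.) are assumed.

```python
"""ID token verification against a JWKs document plus claim-to-attribute mapping.
Added example: the RSA key, JWKs, issuer, client_id and claims are constructed; RSA is
pure Python with a demo-sized key so this runs offline (use a JOSE library in practice)."""
import base64, hashlib, json, secrets, time

ATTRIBUTE_MAP = {"email": "email", "name": "displayName", "picture": "picture"}  # assumed labels
_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo, RFC 8017


def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _klen(n): return (n.bit_length() + 7) // 8  # modulus length in bytes


def _probable_prime(n, rounds=16):  # Miller-Rabin, enough for a demo key
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True


def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c): return c


def make_keypair(bits=1024):
    """(n, e, d); 1024 bits keeps the demo quick, real keys are 2048 bits or more."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def _emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes
    t = _DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def jwks_for(n, e, kid):
    """The document an IdP serves at its JWKs endpoint, for one RSA signing key."""
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": _b64u(n.to_bytes(_klen(n), "big")), "e": _b64u(e.to_bytes(3, "big"))}]}


def sign_id_token(claims, n, d, kid):
    """IdP side: RS256-sign base64url(header).base64url(payload)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = f"{_b64u(json.dumps(header).encode())}.{_b64u(json.dumps(claims).encode())}"
    m = int.from_bytes(_emsa(signing_input.encode(), _klen(n)), "big")
    return f"{signing_input}.{_b64u(pow(m, d, n).to_bytes(_klen(n), 'big'))}"


def verify_id_token(token, jwks, issuer, client_id, nonce, now=None):
    """Consumer side: signature first (key by kid, alg pinned), then the claims."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(_unb64u(h_b64))
    if header.get("alg") != "RS256": raise ValueError("unexpected alg")  # token must not pick the alg
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None: raise ValueError("no JWKs key for kid")
    n, e = (int.from_bytes(_unb64u(key[f]), "big") for f in ("n", "e"))
    sig = pow(int.from_bytes(_unb64u(s_b64), "big"), e, n).to_bytes(_klen(n), "big")
    if sig != _emsa(f"{h_b64}.{p_b64}".encode(), _klen(n)): raise ValueError("bad signature")
    claims = json.loads(_unb64u(p_b64))  # only decoded after the signature held
    aud = claims.get("aud")
    if claims.get("iss") != issuer: raise ValueError("issuer mismatch")  # the Issuer setting
    if client_id not in (aud if isinstance(aud, list) else [aud]): raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (now or int(time.time())): raise ValueError("token expired")
    if claims.get("nonce") != nonce: raise ValueError("nonce mismatch")
    return claims


def map_attributes(claims, mapping=ATTRIBUTE_MAP):
    """Claims -> Descope attributes; email is the required one."""
    user = {dst: claims[src] for src, dst in mapping.items() if src in claims}
    if "email" not in user: raise ValueError("email claim is required")
    return user


def demo(client_id="client-123", tamper=False):
    """IdP signs, consumer verifies and maps; returns the user or the rejection reason.
    tamper=True edits the email claim after signing to show the signature check bite."""
    n, e, d = make_keypair()
    now = int(time.time())
    claims = {"iss": "https://idp.example.com", "aud": "client-123", "sub": "user-1", "iat": now,
              "exp": now + 300, "nonce": "n-abc", "email": "alice@example.com",
              "name": "Alice Example", "picture": "https://idp.example.com/alice.png"}
    token = sign_id_token(claims, n, d, "demo-key-1")
    if tamper:
        h, _, s = token.split(".")
        token = f"{h}.{_b64u(json.dumps(dict(claims, email='mallory@example.com')).encode())}.{s}"
    try:
        return map_attributes(verify_id_token(token, jwks_for(n, e, "demo-key-1"),
                                              "https://idp.example.com", client_id, "n-abc"))
    except ValueError as err:
        return str(err)
```

`demo()` returns the mapped user; `demo(tamper=True)` returns `bad signature`, and `demo(client_id="other")` returns `audience mismatch`, which is what a wrong Client ID or Issuer in the settings above looks like from the consumer's side. The order matters: the payload is only parsed once the signature from the JWKs key has been checked, so a forged `email` claim never reaches the attribute mapping.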