SSO (Single Sign-on) with OIDC

We highly recommend having your customer/tenant set up SSO for their own organization using our SSO Setup Suite. The SSO Setup Suite walks your customers through the entire SSO Configuration process, with templates for all common IdPs, and allows them to test the connection, minimizing any back and forth or setup errors.

If your customer is unable to use the SSO Setup Suite for any reason, you can utilize the instructions below to configure SSO with your customer's OIDC Provider.

The below configuration can be done under Authentication Methods --> SSO when you select a tenant from the Tenant tab of the Descope Console.

Configuring SSO with OIDC

Before you start

To configure OIDC SSO, you'll need to gather some information from your IdP. The exact requirements depend on which OAuth 2.0 flow (Grant Type) you're using:

Authorization Code

You'll need:

  • Client ID and Client Secret
  • All OIDC endpoints (Authorization, Token, User Info, JWKs)
  • Optional: Issuer URL and Prompt type

Implicit Flow with Form Post

You'll need:

  • Client ID
  • Authorization and User Info endpoints
  • Optional: Issuer URL and Prompt type

Note

Some IdPs may require additional configuration:

  • The Issuer URL for validating tokens
  • A specific Prompt type for controlling the login experience
  • The JWKs endpoint for token verification

All Settings

Here's a comprehensive overview of all the OIDC settings you can configure:

Tenant Details

  • SSO Domains: Email domain(s) that will use this SSO configuration
  • JIT Provisioning: Controls whether user attributes and groups are updated from your IdP. Enable this by default unless you're using SCIM for user management

Account Settings

  • Provider Name: The name of your IdP (e.g., "Okta", "Azure AD")
  • Client ID: Your application's unique identifier from the IdP
  • Client Secret: A confidential key from your IdP (not needed for Implicit Flow)
  • Scopes: Permissions your app requests from the IdP (e.g., email, profile, groups)
  • Grant Type: The OAuth 2.0 flow to use:
    • Authorization Code
    • Implicit Flow with Form Post

Connection Settings

  • Issuer: Your IdP's unique identifier (required by some providers)
  • Authorization Endpoint: Where users are sent to log in
  • Token Endpoint: Where your app requests access and ID tokens
  • User Info Endpoint: Where your app gets user profile information
  • JWKs Endpoint: Where your app gets public keys for token verification

Prompt

  • Prompt: Controls the login experience at your IdP:
    • login: Force users to log in
    • consent: Force users to grant permissions
    • none: Use existing session if available

SSO Mapping

  • User Attribute Mapping: Map IdP attributes to Descope user attributes:
    • email → Email
    • name → Display Name
    • picture → Profile Picture
    • etc.

SCIM Provisioning

You're able to automatically generate a SCIM Bearer token to configure SCIM with your OIDC SSO IdP in this section.

The SCIM URL will automatically be populated in the SCIM URL field.


Advanced Settings

  • Manage tokens from provider: If enabled, Descope will manage the OAuth tokens from your IdP.
  • Callback Domain: The domain for SSO callback responses
  • Callback URL: The URL your IdP will call after authentication
  • Redirect URL: Where users go after successful login

Note

The Callback URL will automatically update if you change your custom domain in the Descope Console.

Account Settings

This section is where you will configure your Client ID, Client Secret (if applicable), and all of the necessary scopes needed for your OIDC request to your IdP.

Connection Settings

Here is where you will need to provide all of your IdP-related endpoint locations. For more information on Descope's own endpoints when it acts as an OIDC provider, you can visit this docs page.

Prompt

The Prompt option allows you to specify the type of user interaction required at the IdP. For instance, Login will force the user to enter their credentials regardless of current session status. For more information on how Prompt works, and what you can do with this option, you can read about it under our Custom Provider page.

Attribute Mapping Best Practices

User Attribute Mapping maps the attributes supported by Descope to the attribute label you defined when setting up your application with your IdP. Configure as many of the supported attributes as you require. The Descope attribute Email is required.

Note

Descope also allows you to map attributes from your IdP to custom user attributes when configuring your attribute mapping.

Provider user identifier → Descope user attribute

  • email → Login ID (Required)
  • name → Display Name
  • email → Email
  • picture → Picture
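As an added example (not from the Descope documentation or SDK), the script below ties together the "Before you start" checklist and the attribute table above: it takes an IdP discovery document and the chosen Grant Type, returns only the Connection Settings that grant type needs while rejecting endpoints that are not HTTPS or not on the issuer's host, and then applies this page's attribute mapping to a set of userinfo claims. The discovery document, the host idp.example.com and the claims are all constructed assumptions.

```python
import json
from urllib.parse import urlparse

# Endpoints each grant type needs, per the "Before you start" section.
REQUIRED_ENDPOINTS = {
    "authorization_code": ["authorization_endpoint", "token_endpoint",
                           "userinfo_endpoint", "jwks_uri"],
    "implicit_form_post": ["authorization_endpoint", "userinfo_endpoint"],
}

# Constructed sample of what an IdP serves at /.well-known/openid-configuration.
# The host idp.example.com is an assumption, not a real provider.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
})

def connection_settings(discovery_json: str, grant_type: str) -> dict:
    """Return the Connection Settings the chosen grant type needs; raise
    ValueError on a missing, non-https, or off-issuer-host endpoint."""
    doc = json.loads(discovery_json)
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.scheme != "https" or not issuer.netloc:
        raise ValueError("issuer must be an https URL")
    settings = {"issuer": issuer.geturl()}
    for key in REQUIRED_ENDPOINTS[grant_type]:
        url = doc.get(key)
        if not url:
            raise ValueError(f"{grant_type} needs {key}, missing from discovery")
        parsed = urlparse(url)
        # A plain-http or foreign-host endpoint is a typo or a tampered
        # document; refuse it before it is saved into the tenant config.
        if parsed.scheme != "https" or parsed.netloc != issuer.netloc:
            raise ValueError(f"{key} must be an https URL on {issuer.netloc}")
        settings[key] = url
    return settings

# The mapping from the attribute table in this page; Email/Login ID are required.
ATTRIBUTE_MAPPING = [("email", "Login ID"), ("name", "Display Name"),
                     ("email", "Email"), ("picture", "Picture")]

def map_user_attributes(claims: dict) -> dict:
    """Translate IdP userinfo claims into Descope user attributes."""
    if not claims.get("email"):
        raise ValueError("IdP returned no 'email' claim; Login ID cannot be set")
    return {descope: claims[idp] for idp, descope in ATTRIBUTE_MAPPING
            if idp in claims}
```

Unmapped claims such as sub are dropped, which is what you want before the data reaches JIT provisioning.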