Project-Level SSO Settings

These settings apply to all tenants using SSO in your project. You can configure them in the Descope Console under Authentication Methods --> SSO settings.

General Settings

Convert Existing Users to SSO-only

When enabled (the default), this setting converts users to SSO-only authentication: once a user successfully authenticates via SSO, they can only sign in using SSO from then on. Here's what happens in different scenarios:

What You Should Know

  1. When Tenant Exists Before User:

    • If a tenant is already set up with a domain association
    • And a user signs in with an email matching that domain
    • The user will be added to the tenant
    • If the tenant later enables SSO, and the user signs in via SSO
    • The user will be converted to SSO-only authentication
  2. When User Exists Before Tenant:

    • If a user already has an account before a tenant is created
    • And that tenant is later created with domain/SSO
    • The user won't be automatically associated with the tenant
    • If the user tries to sign in via SSO with the same email
    • A new SSO-only account will be created, resulting in duplicate accounts

Auto-Association Configuration

To handle the "User Created First" scenario, you can enable auto-association in your specific tenant settings:

  • Email Domain Auto-Association: Automatically associate existing users with matching email domains to newly created tenants
  • SSO Domain Auto-Association: When enabled, existing users will be:
    • Associated with the tenant if their email matches the SSO domain
    • Converted to SSO users when they first authenticate via SSO
    • Merged with their existing account instead of creating a duplicate

Note

Auto-association helps prevent duplicate accounts by merging existing users with their SSO identities when the email addresses match. This is particularly useful when users have existing accounts with personal emails that later become their SSO email addresses.
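The two scenarios above, and the effect of the SSO Domain Auto-Association switch, as an added model that is not Descope's code: the tenant and user records, the sign-in logic, the setting names and the sample addresses are assumptions made for illustration.

```python
# Added model (not Descope's code) of the behaviour described above. Tenant/user
# records and the sign-in logic are hypothetical stand-ins for the Console settings.
from dataclasses import dataclass, field

@dataclass
class Tenant:
    name: str
    domain: str
    sso_enabled: bool = False
    sso_domain_auto_association: bool = False

@dataclass
class User:
    email: str
    tenants: set = field(default_factory=set)
    sso_only: bool = False

class Project:
    def __init__(self, convert_to_sso_only=True):  # project-level setting
        self.convert, self.tenants, self.users = convert_to_sso_only, {}, []

    def sign_in(self, email, via_sso=False):
        domain = email.split("@")[1]
        tenant = next((t for t in self.tenants.values() if t.domain == domain), None)
        same_email = [u for u in self.users if u.email == email]
        if not via_sso:  # password, OTP, etc.: one account per email
            if same_email and same_email[0].sso_only:
                raise PermissionError("this user may only sign in via SSO")
            if not same_email:  # new user joins the tenant that owns their domain
                self.users.append(User(email, {tenant.name} if tenant else set()))
            return same_email[0] if same_email else self.users[-1]
        if not (tenant and tenant.sso_enabled):
            raise PermissionError("no SSO-enabled tenant for this email domain")
        user = next((u for u in same_email if tenant.name in u.tenants), None)
        if user is None and same_email and tenant.sso_domain_auto_association:
            user = same_email[0]  # merge into the pre-existing account
            user.tenants.add(tenant.name)
        if user is None:  # no member of the tenant matches: new SSO-only account
            user = User(email, {tenant.name}, sso_only=True)
            self.users.append(user)
        elif self.convert:  # "Convert Existing Users to SSO-only"
            user.sso_only = True
        return user

def user_first(auto_associate):  # scenario 2 with constructed sample data
    p = Project()
    p.sign_in("bob@acme.example")  # account exists before the tenant
    p.tenants["acme"] = Tenant("acme", "acme.example", True, auto_associate)
    p.sign_in("bob@acme.example", via_sso=True)
    return len([u for u in p.users if u.email == "bob@acme.example"])  # 2 or 1
```

`user_first(False)` reproduces the duplicate-account outcome of scenario 2, while `user_first(True)` shows the merge that auto-association performs; scenario 1 can be walked through with the same `Project` by creating the tenant before the first sign-in.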

Post Authentication Redirect URL

  • Default Redirect URL: The URL where users are redirected after successful SSO authentication. This can be:
    • A static URL (e.g., https://myapp.com/dashboard)
    • A dynamic URL using tenant information:
      • {{tenant.domain}} - The tenant's domain
      • {{tenant.name}} - The tenant's name
      • {{tenant.selfProvisionDomain}} - The email domain that allows tenant self provisioning

Example of a dynamic redirect URL in action: [screenshot: SSO dynamic redirect URL example]

This can be overridden by:

  • Tenant-specific redirect URLs
  • URLs specified in the SDK or API calls

User Attributes

  • Mandatory User Attributes: Define which Descope user attributes must be populated when receiving SSO information. This ensures that your SSO configuration provides all necessary user data.

Fine-Grained Authorization (FGA)

  • Mappable FGA Types: Select which FGA schema types are available for tenant admins to use when mapping SSO groups. This controls which types of access control can be managed through SSO group mappings.

Note

These general settings provide a foundation for SSO across your project. Individual tenants can have additional configurations detailed further down in this guide.

SSO Setup Suite Settings

The SSO Setup Suite allows your customers to self-configure their SSO integration. These settings control how the suite works across all tenants.

Access Control

Configure who can access and use the SSO Setup Suite:

  • FGA Permission: Required FGA permissions to access the suite

Styling

You can apply a custom style to the SSO Setup Suite to match its appearance to your brand.

Invitation Configuration

Control how users are invited to set up SSO:

  • Connector: Which email connector to use for sending the invitation email
  • Email Template: Customize the invitation email content and design
  • Expiration: Set how long the SSO Setup Suite invitation remains valid