Single Sign On (SSO) with Backend SDKs
This guide is meant for developers that are NOT using Descope on the frontend to design login screens and authentication methods.
If you'd like to use Descope Flows, Quick Start should be your starting point. If you'd like to use our Client SDKs, refer to our Client SDK docs.
Descope supports SSO as one of the authentication methods for your end-users. When using SSO, the SSO configuration can be different for each tenant. Descope supports OIDC and SAML identity providers, specific to each Tenant. Please refer to the article in the manage section for the configuration of SAML or OIDC for each tenant.
Backend SDK
Install SDK
Import and initialize SDK
Start SSO
To initiate the SSO process, call the SSO initiation function after the user clicks the login button. This function returns a pre-formatted URL that the client can use to redirect the user and begin the login flow with the SSO Identity Provider.
SSO Exchange Code
After successful authentication with your IdP the user is redirected to the redirect_url that you provide in the sso start
function above. Your application should extract the code from the redirect_url and perform token exchange as shown below.
Session Validation
The final step of completing the authentication with Descope is to validate the user session. Descope provides rich session management capabilities, including configurable session timeouts and logout functions. You can find the details and sample code for backend session validation here.
Checkpoint
Your application is now integrated with Descope. Please test with sign-up or sign-in use case.