Configuring B2B SSO
This area will cover how to configure SSO within your Descope tenants. It will also cover general prerequisites, Descope's SSO Setup Suite, and generic and detailed configuration guides.
This guide will cover the prerequisites, including tenant creation and the next steps for configuring SSO for your B2B tenant.
Prerequisites for SSO Configuration
Before implementing SSO within your B2B application using Descope, there are some prerequisites you will need to implement. These items are defined below:
Ensure that the SSO method is enabled via API and SDK
The SSO authentication method should be enabled for this to work. This should be enabled by default, unless previously changed.
Go to the SSO authentication method in your Descope project and verify that the toggle for Enable method in API and SDK is enabled.
Create a New Tenant
Creating a Tenant Manually within the Console
You can create a tenant manually in the Descope Console, under Tenants. In the console, is where you can also define tenant custom attributes, configure SSO connections, create authorization policies, and more.
Here is an example of a tenant created from the Descope Console.
Creating a Tenant with SDKs or APIs
If you wish to programmatically create a tenant with either our SDKs or APIs, you can visit the respective guides linked below, for more information on
Creating a Tenant with Flows
You can create a Tenant with Flows, using the Create Tenant action. Visit this guide
for more details on creating tenants via flows.
Configuring SSO with a Tenant
Once you have completed the prerequisites, you can configure SSO for your B2B tenant. There are generally three ways to do so.
SSO Setup Suite
When it comes to configuring SSO with your B2B customers, Descope understands that the configuration can be complex and iterative when manually working with customers to configure their IDP. To resolve these struggles, Descope has developed the SSO Setup Suite. The SSO Setup Suite enables your customers to be self-sufficient in configuring their IdP to work with your application.
Read more about the Descope SSO Setup Suite here.
SSO Configuration Flow
Note
The SSO configuration flow is only supported to be embedded within your application similar to Descope widgets.
The SSO Configuration flow is no longer being updated with new IdP guides, and we recommend using the SSO Setup Suite whenever possible.
Descope allows you to embed a widget-like version of the SSO Setup Suite within your application. The SSO config flow is embedded like other Descope flows and allows your tenants' administrators to configure their own SAML/OIDC external IdPs with Descope. This allows your B2B customers to configure their SSO without directly interacting with you as the application administrator.
Detailed documentation for the SSO configuration flow is located here.
Manual Configuration
You can manually work with your customer to pass the details of the SAML configuration back and forth and configure them manually within the tenant settings page for the applicable tenant.
Guides
Keycloak
Use this guide to enable SSO for Descope using OIDC and SAML with Keycloak as the IdP
Okta
Use this guide to enable SSO for Descope using OIDC and SAML with Okta as the IdP
Ping Identity (OIDC)
Use this guide to enable SSO for Descope using OIDC with Ping Identity as the IdP
Use this guide to enable SSO for Descope using OIDC and SAML with Google as the IdP
Migrating SSO Tenants to Descope
If you're switching from another authentication provider or a homegrown SSO solution, your customers' IT teams typically need to reconfigure their IdP settings to work with the new provider. This process can be time-consuming and disruptive, requiring customer coordination, configuration updates, and testing.
To simplify migration and reduce friction, Descope allows you to migrate existing SSO configurations without requiring customers to change their IdP settings. Follow our SSO migration guide for a seamless transition.