SSO Configuration Flow

Descope allows you to embed a widget-like version of the SSO Setup Suite within your application. The SSO config flow is embedded like other Descope flows and allows your tenants' administrators to configure their own SAML/OIDC external IdPs with Descope. This allows your B2B customers to configure their SSO without directly interacting with you as the application administrator.

Note

The SSO configuration flow is only supported when embedded within your application, in the same way as Descope widgets.

The SSO Configuration flow is no longer being updated with new IdP guides, and we recommend using the SSO Setup Suite whenever possible.

SSO Configuration Flow Example

The video below will walk you through the experience of configuring an IdP using the Self-Service Configuration feature.

Identity Providers (IdPs) Supported

Descope supports any SAML/OIDC providers. However, we have dedicated guides specific to a subset of IdPs available out of the box with the config panel.

Built-in Setup Guides

  • Descope
  • Okta
  • Auth0
  • CyberArk
  • PingFederate
  • PingOne
  • DUO
  • JumpCloud
  • Salesforce
  • OneLogin
  • Entra ID (Azure AD)
  • Google Workspace
  • miniOrange
  • Classlink
  • LastPass

Custom SAML/OIDC Wizard

If you are using another SAML/OIDC provider that is not mentioned in the list above, we also have a custom setup wizard for any other IdPs that follow the SAML/OIDC standards.

This includes attribute/group mapping as well as SAML/OIDC testing capabilities.

Features

The SSO self-service configuration feature can do the following actions:

  • Configure SAML/OIDC external IdPs
  • Map user and group attributes from the IdP to Descope
  • Configure SSO Domains for tenants
  • SCIM Provisioning
  • Test SAML/OIDC SSO provider login on demand

An example of the Descope SSO configuration flow after completed

Embedding the SSO Config Flow

As with Descope widgets and post-auth flows, you can embed the SSO configuration widget within your application. Users must be authenticated and hold the SSO Admin permission to interact with the SSO config flow.

Below is an example of embedding the flow using our React SDK; it also shows how to check that the user has the SSO Admin permission for the tenant before displaying the flow. Note that this client-side check only controls what is rendered; the permission is enforced by Descope when the flow runs.

import { Descope, useSession, useUser, getJwtPermissions, getSessionToken } from '@descope/react-sdk';
import { useNavigate } from "react-router-dom";

// The tenant whose SSO settings this page manages. Permissions are read
// for this tenant only, since roles and permissions are scoped per tenant.
const TENANT_ID = 'T2TkjYGrVh6ngFjInykigfBzYQIx';

const SsoSetup = () => {
  const { isAuthenticated, isSessionLoading } = useSession();
  const { isUserLoading } = useUser();
  const navigate = useNavigate();

  // Read the tenant-scoped permissions from the session JWT. With no session
  // token there is nothing to decode, so treat that as "no permissions".
  const sessionToken = getSessionToken();
  const permissions = sessionToken ? getJwtPermissions(sessionToken, TENANT_ID) : [];
  const isSSOAdmin = permissions.indexOf("SSO Admin") > -1;

  // Wait for the session to load before deciding anything; while loading,
  // isAuthenticated is still false and would trigger a spurious redirect.
  if (isSessionLoading || isUserLoading) {
    return <p>Loading...</p>;
  }

  if (!isAuthenticated) {
    console.log("Redirect to login page");
    // Handle redirect to login page here
    return null;
  }

  if (!isSSOAdmin) {
    console.log("Redirect to another authenticated page");
    navigate("/");
    return null;
  }

  return (
    <div className="data-table-wrapper">
      <div style={{ margin: 'auto', maxWidth: '450px', borderRadius: "10px", overflow: "hidden", width: "100%" }}>
        <Descope
          flowId="sso-config"
          onSuccess={(e) => {
            navigate("/");
            console.log('success => ', e);
          }}
          onError={(e) => console.log("Error:", e)}
        />
      </div>
    </div>
  );
};

export default SsoSetup;

User SSO Admin Permission

If you embed the self-service SSO configuration widget, the user who is meant to use it must have the SSO Admin permission.

Create or modify a user to associate them with the Tenant Admin role, or another role that includes the SSO Admin permission. This can be done within the Descope Console, or with the management SDK or API.

Here is an example of a user associated with the Tenant Admin role, which has the SSO Admin permission within the Descope console:

Descope self service provisioning guide create a user 1

Descope self service provisioning guide create a user 2
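The React snippet above only decides whether to render the widget. The same tenant-scoped check can also be applied on your own backend before serving the page, as in this added example (not Descope's own code). It assumes the verified session JWT's claims carry `tenants.<tenantId>.permissions`, that claims have already been signature-checked by the Descope SDK, and uses hypothetical `getClaims`/`getTenantId` accessors:

```javascript
// Added example, not Descope's own code. Gate a server route that serves the
// SSO config page on the tenant-scoped "SSO Admin" permission.
// Assumption: the verified Descope session JWT carries
//   tenants: { "<tenantId>": { roles: [...], permissions: [...] } }
// Project-level grants (a top-level "permissions" claim) are deliberately not
// consulted, because the widget acts on exactly one tenant.
const SSO_ADMIN_PERMISSION = "SSO Admin";

// Permissions granted to the user within one tenant; empty when the user is
// not a member of that tenant or the claim is malformed.
function tenantPermissions(claims, tenantId) {
  const tenant = claims && claims.tenants ? claims.tenants[tenantId] : undefined;
  return tenant && Array.isArray(tenant.permissions) ? tenant.permissions : [];
}

function isSsoAdmin(claims, tenantId) {
  return tenantPermissions(claims, tenantId).includes(SSO_ADMIN_PERMISSION);
}

// Express-style middleware factory. `getClaims` must return claims that have
// already been signature-checked (e.g. the result of the Descope Node SDK's
// validateSession); `getTenantId` reads the tenant being configured from the
// request. Both accessors are hypothetical and supplied by the caller.
function requireSsoAdmin(getClaims, getTenantId) {
  return function (req, res, next) {
    const claims = getClaims(req);
    if (!claims) {
      res.statusCode = 401; // no valid session at all
      return res.end();
    }
    if (!isSsoAdmin(claims, getTenantId(req))) {
      res.statusCode = 403; // signed in, but not an SSO admin of this tenant
      return res.end();
    }
    return next();
  };
}

// Constructed sample claims (not real tokens): a Tenant Admin of tenant T1
// and a plain member of the same tenant.
const ADMIN_CLAIMS = {
  sub: "U2admin",
  tenants: { T1: { roles: ["Tenant Admin"], permissions: ["SSO Admin"] } },
};
const MEMBER_CLAIMS = {
  sub: "U2member",
  tenants: { T1: { roles: ["Member"], permissions: [] } },
};
```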

Using the SSO Configuration Widget

This section demonstrates how the user will step through the SSO Self-Service configuration portal.

Selecting your Identity Provider (IdP) or Protocol

You can select a provider with detailed instructions in a specific setup guide or configure generic SAML/OIDC directly. Once you choose the IdP, the flow will walk the user through the entire end-to-end application configuration within the IdP and prompt the user for the configurations needed for the Descope tenant.

Selecting the IdP provider within the Descope SSO Config flow

User / Group Attribute Mapping

Next, you must ensure that all the proper user and group attributes are mapped accordingly in Descope. User attributes are mapped based on the claim name configured and sent from the external IdP.

Group mappings from the IdP can be mapped to roles in Descope. If you wish to create more roles under a specific tenant to map to, you'll need to do that from within the console before having the tenant admins run through this configuration widget.

If you wish to learn more about group mapping, see our docs page on the topic.

User and group mapping within the Descope sso config flow

Configuring SSO Domains

The final step is to configure the tenant's SSO company domain. During the SSO flow action, this domain is used to route users to the correct tenant automatically, based on the domain of their email address.

Descope config flow SSO domain configuration

Testing SSO Connection

Once you've completed the SSO configuration setup process, you'll be taken to a screen that allows you to change various configurations in the future. If you wish to test the SSO connection you configured, click the Test button. This will redirect you to the proper IdP and allow you to sign in. When you return, you'll see the SAML assertion, along with any errors related to the user/group attribute mapping.

If there was some error in the initial setup process (not the user/group mapping), you'll see the error screen when you select Test instead of a redirect.

Below is an example of the response within the test page.

An example of testing SSO configuration within the SSO config flow

SCIM Provisioning

You can also configure SCIM provisioning from within the flow while setting up SSO. On the SCIM provisioning screen, click Generate SCIM Token to create the tenant's SCIM access key.

Example of configuring SCIM within the Descope sso config flow 1.

Once the access key is created, copy it and the SCIM provisioning URL shown in the flow into the SCIM configuration within your IdP. Treat the key as a secret: it authorizes user provisioning for that tenant.

Example of configuring SCIM within the Descope sso config flow 2.

For more information on SCIM provisioning, visit our SCIM Management Guide.
