SSO (Single Sign-On)
Descope supports both SAML 2.0 and OAuth 2.0 specifications for Single Sign-On (SSO), allowing you to integrate with any identity provider (IdP) that implements either standard. To get started with SSO you must:
- Configure Project-Level SSO Settings in the Authentication Methods --> SSO tab of the Descope console
- Configure SSO for each tenant individually
Note
SSO is only implemented for tenants and not at a project level. You must create and configure SSO for at least one tenant in the project to successfully implement SSO in your flow.
SSO Acronyms
Here are the key terms you'll encounter when setting up SSO:
- Identity Provider (IdP): Your SSO provider (like Okta, Azure AD, or Google Workspace) that handles user authentication
- Service Provider (SP): Your application that users want to access. With Descope, you don't need to implement the complex SP side of SSO - we handle that for you.
You are the SP providing your customers SSO access to your website, application, or service. Descope will act on your behalf as the SP, so you don't have to wade through the complexities of implementing SSO.
Tenant Identification Methods
Since SSO configuration is managed at the tenant level, you need to define how users are linked to their specific tenant before they can authenticate with the appropriate IdP.
You have multiple options for identifying which tenant a user belongs to:
Note
It's also worth noting that a tenant can have multiple SSO providers associated with it, allowing login with different SSO providers for different user groups within the same tenant. Read more about this in the multiple SSO providers use case guide.
Option 1: SSO Domains
You can configure SSO domains for a tenant within the SSO Setup Suite, or manually under Authentication Methods --> SSO when you select a tenant from the Tenant tab of the Descope Console.
With either method, you can create an allowed list of email domains associated with this tenant. When configured, end users from the listed email domains can sign in with this tenant's associated SAML/OIDC identity provider (IdP).
| Tenant Name | SSO Domain | User's Accessibility |
|---|---|---|
| SSO Tenant 1 | company-a.com | All end users signing in from the @company-a.com email domain will be authenticated using SSO Tenant 1's SSO Provider |
| SSO Tenant 2 | company-x.com, company-y.com | All end users signing in from the @company-x.com or @company-y.com email domains will be authenticated using SSO Tenant 2's SSO Provider |
Option 2: Tenant Slug or ID
For more information on flow input parameters, visit our Auth Helpers docs page.
If you have users from multiple domains in a single tenant, or if you cannot use domain association with your SSO provider, you can use the tenant slug or ID instead. This can be passed through the flow component, allowing you to route users to the correct tenant regardless of their email domain.
When using tenant slugs or IDs, you don't need to configure SSO domains. This is particularly useful when:
- Multiple domains exist within a single tenant
- Your SSO provider doesn't support domain-based routing
- You want more flexibility in how users are assigned to tenants
Configuring SSO for a Tenant
SSO is configured per tenant, and can be configured with either a SAML or OIDC IdP.
We highly recommend having your customer/tenant set up SSO for their own organization using our SSO Setup Suite. The SSO Setup Suite walks your customers through the entire SSO Configuration process, with templates for all common IdPs, and allows them to test the connection, minimizing any back and forth or setup errors.
Alternatively, if you or your customer is unable to use the SSO Setup Suite, you can manually configure SSO for their tenant by following either the SSO with SAML or SSO with OIDC guides, depending on the type of IdP they would like to use.
If you're switching to Descope from another authentication provider or a homegrown SSO solution, Descope allows you to migrate existing SSO configurations without requiring customers to reconfigure their IdP settings. Follow our SSO migration guide to enable a seamless transition.