Enforcing SSO

When your application serves multiple tenants, some of which enforce SSO for their users and some of which do not, you can automatically direct each user to the correct authentication method by adding a condition on the ssoEnabled and tenant.SSOEnforced keys to your flow.

When the flow also offers authentication methods other than SSO, the condition must use both the ssoEnabled and tenant.SSOEnforced keys to route users correctly.

Understanding the Keys

  • ssoEnabled: This key indicates whether SSO is available for the user. It is determined by verifying whether there is a tenant with an SSO configuration matching the user's domain.

  • tenant.SSOEnforced: This key indicates whether SSO is mandatory for the user's tenant. When SSO is enforced, users must authenticate via SSO, ensuring compliance with organizational security policies.

Constructing the Condition

To correctly enforce SSO policies in a flow, construct a condition like the following:

  1. First, check if tenant.SSOEnforced is True. If SSO is enforced, you can automatically route users to the SSO action, bypassing other authentication methods.

  2. Else, if SSO is not enforced, check if ssoEnabled is True. If SSO is enabled for the user, route them to the SSO action.

  3. Else, in the case where SSO is neither enforced nor enabled, route the user to a non-SSO authentication action.
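The three-step condition above, modeled in Python as an added example (not code from this documentation or the product). The Tenant/User data model, the function names, and the sample data are assumptions made for illustration; only the key names ssoEnabled and tenant.SSOEnforced come from the page. It also compares the full condition with one that checks ssoEnabled alone, for a constructed user whose tenant enforces SSO but whose email domain is not in that tenant's SSO configuration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model: only the key names being modeled come from the page.
@dataclass(frozen=True)
class Tenant:
    sso_domains: frozenset = frozenset()  # domains in the tenant's SSO configuration
    sso_enforced: bool = False            # models tenant.SSOEnforced

@dataclass(frozen=True)
class User:
    email: str
    tenant: Optional[str] = None

# Constructed sample data.
TENANTS = {
    "acme": Tenant(frozenset({"acme.example"}), sso_enforced=True),
    "globex": Tenant(frozenset({"globex.example"})),
    "initech": Tenant(),
}
USERS = [
    User("alice@acme.example", "acme"),
    User("bob@Globex.Example", "globex"),
    User("carol@initech.example", "initech"),
    User("dave@contractor.example", "acme"),  # enforced tenant, unmatched domain
]

def sso_enabled(user):
    """Models ssoEnabled: some tenant's SSO configuration matches the user's domain."""
    domain = user.email.rsplit("@", 1)[-1].strip().lower()
    return any(domain in t.sso_domains for t in TENANTS.values())

def sso_enforced(user):
    """Models tenant.SSOEnforced for the user's own tenant."""
    tenant = TENANTS.get(user.tenant)
    return bool(tenant and tenant.sso_enforced)

def route(user):
    if sso_enforced(user):          # step 1
        return ("sso", "enforced")
    if sso_enabled(user):           # step 2
        return ("sso", "enabled")
    return ("non_sso", "neither")   # step 3

def route_enabled_only(user):
    """Weaker condition for comparison: ignores tenant.SSOEnforced."""
    return ("sso", "enabled") if sso_enabled(user) else ("non_sso", "neither")

def policy_violations(router):
    """Emails of users in SSO-enforced tenants that the router sends to non-SSO."""
    return [u.email for u in USERS if sso_enforced(u) and router(u)[0] != "sso"]
```

Running policy_violations against a candidate condition is a quick way to confirm that no user of an enforcing tenant can reach a non-SSO action.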

Figure: SSO routing condition

Figure: SSO routing flow
