Authorization with SSO Providers
This guide will walk you through the key differences and options available for managing authorization in your applications, when using SSO with an external OIDC or SAML IdP.
All Tenants that are created in Descope can have their own Roles and Permissions defined.
SAML
SAML is a widely used standard for SSO, particularly in enterprise environments. It allows users to authenticate through a central identity provider (IdP) and then access various services without needing to log in again. When using SAML with Descope, you can leverage the following features for authorization:
- Group-based authorization (RBAC and FGA):
- SAML lets you define groups in the IdP; membership is sent in the assertion.
- Map those groups to Descope roles (RBAC) and/or FGA / ReBAC relations. The two maps are independent.
- On login, Descope applies the mapped roles and writes the mapped FGA tuples for the user.

- Role mapping:
- Create roles in Descope that match your IdP groups so enterprise access control stays centralized in the IdP.
Example: Group Mapping Configuration
| Azure AD Group | Descope Role |
|---|---|
| Engineering | Developer Team |
| HR | HR Team |
| Sales | Sales Team |
A user in Engineering gets the Developer Team role after SAML SSO. The same group can also map to FGA relations if you configure them.
How-to (RBAC + FGA, API names, defaults): SSO user and group mapping. Console field detail: SAML → Group mapping.
OIDC (OpenID Connect)
OIDC builds on OAuth 2.0 and does not standardize a groups claim. Descope still supports group → role and group → FGA maps on OIDC tenant SSO settings — you map whatever claim your IdP puts in the token (often a custom groups claim). How to wire that up: OIDC → Group claims.
Other OIDC authorization options:
-
Attribute Mapping:
- OIDC providers can include roles, permissions, or group memberships as claims in the
id_token. - In Descope, map those claims to user fields or custom attributes.
- Your app can then enforce access from those attributes.
- OIDC providers can include roles, permissions, or group memberships as claims in the
-
Custom Claims and JWT Templates:
- If you would like to include any attributes mapped from the IdP, you can include custom attributes as custom claims in the JWT, alongside any mapped roles or permissions.
- This approach is flexible and allows you to tailor the authorization model to fit your application’s needs.
Summary
- SAML and OIDC: Map IdP groups to Descope roles (RBAC) and/or FGA relations — see SSO user and group mapping.
- OIDC extras: Attribute mapping and JWT templates when you need custom claims beyond groups.