> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# SSO Authenticate
> Authenticate using Single Sign-On with the Stytch Next.js SDK
export const getBySlug_0 = undefined;
export const mfa = "Multi-Factor Authentication: a security process requiring users to provide two or more verification factors prior to accessing their account.";
export const organization = "Represents an instance or tenant in your application, typically mapping to each of your top-level customers.";
export const ist = "A session token designed to preserve state when the user has completed an initial authentication step, but has not fully authenticated into an Organization.";
export const member = "Represents an individual end user's account within a given Organization, uniquely identified within that Organization by their email address.";
export const isReactNative_0 = undefined
`sso.authenticate` wraps the [SSO Authenticate](/api-reference/b2b/api/sso/shared/complete-sso-authenticate) API endpoint which validates the SSO token passed in.
If there is a current Member Session, the SDK will call the endpoint with the session token. This will add the new factor to the existing Member Session.
If there is an Intermediate Session token, the SDK will call the endpoint with it. If the resulting set of factors satisfies the Organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a Member Session. If not, the same intermediate session token will be returned.
If this method succeeds and the Member is not required to complete MFA, the Member will be logged in, granted an active session, and {isReactNative_0 ? "the session data will be persisted on the device" : the session cookies will be minted and stored in the browser}.
If this method succeeds and MFA is required, the intermediate session token will be {isReactNative_0 ? "persisted on the device" : "stored in the browser as a cookie"}.
### Parameters
The token to authenticate.
Set the session lifetime to be this many minutes from now. This will return both an opaque `session_token` and `session_jwt` for this session, which will automatically be stored in the browser cookies. The `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will be automatically refreshed by the SDK in the background over time.
This value must be a minimum of 5 and may not exceed the maximum session duration minutes value set in the [Frontend SDK page](https://stytch.com/dashboard/sdk-configuration) of the Stytch Dashboard.
A successful authentication will continue to extend the session this many minutes.
If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
The parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. "en".
Supported languages are English ("en"), Spanish ("es"), and Brazilian Portuguese ("pt-br"); if no value is provided, the copy defaults to English.
### Response
The unique ID of the Member.
The new Stytch Session.
Globally unique UUID that identifies the Session.
Globally unique UUID that identifies a specific Member.
An array of authentication factors that comprise a Session.
The type of authentication factor. The possible values are: `email_otp`, `impersonated`, `imported`, `magic_link`, `oauth`, `otp`, `password`, `recovery_codes`, `sso`, `trusted_auth_token`, or `totp`.
The method that was used to deliver the authentication factor. The possible values depend on the type:
* `email_otp`: Only `email`.
* `impersonated`: Only `impersonation`.
* `imported`: Only `imported_auth0`.
* `magic_link`: Only `email`.
* `oauth`: `oauth_google`, `oauth_microsoft`, `oauth_hubspot`, `oauth_slack`, or `oauth_github`.
You may see an 'exchange' delivery method when a non-email-verifying OAuth factor originally authenticated in one organization is exchanged for a factor in another organization. This can happen during authentication flows such as [session exchange](/api-reference/b2b/api/sessions/exchange-session). The non-email-verifying OAuth providers are Hubspot, Slack, and Github. Google is also considered non-email-verifying when the HD claim is empty. The possible exchange values are `oauth_exchange_google`, `oauth_exchange_hubspot`, `oauth_exchange_slack`, or `oauth_exchange_github`. The final possible value is `oauth_access_token_exchange`, if this factor came from an [access token exchange flow](/api-reference/b2b/api/sessions/exchange-access-token).
* `otp`: Only `sms`.
* `password`: Only `knowledge`.
* `recovery_codes`: Only `recovery_code`.
* `sso`: `sso_saml` or `sso_oidc`.
* `trusted_auth_token`: Only `trusted_token_exchange`.
* `totp`: Only `authenticator_app`.
The timestamp when the factor was initially authenticated.
The timestamp when the factor was last authenticated.
The timestamp when the factor was last updated.
Either `PRIMARY` or `SECONDARY`. Secondary factor types include `otp`, `totp`, and `recovery_codes`. All other factors are primary.
Information about the email factor, if one is present.
The email address of the Member.
The globally unique UUID of the Member's email.
Information about the phone number factor, if one is present.
The phone number.
The globally unique UUID of the phone number.
Information about the Google OAuth factor, if one is present.
The unique ID of the OAuth registration.
The globally unique UUID of the Member's email.
The unique identifier for the User within the OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
Information about the Microsoft OAuth factor, if one is present.
The unique ID of the OAuth registration.
The globally unique UUID of the Member's email.
The unique identifier for the User within the OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
Information about the Hubspot OAuth factor, if one is present.
The unique ID of the OAuth registration.
The globally unique UUID of the Member's email.
The unique identifier for the User within the OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
Information about the Github OAuth factor, if one is present.
The unique ID of the OAuth registration.
The globally unique UUID of the Member's email.
The unique identifier for the User within the OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
Information about the Slack OAuth factor, if one is present.
The unique ID of the OAuth registration.
The globally unique UUID of the Member's email.
The unique identifier for the User within the OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
Information about the Google OAuth Exchange factor, if one is present.
The globally unique UUID of the email address.
Information about the Hubspot OAuth Exchange factor, if one is present.
The globally unique UUID of the email address.
Information about the Github OAuth Exchange factor, if one is present.
The globally unique UUID of the email address.
Information about the Slack OAuth Exchange factor, if one is present.
The globally unique UUID of the email address.
Information about the SAML SSO factor, if one is present.
The unique ID of an SSO Registration.
Globally unique UUID that identifies a specific SAML Connection.
The ID of the member given by the identity provider.
Information about the OIDC SSO factor, if one is present.
The unique ID of an SSO Registration.
Globally unique UUID that identifies a specific OIDC Connection.
The ID of the member given by the identity provider.
Information about the TOTP-backed Authenticator App factor, if one is present.
Globally unique UUID that identifies the TOTP instance.
Information about the impersonated factor, if one is present.
For impersonated sessions initiated via the Stytch Dashboard, the impersonator's Stytch Dashboard `member_id`.
The email address of the impersonator.
Information about the trusted auth token factor, if one is present.
The ID of the trusted auth token.
Information about the access token exchange factor, if one is present.
The ID of the Connected App client.
The globally unique UUID that identifies the Organization associated with the Session.
The unique URL slug of the Organization associated with the Session.
A list of the roles associated with the Session.
Members may inherit certain roles depending on the factors in their Session.
For example, some roles may only be active if the member logged in from a specific SAML IDP.
The timestamp when the Session was created. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
The timestamp when the Session was last accessed. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
The timestamp when the Session expires. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
The custom claims map for a Session. Claims can be added to a Session during a Sessions authenticate call.
The Member object of the signed-in Member.
Globally unique UUID that identifies a specific Organization.
Globally unique UUID that identifies a specific Member.
The ID of the Member given by the identity provider.
The email address of the Member.
Whether or not the Member's email address is verified.
The status of the Member. The possible values are: `pending`, `invited`, `active`, or `deleted`.
The name of the Member.
An array of registered SAML Connection or OIDC Connection objects the Member has authenticated with.
Globally unique UUID that identifies a specific SSO `connection_id` for a Member.
The unique ID of an SSO Registration.
The ID of the Member given by the identity provider.
An object for storing SSO attributes brought over from the identity provider.
Sets whether the Member is enrolled in MFA.
The id of the SCIM Connection.
The unique ID of a SCIM Registration.
The ID of the Member given by the identity provider.
An object for storing SCIM attributes brought over from the identity provider.
Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings.
A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](/api-reference/b2b/api/organizations/organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details.
Globally unique UUID that identifies a Member's password.
A list of OAuth registrations for this Member.
Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc.
The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
If available, the `profile_picture_url` is a URL of the User's profile picture set in the OAuth identity provider that the User has authenticated with, e.g. Google profile picture.
If available, the locale is the Member's locale set in the OAuth identity provider that the user has authenticated with.
The unique ID of an OAuth registration.
Sets whether the Member is enrolled in MFA.
If true, the Member must complete an MFA step whenever they wish to log in to their Organization.
If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`.
The Member's phone number. A Member may only have one phone number.
The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).
Whether or not the Member's phone number is verified.
A list of retired email addresses for this Member. A previously active email address can be marked as retired in one of two ways:
* It's replaced with a new primary email address during an explicit Member update.
* A new email address is surfaced by an OAuth, SAML or OIDC provider. In this case the new email address becomes the Member's primary email address and the old primary email address is retired. A retired email address cannot be used by other Members in the same Organization. However, unlinking retired email addresses allows them to be subsequently re-used by other Organization Members. Retired email addresses can be unlinked using the [Unlink Retired Email endpoint](/api-reference/b2b/api/members/unlink-retired-email).
The globally unique UUID of a Member's email.
The email address of the Member.
An arbitrary JSON object for storing application-specific data or identity-provider-specific data.
An arbitrary JSON object of application-specific data. These fields can be edited directly by the frontend SDK, and should not be used to store critical information. See the [Metadata resource](/api-reference/b2b/api/resources/object-update-behavior) for complete field behavior details.
Explicit or implicit Roles assigned to this Member, along with details about the role assignment source. See the RBAC guide for more information about role assignment.
The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.
Reserved `role_ids` that are predefined by Stytch include:
* `stytch_member`
* `stytch_admin`
Check out the [guide on Stytch default Roles](/multi-tenant-auth/enterprise-ready/rbac/create-rbac-policy#default-roles-and-resources) for a more detailed explanation.
A list of sources for this role assignment. A role assignment can come from multiple sources - for example, the Role could be both explicitly assigned and implicitly granted from the Member's email domain.
The type of role assignment. The possible values are:
* `direct_assignment` – an explicitly assigned Role. Directly assigned roles can be updated by passing in the roles argument to the Update Member endpoint.
* `email_assignment` – an implicit Role granted by the Member's email domain, regardless of their login method. Email implicit role assignments can be updated by passing in the `rbac_email_implicit_role_assignments` argument to the Update Organization endpoint.
* `sso_connection` – an implicit Role granted by the Member's SSO connection. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the Role if their session contains an authentication factor with the specified SAML connection. SAML connection implicit role assignments can be updated by passing in the `saml_connection_implicit_role_assignments` argument to the Update SAML connection endpoint.
* `sso_connection_group` – an implicit Role granted by the Member's SSO connection and group. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the role if their session contains an authentication factor with the specified SAML connection.
* `scim_connection_group` – an implicit Role granted by the Member's SCIM connection and group. If the Member has a SCIM Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. SCIM group implicit role assignments can be updated by passing in the `scim_group_implicit_role_assignments` argument to the Update SCIM connection endpoint.
An object containing additional metadata about the source assignment. The fields will vary depending on the role assignment type as follows:
* `direct_assignment` – no additional details.
* `email_assignment` – will contain the email domain that granted the assignment.
* `sso_connection` – will contain the `connection_id` of the SAML connection that granted the assignment.
* `sso_connection_group` – will contain the `connection_id` of the SAML connection and the name of the group that granted the assignment.
* `scim_connection_group` – will contain the `connection_id` of the SAML connection and the `group_id` that granted the assignment.
Whether or not the Member has the `stytch_admin` Role. This Role is automatically granted to Members who create an Organization through the discovery flow. See the [RBAC guide](/multi-tenant-auth/enterprise-ready/rbac/create-rbac-policy) for more details on this Role.
The date and time the Member was created.
The date and time the Member was last updated.
The Organization object of the Organization the Member has signed into.
Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the `organization_slug` or `organization_external_id` here as a convenience.
The name of the Organization. Must be between 1 and 128 characters in length.
The image URL of the Organization logo.
The unique URL slug of the Organization.
The slug only accepts alphanumeric characters and the following reserved characters: `- . _ ~`. Must be between 2 and 128 characters in length.
Wherever an `organization_id` is expected in a path or request parameter, you may also use the `organization_slug` as a convenience.
{!getBySlug_0 && (
A unique identifier for the Organization.
)}
{!getBySlug_0 && (
The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are:
ALL_ALLOWED – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's sso_active_connectionsRESTRICTED – only new Members with SSO logins that comply with sso_jit_provisioning_allowed_connections can be provisioned upon authenticationNOT_ALLOWED – disable JIT provisioning via SSO
)}
{!getBySlug_0 && (
An array of connection_ids that reference SAML Connection objects. Only these
connections will be allowed to JIT provision Members via SSO when sso_jit_provisioning is set to RESTRICTED.
)}
An array of active [SAML Connection references](/api-reference/b2b/api/sso/saml-connection-object) or [OIDC Connection references](/api-reference/b2b/api/sso/oidc-connection-object).
Globally unique UUID that identifies a specific SSO `connection_id` for a Member.
A human-readable display name for the connection.
{!getBySlug_0 && (
An active SCIM Connection references.
The ID of the SCIM connection.
A human-readable display name for the connection.
)}
An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either `email_invites` or `email_jit_provisioning` is set to `RESTRICTED`
Common domains such as gmail.com are not allowed. See the [full list of disallowed common email domains](/multi-tenant-auth/enterprise-ready/org-management/jit-provision-members#by-email-domain).
The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are:
* `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth
* `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth
{!getBySlug_0 && (
The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are:
ALL_ALLOWED – any new Member can be invited to join via emailRESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be invited via emailNOT_ALLOWED – disable email invites
)}
The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are:
* `ALL_ALLOWED` – the default setting which allows all authentication methods to be used
* `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to true
An array of allowed authentication methods. This list is enforced when `auth_methods` is set to `RESTRICTED`. The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`.
{!getBySlug_0 && (
The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are:
ALL_ALLOWED – the default setting which allows all authentication methods to be usedRESTRICTED – only methods that comply with allowed_mfa_methods can be used for authentication. This setting does not apply to Members with is_breakglass set to true
)}
{!getBySlug_0 && (
An array of allowed MFA authentication methods. This list is enforced when mfa_methods is set to RESTRICTED. The
list's accepted values are: sms_otp and totp.
)}
{!getBySlug_0 && (
An arbitrary JSON object for storing application-specific data or identity-provider-specific data.
)}
The default connection used for SSO when there are multiple active connections.
{!getBySlug_0 && (
Implicit role assignments based off of email domains. For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the associated Role, regardless of their login method. See the RBAC guide for more information about role assignment.
Email domain that grants the specified Role.
The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.
Reserved role_ids that are predefined by Stytch include:
stytch_memberstytch_admin
Check out the guide on Stytch default Roles for a more detailed explanation.
)}
The authentication setting that controls how a new Member can JIT provision into an Organization by tenant. The accepted values are:
* `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant
* `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant
A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github".
{!getBySlug_0 && (
The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are:
ALL_ALLOWED – the default setting, any first party Connected App in the Project is permitted for use by MembersRESTRICTED – only first party Connected Apps with IDs in allowed_first_party_connected_apps can be used by MembersNOT_ALLOWED – no first party Connected Apps are permitted
)}
{!getBySlug_0 && (
An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's first_party_connected_apps_allowed_type is RESTRICTED.
)}
{!getBySlug_0 && (
The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are:
ALL_ALLOWED – the default setting, any third party Connected App in the Project is permitted for use by MembersRESTRICTED – only third party Connected Apps with IDs in allowed_third_party_connected_apps can be used by MembersNOT_ALLOWED – no third party Connected Apps are permitted
)}
{!getBySlug_0 && (
An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's third_party_connected_apps_allowed_type is RESTRICTED.
)}
{!getBySlug_0 && (
The timestamp of the Organization's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
)}
{!getBySlug_0 && (
The timestamp of when the Organization was last updated. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
)}
The JWT for the new Stytch Session.
If the project is configured to use HttpOnly cookies, this field will always be an empty string.
The secret token for the new Stytch Session.
If the project is configured to use HttpOnly cookies, this field will always be an empty string.
If [Protected Auth](/fraud-risk/device-fingerprinting/protected-auth) is enabled and returned fingerprinting results, this field will contain information about the member's device attributes.
The IP address of the device.
The details of the IP address.
The city of the IP address.
The region of the IP address.
The country of the IP address.
The details of the country.
Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization.
The `intermediate_session_token` that should be passed into a secondary authentication endpoint, such as OTP authenticate, in order to receive a member session. The `intermediate_session_token` can also be used with discovery endpoints to join a different organization or create a new organization.
If the member is fully authenticated, this field will be an empty string.
If the project is configured to use HttpOnly cookies, this field will always be an empty string.
The types of primary authentication required.
The allowed authentication methods. The possible values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`.
The types of secondary authentication required to join the Organization.
Whether the Member has SMS OTP enrolled.
Equal to `sms_otp` if an OTP code was sent to the member's phone number, else `null`.
If [Protected Auth](/fraud-risk/device-fingerprinting/protected-auth) is enabled and returned fingerprinting results, this field will contain information about the member's device attributes.
The IP address of the device.
The details of the IP address.
The city of the IP address.
The region of the IP address.
The country of the IP address.
The details of the country.
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we
may ask for this value to help identify a specific API call when helping you debug an issue.
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values
equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
```jsx theme={null}
import { useEffect } from 'react';
import { useSearchParams } from 'next/navigation';
import { useStytchB2BClient } from '@stytch/nextjs/b2b';
export const SSOAuthenticate = () => {
const stytch = useStytchB2BClient();
const searchParams = useSearchParams();
useEffect(() => {
const token = searchParams.get('token');
if (token) {
stytch.sso.authenticate({
sso_token: token,
session_duration_minutes: 60,
});
}
}, [stytch, searchParams]);
return Authenticating...
;
};
```