Getting Started with SSO

Before integrating SSO authentication with Stytch, there are a few basic configuration steps:

1. Add or update Redirect URLs

In the Redirect URLs section of the Stytch Dashboard, make any updates needed to your default Signup and Login Redirect URLs.

By default, http://localhost:3000/authenticate is set as the default for all Redirect URLs in test. If you want to use a different port for local development, create a new Redirect URL and set it as the default for Signup and Login.

2. Create an Organization

This can be done in the dashboard or through the CreateOrganization API.

3. Create an SSO Connection for the Organization

Create a new SSO Connection for your Organization in the "Configure SSO Connections" section of the organization view in the dashboard.

You will be prompted to select either SAML or OIDC for your protocol. Stytch abstracts away the details of these protocols, so if you don't have a preference select SAML since it's more commonly used by enterprises.

You can also create the SSO Connection programmatically by calling the CreateSAMLConnection API or the CreateOIDCConnection API.

4. Set up the workforce IdP application

This step requires an admin account for the workforce IdP that you'll use to log in through SSO.

Select one of the guides below for step-by-step instructions for Okta, Microsoft Entra or Google Workspace.

If you don't already have an Okta admin account, the easiest way to get one is to create an Okta Workforce Identity Cloud Developer Edition account. Once you're logged in to the Okta Admin Dashboard, click Create App Integration in the Applications tab.

Select SAML 2.0 and continue to the General Settings form, where you enter the name of your application and (optionally) your application's logo.

In the Configure SAML form:

  • Input the acs_url from your Stytch SSO Connection as the Single sign-on URL
  • Input the audience_uri from your Stytch SSO Connection as the Audience URI (SP Entity ID)
  • For Name ID format select EmailAddress
  • In Attribute Statements create two inputs:
    • Name: firstName; Name format: Basic; Value: user.firstName
    • Name: lastName; Name format: Basic; Value: user.lastName

Your configuration page should look like the following:

[Screenshot: Okta SAML Configuration]

Save and continue, indicating that this is an internal application on the last screen.

Copy the Metadata URL from the Sign On Settings tab in your newly created Okta application.

[Screenshot: Copy SAML Metadata URL in Okta]

In the Stytch dashboard, click "configure" on your SSO Connection, and in the modal enter the Metadata URL you just copied and the following JSON for the Attribute Mapping.

{
    "email": "NameID",
    "first_name": "firstName",
    "last_name": "lastName"
}

Click save. The SSO Connection should now show as "Active". In the JIT Provisioning settings section above your SSO Connections, select "Anyone" can JIT Provision through SSO Connections, and save.

On the Assignments tab under your application in Okta, assign the application to team members who should have access to it by clicking Assign:

[Screenshot: Assign users button in Okta]
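To make the Attribute Mapping step concrete, here is an added example (illustrative code, not Stytch's or Okta's) that parses a constructed SAML assertion shaped like the Okta Attribute Statements configured above, checks that the Name ID is in emailAddress format, and applies the mapping JSON to produce the Stytch member fields. The function names and the sample assertion are assumptions; a missing attribute fails loudly, which is what a mistyped Attribute Statement name would cause at JIT provisioning time.

```python
import xml.etree.ElementTree as ET

# Namespace and Name ID format used by SAML 2.0 assertions.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# The Attribute Mapping JSON from the Stytch dashboard step: Stytch field -> SAML attribute name.
ATTRIBUTE_MAPPING = {"email": "NameID", "first_name": "firstName", "last_name": "lastName"}

# Constructed sample assertion (not a real Okta response), shaped like the
# Attribute Statements configured above. A real SP validates the signature first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ada@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Ada</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Lovelace</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_saml_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: value} plus "NameID", rejecting a non-email Name ID."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID missing or not in emailAddress format")
    attrs = {"NameID": name_id.text.strip()}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def apply_attribute_mapping(attrs: dict, mapping: dict) -> dict:
    """Translate IdP attributes into Stytch member fields; a missing attribute is an error."""
    member = {}
    for stytch_field, saml_name in mapping.items():
        if saml_name not in attrs:
            raise KeyError(f"assertion lacks attribute {saml_name!r} needed for {stytch_field!r}")
        member[stytch_field] = attrs[saml_name]
    return member


def member_from_assertion(assertion_xml: str, mapping: dict = ATTRIBUTE_MAPPING) -> dict:
    return apply_attribute_mapping(extract_saml_attributes(assertion_xml), mapping)
```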

5. Start integrating

Follow one of the guides below to get an end-to-end SSO flow up and running.

If you’re not sure what integration approach you want to take long-term, that’s fine!

If you want to get up and running with as little code as possible, check out the pre-built UI quickstart. If you want to get a sense for how much fine-grained control you can have with Stytch, choose between the backend and headless frontend quickstarts depending on where in the stack you feel most comfortable.