Getting Started with SSO

Before integrating Single Sign-On (SSO) authentication with Stytch, there are a few basic configuration steps, which you can complete in the Dashboard or via Stytch APIs:

1. Add or update Redirect URLs

On the Redirect URLs page of the Stytch Dashboard, make any updates needed to your default Signup and Login Redirect URLs.

In test environments, http://localhost:3000/authenticate is the default for all Redirect URLs. If you want to use a different port for local development, create a new Redirect URL and set it as the default for Signup and Login.

The Workspace Management APIs allow you to create or otherwise manage Redirect URLs as well.

2. Create an Organization

This can be done in the Dashboard or through the CreateOrganization API. Take note of the Organization ID -- you'll need it in order to configure connections in a minute.

3. Create an SSO Connection for the Organization

Create a new SSO Connection for your Organization in the "Configure SSO Connections" section of the organization view in the Dashboard.

You will be prompted to select either SAML or OIDC for your protocol. Stytch abstracts away the details of these protocols, so if you don't have a preference, select SAML, since it's more commonly used by enterprises.

You can also create the SSO Connection programmatically, by calling the CreateSAMLConnection API or the CreateOIDCConnection API. In both cases, you'll need to provide the identity provider and (optional but recommended) a display name for the Connection.

4. Set up workforce IdP application

You'll need admin access to a workforce IdP for this step. In the B2B context, this step will generally be performed by your end customers -- feel free to send this guide to them.

Go to the Provider Setup page for instructions that apply to most IdPs, along with step-by-step guides for Okta, Google Workspace, and Microsoft Entra.

At the end of this step, you should now see the SSO Connection as "Active" within Stytch.

5. Test your SSO Connection

To test your new connection, navigate to the SSO Start endpoint with the relevant query parameters:

https://{base_url}/v1/public/sso/start?connection_id={connection_id}&public_token={public_token}

This should take you through your IdP and redirect to your default redirect URL (http://localhost:3000/authenticate by default). If you don't have a redirect handler running, you can grab the token from the URL's token parameter.

Once you have the token, call SSO Authenticate with the token and a session duration (in minutes) to start a member session.

You can use the organization's organization_id (which can be the Stytch organization ID or an external organization ID) in lieu of connection_id when calling the SSO start endpoint.
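
The round trip from this step, as an added example that is not Stytch's own code: it builds the SSO Start URL, extracts the token only when the redirect landed on the registered Redirect URL, and prepares the SSO Authenticate call without sending it. The function names are hypothetical and the sample values are constructed. The authenticate path, the body field names and the Basic auth scheme are assumptions not stated on this page, so check them against the API reference.

```python
import base64
import json
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import Request

def sso_start_url(base_url, public_token, connection_id=None, organization_id=None):
    """Build the SSO Start URL; exactly one identifier must be supplied."""
    if (connection_id is None) == (organization_id is None):
        raise ValueError("pass exactly one of connection_id or organization_id")
    ident = ({"connection_id": connection_id} if connection_id
             else {"organization_id": organization_id})
    query = urlencode({**ident, "public_token": public_token})
    return f"https://{base_url}/v1/public/sso/start?{query}"

def token_from_redirect(redirect_url, expected="http://localhost:3000/authenticate"):
    """Return the token parameter, but only from the registered Redirect URL."""
    got, want = urlsplit(redirect_url), urlsplit(expected)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect did not land on the registered Redirect URL")
    tokens = parse_qs(got.query).get("token", [])
    if len(tokens) != 1 or not tokens[0]:
        raise ValueError("expected exactly one non-empty token parameter")
    return tokens[0]

def authenticate_request(base_url, project_id, secret, token, minutes=60):
    """Prepare (but do not send) the SSO Authenticate call for a member session."""
    # Assumed path, field names and Basic auth; verify against the API reference.
    body = json.dumps({"sso_token": token, "session_duration_minutes": minutes})
    basic = base64.b64encode(f"{project_id}:{secret}".encode()).decode()
    return Request(
        f"https://{base_url}/v1/b2b/sso/authenticate",
        data=body.encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {basic}"},
        method="POST",
    )

if __name__ == "__main__":
    # Constructed sample values; base URL and identifiers are placeholders.
    base = "test.stytch.com"
    print(sso_start_url(base, "public-token-CONSTRUCTED", connection_id="conn-CONSTRUCTED"))
    tok = token_from_redirect("http://localhost:3000/authenticate?token=tok-CONSTRUCTED")
    req = authenticate_request(base, "project-CONSTRUCTED", "secret-CONSTRUCTED", tok)
    print(req.get_method(), req.full_url)
```

Keep the project secret on the server: only the public token belongs in the start URL that the browser sees.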

Implementation

Follow one of the guides below to get an end-to-end SSO flow up and running.

  • Backend integration guide: to implement single sign on from the server side
  • Headless frontend integration guide: to implement single sign on from the client, but without Stytch-provided UI components
  • Pre-built UI frontend integration guide: to implement single sign on with Stytch pre-built components

If you’re not sure what integration approach you want to take long-term, that’s fine!

If you want to get up and running with as little code as possible, check out the pre-built UI integration guide. If you want to get a sense for how much fine-grained control you can have with Stytch, choose between the backend and headless frontend integration guides depending on where in the stack you feel most comfortable. Regardless of approach, Stytch’s SSO solution supports all major identity providers and allows you to easily configure one or many different providers per customer.

Whether you're implementing Stytch's SSO as a standalone solution or as part of our complete authentication platform, we’re ready to help:

  • Join our Developer Community for implementation support
  • Schedule a demo to see Stytch SSO in action

SSO add-ons

Stytch’s other authentication features integrate with your SSO implementation to create a complete identity management solution:

  • Add an admin portal to let your customers handle configuration for members, organizations, and SSO via an admin UI embedded right inside your app.
  • Set up Stytch Connected Apps to allow your app to act as an identity provider (IdP) for interacting with AI agents, activating plugins like Plaid Exchange or ChatGPT, transferring auth state, and more.
  • Use RBAC (Role-Based Access Control) to enforce permissions and manage access to resources in your application.
