Getting Started with SSO
Before integrating Single Sign-On (SSO) authentication with Stytch, there are a few basic configuration steps, which you can complete in the Dashboard or via Stytch APIs:
1. Add or update Redirect URLs
On the Redirect URLs page of the Stytch Dashboard, make any updates needed to your default Signup and Login Redirect URLs.
In test environments, http://localhost:3000/authenticate is the default for all Redirect URLs. If you want to use a different port for local development, create a new Redirect URL and set it as the default for Signup and Login.
The Workspace Management APIs allow you to create or otherwise manage Redirect URLs as well.
2. Create an Organization
This can be done in the Dashboard or through the CreateOrganization API. Take note of the Organization ID -- you'll need it in order to configure connections in a minute.
3. Create an SSO Connection for the Organization
Create a new SSO Connection for your Organization in the "Configure SSO Connections" section of the organization view in the Dashboard.
You will be prompted to select either SAML or OIDC for your protocol. Stytch abstracts away the details of these protocols, so if you don't have a preference select SAML since it's more commonly used by enterprises.
You can also create the SSO Connection programmatically, by calling the CreateSAMLConnection API or the CreateOIDCConnection API. In both cases, you'll need to provide the identity provider and (optional but recommended) a display name for the Connection.
4. Set up the workforce IdP application
You'll need admin access to a workforce IdP for this step. In the B2B context, this step will generally be performed by your end customers -- feel free to send this guide to them.
Go to the Provider Setup page for instructions that apply to most IdPs, along with step-by-step guides for Okta, Google Workspace, and Microsoft Entra.
At the end of this step, the SSO Connection should show as "Active" within Stytch.
5. Test your SSO Connection
To test your new connection, navigate to the SSO Start endpoint with the relevant query parameters:
https://{base_url}/v1/public/sso/start?connection_id={connection_id}&public_token={public_token}
This should take you through your IdP and redirect to your default redirect URL (http://localhost:3000/authenticate by default). If you don't have a redirect handler running, you can grab the token from the URL's token parameter.
Once you have the token, call SSO Authenticate with the token and a session duration (in minutes) to start a member session.
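The following is an added example, not Stytch's SDK or documentation code, that walks steps 2, 3 and 5 above from a server: create the Organization, create a SAML connection for it, build the SSO Start URL from L19's template, pull the token out of the redirect back to your handler, and exchange it with SSO Authenticate for a member session. The endpoint paths (/v1/b2b/organizations, /v1/b2b/sso/saml/{organization_id}, /v1/b2b/sso/authenticate), the request field names, the Basic-auth scheme and the test host https://test.stytch.com are assumptions drawn from memory of the public Stytch API reference and should be checked against the current docs; all IDs and secrets are placeholders. The transport is injectable so the whole flow can be exercised without network access.

```python
"""Added example (not Stytch's own code): minimal client for the SSO setup
and test steps. Endpoint paths, field names and auth scheme are assumptions."""
import base64
import json
import urllib.parse
import urllib.request

TEST_BASE_URL = "https://test.stytch.com"  # assumption: Stytch test environment host


class RecordingTransport:
    """Offline stand-in for HTTP: records (url, headers, parsed body) per call."""

    def __init__(self):
        self.calls = []

    def __call__(self, url, headers, body):
        self.calls.append((url, headers, json.loads(body)))
        return {"status_code": 200, "request_id": "constructed-request-id"}


class StytchB2BClient:
    """Every call is a JSON POST authenticated with HTTP Basic auth using
    project_id:secret (assumption about the Stytch API)."""

    def __init__(self, project_id, secret, base_url=TEST_BASE_URL, transport=None):
        self.base_url = base_url.rstrip("/")
        creds = base64.b64encode(f"{project_id}:{secret}".encode()).decode()
        self.headers = {"Authorization": f"Basic {creds}",
                        "Content-Type": "application/json"}
        self.transport = transport or self._http_post

    @staticmethod
    def _http_post(url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())

    def post(self, path, payload):
        return self.transport(f"{self.base_url}{path}", self.headers,
                              json.dumps(payload).encode())

    # Step 2: CreateOrganization (assumed path and fields)
    def create_organization(self, name, slug):
        return self.post("/v1/b2b/organizations",
                         {"organization_name": name, "organization_slug": slug})

    # Step 3: CreateSAMLConnection (assumed path and fields); display_name is
    # optional per the page but recommended, so it is required here
    def create_saml_connection(self, organization_id, display_name, identity_provider):
        return self.post(f"/v1/b2b/sso/saml/{organization_id}",
                         {"display_name": display_name,
                          "identity_provider": identity_provider})

    # Step 5: SSO Authenticate (assumed path and fields). The token is a
    # credential: pass it straight through and never log it.
    def sso_authenticate(self, sso_token, session_duration_minutes=60):
        if not isinstance(session_duration_minutes, int) or session_duration_minutes <= 0:
            raise ValueError("session_duration_minutes must be a positive integer")
        return self.post("/v1/b2b/sso/authenticate",
                         {"sso_token": sso_token,
                          "session_duration_minutes": session_duration_minutes})


def build_sso_start_url(base_url, connection_id, public_token):
    """Step 5: the SSO Start URL from the page, with values properly encoded."""
    query = urllib.parse.urlencode({"connection_id": connection_id,
                                    "public_token": public_token})
    return f"{base_url.rstrip('/')}/v1/public/sso/start?{query}"


def extract_sso_token(redirect_url):
    """Read the `token` query parameter from the redirect back to your handler.
    Returns None unless exactly one token is present (rejects duplicates)."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    tokens = params.get("token", [])
    return tokens[0] if len(tokens) == 1 else None


if __name__ == "__main__":
    transport = RecordingTransport()  # swap for None to hit the real API
    client = StytchB2BClient("project-id-placeholder", "secret-placeholder",
                             transport=transport)
    client.create_organization("Example Corp", "example-corp")
    client.create_saml_connection("organization-id-placeholder", "Okta", "okta")
    print(build_sso_start_url(TEST_BASE_URL, "connection-id-placeholder",
                              "public-token-placeholder"))
    # constructed redirect as your /authenticate handler would receive it
    token = extract_sso_token("http://localhost:3000/authenticate?token=constructed-token")
    client.sso_authenticate(token, 60)
    for url, _, body in transport.calls:
        print(url, sorted(body))
```

Keep the session duration a server-side constant rather than a client-supplied value, and treat the token exactly like a password in logs and error messages.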
Implementation
Follow one of the below guides to get an end-to-end SSO flow up and running.
- Backend integration guide: to implement single sign on from the server side
- Headless frontend integration guide: to implement single sign on from the client, but without Stytch-provided UI components
- Pre-built UI frontend integration guide: to implement single sign on with Stytch pre-built components
If you’re not sure what integration approach you want to take long-term, that’s fine!
If you want to get up and running with as little code as possible, check out the pre-built UI integration guide. If you want to get a sense of how much fine-grained control you can have with Stytch, choose between the backend and headless frontend integration guides depending on where in the stack you feel most comfortable. Regardless of approach, Stytch's SSO solution supports all major identity providers and lets you configure one or many providers per customer.
Whether you're implementing Stytch's SSO as a standalone solution or as part of our complete authentication platform, we’re ready to help:
- Join our Developer Community for implementation support
- Schedule a demo to see Stytch SSO in action
SSO add-ons
Stytch’s other authentication features integrate with your SSO implementation to create a complete identity management solution:
- Add an admin portal to let your customers handle configuration for members, organizations, and SSO via an admin UI embedded right inside your app.
- Set up Stytch Connected Apps to allow your app to act as an identity provider (IdP) for interacting with AI agents, activating plugins like Plaid Exchange or ChatGPT, transferring auth state, and more.
- Use RBAC (Role-Based Access Control) to enforce permissions and manage access to resources in your application.