Getting Started with SSO
Before integrating Single Sign-On (SSO) authentication with Stytch, there are a few basic configuration steps:
Add or update Redirect URLs
In the Redirect URLs section of the Stytch Dashboard make any updates needed to your default Signup and Login Redirect URLs.
By default, http://localhost:3000/authenticate is set as the default for all Redirect URLs in test. If you want to use a different port for local dev, create a new Redirect URL and set as default for Signup and Login.
2Create an Organization
Can be done in the dashboard or through the CreateOrganization API
3Create an SSO Connection for the Organization
Create a new SSO Connection for your Organization in the "Configure SSO Connections" section of the organization view in the dashboard.
You will be prompted to select either SAML or OIDC for your protocol. Stytch abstracts away the details of these protocols, so if you don't have a preference select SAML since it's more commonly used by enterprises.
You can also create the SSO Connection programmatically, by calling the CreateSAMLConnection API or the CreateOIDCConnection API.
4Setup workforce IdP application
This step requires having an admin account for the workforce IdP that you'll use to login through SSO.
Select one of the guides below for step-by-step instructions for Okta, Microsoft Entra or Google Workspace.
If you don't already have an Okta admin account, the easiest way to do this is by creating an Okta Workforce Identity Cloud Developer Edition account. Once you're logged in to the Okta Admin Dashboard click Create App Integration in the Applications tab: 
Select SAML 2.0 and continue to the the General Settings form, enter the name of your application and (optionally) your application's logo.
In the Configure SAML form:
- Input the acs_url from your Stytch SSO Connection as the Single sign-on URL
- Input the audience_uri from your Stytch SSO Connection as the Audience URI (SP Entity ID)
- For Name ID format select EmailAddress
- In Attribute Statements create two inputs:
- Name: firstName; Name format: Basic; Value: user.firstName
- Name: lastName; Name format: Basic; Value: user.lastName
Your configuration page should look like the following:
Save and continue, indicating that this is an internal application on the last screen.
Copy the Metadata URL from the Sign On Settings tab in your newly created Okta application.
In the Stytch dashboard click "configure" on your SSO Connection, and in the modal input the Metadata URL you just copied, and the following JSON for the Attribute Mapping.
{
"email": "NameID",
"first_name": "firstName",
"last_name": "lastName"
}Click save. You should now see the SSO Connection as "Active". In the SSO Connections JIT Provisioning settings section above, select "Anyone" can JIT Provision through SSO Connections and save.
On the Assignments tab under your application in Okta, assign the application to team members who should have access to it by clicking Assign:
If you don't already have an Okta admin account, the easiest way to do this is by creating an Okta Workforce Identity Cloud Developer Edition account. Once you're logged in to the Okta Admin Dashboard and click Create App Integration in the Applications tab:
Select OIDC - OpenID Connect and Web Application: 
Enter the name of your application and (optionally) your application's logo.
Under Grant type, select Authorization Code: 
In the Sign-in redirect URIs section, add the redirect_url value from the Stytch connection object.
For the purposes of this guide, you do not need to add any Sign-out redirect URIs. In the future, you can (optionally) add a URI corresponding to a page in your application that logs the user out by revoking their Stytch session.
Under Controlled access, select Allow everyone in your organization to access and Enable immediate access with Federation Broker Mode and save. You may change these settings later, if desired. 
In the General tab of your newly created Okta application, locate the Client ID in the Client Credentials section and Secret in the Client Secrets section: 
In the Stytch Dashboard, click "configure" on your SSO Connection and input the Client ID and Secret from above and set the Issuer value to your Okta instance URL. This URL should look like https://dev-111111.okta.com and is viewable in the top right hand corner drop down under your email address. You can alternatively call the Update OIDC Connection endpoint with the client_id, client_secret and issuer fields.
Click save. You should now see the SSO Connection as "Active". In the SSO Connections JIT Provisioning settings section above, select "Anyone" can JIT Provision through SSO Connections and save.
Log into the Google Workspace Admin Console. Navigate to the Web and mobile apps tab under Apps: 
Select Add custom SAML app from the Add app dropdown: 
Enter the name of your application and (optionally) a description and your application's logo. Click Continue.
Copy the following information under Option 2 and input into your Stytch SSO Connection by clicking "configure":
- IdP Entity ID: the Entity ID from Google
- IdP SSO URL: the SSO URL from Google
- x509 Certificate: the Certificate from Google
- Attribute Mapping: input the below JSON:
{
"email": "NameID",
"first_name": "firstName",
"last_name": "lastName"
}Your Stytch SSO configuration view should look like the following:
Click save. You should now see the SSO Connection as "Active". In the SSO Connections JIT Provisioning settings section above, select "Anyone" can JIT Provision through SSO Connections and save.
In the Google Admin Console, enter the following information from the Stytch SSO Connection into the Service provider details form and then click Continue:
- ACS URL: acs_url from the Stytch SSO Connection
- Entity ID: audience_uri from the Stytch SSO Connection
- Name ID format: EMAIL
- Name ID: Basic Information > Primary email
On the next screen add the following two Attributes:
- Google Directory attributes: First name; App attributes: firstName
- Google Directory attributes: Last name; App attributes: lastName
Click Finish.
Navigate to the User access page for your new Google Workspace app:
Grant access to the Groups or Organizational Units of your choice. For the purposes of this guide, you can also simply set the Service status to ON for everyone in the All users in this account tab:
Log into Microsoft Entra Admin Center, navigate to Enterprise applications and select to create a new application.
Select create your own application at the top.
Name your application and select Integrate any other application you don't find in the gallery (Non-gallery) and then click Create.
Once your application is created, navigate to the Single Sign-On setup page and select SAML.
Click Edit on Basic SAML Configuration and add the following values from the SSO Connection you created in Stytch:
- Identifier (Entity ID): the Audience URI from your Stytch SSO Connection
- Reply URL (Assertion Consumer Service URL): the ACS URL from your Stytch SSO Connection
Leave the other values blank and click Save.
Next, edit the Attributes & Claims section. Click on the Unique User Identifier (Name ID) under Required Claim, and change the Source attribute to use user.primaryauthoritativeemail
Under Additional claims, you edit and delete the default options so you are left with two claims: user.givenname as firstName and user.surname as lastName. Save.
In the Stytch dashboard (or with the UpdateSAMLConnection API) click "configure" on your SSO Connection and set the Metadata URL as the App Federation Metadata Url from the SAML Certificates section in your Entra app.
For Attribute Mapping on your Stytch SSO Connection set the following JSON:
{
"email": "NameID",
"first_name": "firstName",
"last_name": "lastName"
}Click save on your Stytch SSO Connection, and you should now see the status as "Active". In the SSO Connections JIT Provisioning settings section above, select "Anyone" can JIT Provision through SSO Connections and save.
The last step is to add users to your application in Entra, which you can do by navigating to Users and groups and selecting "Add user/group".
Log into Microsoft Entra Admin Center, navigate to App registrations and select to create a New registration
Input a name and select Accounts in this organizational directory only for Supported account types and click Register
Navigate to the Authentication section and select "Add a platform" under Platform configurations
Select web and input the Redirect URI from the Stytch SSO Connection you created earlier. Leave the rest blank and click "Configure"
Navigate to Certificates & secrets and select "New client secret". Enter a description of your new secret key, select your desired secret expiration length, and click Add.
In the Stytch dashboard click "configure" on your SSO Connection and input the secret value as the Client Secret in Stytch
For Client ID and Issuer, navigate back to the Entra Overview section and copy over the following values into the Stytch OIDC Connection you are configuring:
- Client ID in Stytch: set to the Application (client) ID from Entra
- Issuer in Stytch: set to URL format https://login.microsoftonline.com/<YOUR_DIRECTORY_ID>/v2.0 where <YOUR_DIRECTORY_ID> is replaced with the Directory (tenant) ID from the Overview section
Click save. You should now see the SSO Connection as "Active". In the SSO Connections JIT Provisioning settings section above, select "Anyone" can JIT Provision through SSO Connections and save.
5Start integrating
Follow one of the below guides to get an end-to-end SSO flow up and running.
If you’re not sure what integration approach you want to take long-term, that’s fine!
If you want to get up and running with as little code as possible, check out the pre-built UI integration guide. If you want to get a sense for how much fine-grained control you can have with Stytch, choose between the backend and headless frontend integration guides depending on where in the stack you feel most comfortable.