/
Contact usSee pricingStart building

    About B2B Saas Authentication

    Introduction
    Stytch B2B Basics
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Next.js
      Routing
      Authentication
      Sessions
    Migrations
      Overview
      Reconciling data models
      Migrating user data
      Additional migration considerations
      Zero-downtime deployment
      Defining external IDs for members
      Exporting from Stytch
    Custom Domains
      Overview

    Authentication

    Single Sign On

    • Resources

        • Overview
        External SSO Connections

    • Integration Guides

        • Start here
        Backend integration guide
        Headless integration guide
        Pre-built UI integration guide
    OAuth

    • Resources

        • Overview
        Authentication flows
        Identity providers
        Google One Tap
        Provider setup

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Connected AppsBeta
      Setting up Connected Apps
      About Remote MCP Servers

    • Resources

        • Integrate with AI agents
        Integrate with a remote MCP server
    Sessions

    • Resources

        • Overview
        JWTs vs Session Tokens
        How to use Stytch JWTs
        Custom Claims

    • Integration Guides

        • Start here
        Backend integration
        Frontend integration
    Email OTP
      Overview
    Magic Links

    • Resources

        • Overview
        Email Security Scanner Protections

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Multi-Factor Authentication

    • Resources

        • Overview

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Passwords
      Overview
      Strength policies
    UI components
      Overview
      Implement the Discovery flow
      Implement the Organization flow
    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0

    Authorization & Provisioning

    RBAC

    • Resources

        • Overview
        Stytch Resources & Roles
        Role assignment

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
    SCIM

    • Resources

        • Overview
        Supported actions

    • Integration Guides

        • Using Okta
        Using Microsoft Entra
    Organizations
      Managing org settings
      JIT Provisioning

    Testing

    E2E testing
    Sandbox values
Get support on SlackVisit our developer forum

Contact us

B2B Saas Authentication

/

Guides

/

Authentication

/

Single Sign On

/

Integration Guides

/

Start here

Getting Started with SSO

Before integrating Single Sign-On (SSO) authentication with Stytch, there are a few basic configuration steps:

1
Add or update Redirect URLs

In the Redirect URLs section of the Stytch Dashboard make any updates needed to your default Signup and Login Redirect URLs.

By default, http://localhost:3000/authenticate is set as the default for all Redirect URLs in test. If you want to use a different port for local dev, create a new Redirect URL and set as default for Signup and Login.

2
Create an Organization

Can be done in the dashboard or through the CreateOrganization API

3
Create an SSO Connection for the Organization

Create a new SSO Connection for your Organization in the "Configure SSO Connections" section of the organization view in the dashboard.

You will be prompted to select either SAML or OIDC for your protocol. Stytch abstracts away the details of these protocols, so if you don't have a preference select SAML since it's more commonly used by enterprises.

You can also create the SSO Connection programmatically, by calling the CreateSAMLConnection API or the CreateOIDCConnection API.

4
Setup workforce IdP application

This step requires having an admin account for the workforce IdP that you'll use to login through SSO.

Select one of the guides below for step-by-step instructions for Okta, Microsoft Entra or Google Workspace.

If you don't already have an Okta admin account, the easiest way to do this is by creating an Okta Workforce Identity Cloud Developer Edition account. Once you're logged in to the Okta Admin Dashboard click Create App Integration in the Applications tab: View SAML setup instructions button in Okta

Select SAML 2.0 and continue to the the General Settings form, enter the name of your application and (optionally) your application's logo.

In the Configure SAML form:

  • Input the acs_url from your Stytch SSO Connection as the Single sign-on URL
  • Input the audience_uri from your Stytch SSO Connection as the Audience URI (SP Entity ID)
  • For Name ID format select EmailAddress
  • For Application username select Email
  • In Attribute Statements create three inputs:
    • Name: firstName; Name format: Basic; Value: user.firstName
    • Name: lastName; Name format: Basic; Value: user.lastName
    • Name: id; Name format: Basic; Value: user.id

Your configuration page should look like the following:

Okta SAML Configuration

Save and continue, indicating that this is an internal application on the last screen.

Copy the Metadata URL from the Sign On Settings tab in your newly created Okta application.

Copy SAML Metadata URL in Okta

In the Stytch dashboard click "configure" on your SSO Connection, and in the modal input the Metadata URL you just copied, and the following JSON for the Attribute Mapping.

{
    "email": "NameID",
    "first_name": "firstName",
    "last_name": "lastName",
    "idp_user_id": "id"
}

Click save. You should now see the SSO Connection as "Active". In the SSO Connections JIT Provisioning settings section above, select "Anyone" can JIT Provision through SSO Connections and save.

On the Assignments tab under your application in Okta, assign the application to team members who should have access to it by clicking Assign:

Assign users button in Okta

If you don't already have an Okta admin account, the easiest way to do this is by creating an Okta Workforce Identity Cloud Developer Edition account. Once you're logged in to the Okta Admin Dashboard and click Create App Integration in the Applications tab: Create App Integration button in Okta

Select OIDC - OpenID Connect and Web Application: App type selection screen in Okta

Enter the name of your application and (optionally) your application's logo.

Under Grant type, select Authorization Code: Okta grant type selection

In the Sign-in redirect URIs section, add the redirect_url value from the Stytch connection object.

For the purposes of this guide, you do not need to add any Sign-out redirect URIs. In the future, you can (optionally) add a URI corresponding to a page in your application that logs the user out by revoking their Stytch session.

Under Controlled access, select Allow everyone in your organization to access and Enable immediate access with Federation Broker Mode and save. You may change these settings later, if desired. Okta access type selection

In the General tab of your newly created Okta application, locate the Client ID in the Client Credentials section and Secret in the Client Secrets section: Client ID and secret in Okta

In the Stytch Dashboard, click "configure" on your SSO Connection and input the Client ID and Secret from above and set the Issuer value to your Okta instance URL. This URL should look like https://dev-111111.okta.com and is viewable in the top right hand corner drop down under your email address. You can alternatively call the Update OIDC Connection endpoint with the client_id, client_secret and issuer fields.

Click save. You should now see the SSO Connection as "Active". In the SSO Connections JIT Provisioning settings section above, select "Anyone" can JIT Provision through SSO Connections and save.

Log into the Google Workspace Admin Console. Navigate to the Web and mobile apps tab under Apps: Web and mobile apps tab in Google Workspace

Select Add custom SAML app from the Add app dropdown: Add custom SAML app button in Google Workspace

Enter the name of your application and (optionally) a description and your application's logo. Click Continue.

Copy the following information under Option 2 and input into your Stytch SSO Connection by clicking "configure":

Google Workspace SAML IdP config information
  • IdP Entity ID: the Entity ID from Google
  • IdP SSO URL: the SSO URL from Google
  • x509 Certificate: the Certificate from Google
  • Attribute Mapping: input the below JSON:
{
    "email": "NameID",
    "first_name": "firstName",
    "last_name": "lastName"
}

Your Stytch SSO configuration view should look like the following:

Stytch SSO Connection configured for Google

Click save. You should now see the SSO Connection as "Active". In the SSO Connections JIT Provisioning settings section above, select "Anyone" can JIT Provision through SSO Connections and save.

In the Google Admin Console, enter the following information from the Stytch SSO Connection into the Service provider details form and then click Continue:

  • ACS URL: acs_url from the Stytch SSO Connection
  • Entity ID: audience_uri from the Stytch SSO Connection
  • Name ID format: EMAIL
  • Name ID: Basic Information > Primary email
Google SAML service provider details

On the next screen add the following two Attributes:

  • Google Directory attributes: First name; App attributes: firstName
  • Google Directory attributes: Last name; App attributes: lastName

Click Finish.

Navigate to the User access page for your new Google Workspace app:

User access page in Google Workspace

Grant access to the Groups or Organizational Units of your choice. For the purposes of this guide, you can also simply set the Service status to ON for everyone in the All users in this account tab:

Service status toggle in Google Workspace

Log into Microsoft Entra Admin Center, navigate to Enterprise applications and select to create a new application.

Create new Entra application

Select create your own application at the top.

Create custom Entra application

Name your application and select Integrate any other application you don't find in the gallery (Non-gallery) and then click Create.

Once your application is created, navigate to the Single Sign-On setup page and select SAML.

Setup SSO for Entra application

Click Edit on Basic SAML Configuration and add the following values from the SSO Connection you created in Stytch:

  • Identifier (Entity ID): the Audience URI from your Stytch SSO Connection
  • Reply URL (Assertion Consumer Service URL): the ACS URL from your Stytch SSO Connection
Entra Basic SAML Configuration

Leave the other values blank and click Save.

Next, edit the Attributes & Claims section. Click on the Unique User Identifier (Name ID) under Required Claim, and change the Source attribute to use user.primaryauthoritativeemail

Entra edit NameID claim to use primary authoritative email

Under Additional claims, delete the preconfigured options and create the following three claims:

  • Claim Name: firstName Value: user.givenname
  • Claim Name: lastName Value: user.surname
  • Claim Name: id Value user.objectid Save.

Click

Entra final Attributes & Claims

In the Stytch dashboard (or with the UpdateSAMLConnection API) click "configure" on your SSO Connection and set the Metadata URL as the App Federation Metadata Url from the SAML Certificates section in your Entra app.

Entra SAML Metadata URL

For Attribute Mapping on your Stytch SSO Connection set the following JSON:

{
  "email": "NameID",
  "first_name": "firstName",
  "last_name": "lastName",
  "idp_user_id": "id"
}

Click save on your Stytch SSO Connection, and you should now see the status as "Active". In the SSO Connections JIT Provisioning settings section above, select "Anyone" can JIT Provision through SSO Connections and save.

The last step is to add users to your application in Entra, which you can do by navigating to Users and groups and selecting "Add user/group".

Entra add users to SAML app

Log into Microsoft Entra Admin Center, navigate to App registrations and select to create a New registration

Entra OIDC create new registration

Input a name and select Accounts in this organizational directory only for Supported account types and click Register

Entra OIDC register your application

Navigate to the Authentication section and select "Add a platform" under Platform configurations

Entra OIDC add platform config in authentication setup

Select web and input the Redirect URI from the Stytch SSO Connection you created earlier. Leave the rest blank and click "Configure"

Entra OIDC configure Redirect URL

Navigate to Certificates & secrets and select "New client secret". Enter a description of your new secret key, select your desired secret expiration length, and click Add.

Entra OIDC create new client secret

In the Stytch dashboard click "configure" on your SSO Connection and input the secret value as the Client Secret in Stytch

Entra OIDC get secret value

For Client ID and Issuer, navigate back to the Entra Overview section and copy over the following values into the Stytch OIDC Connection you are configuring:

  • Client ID in Stytch: set to the Application (client) ID from Entra
  • Issuer in Stytch: set to URL format https://login.microsoftonline.com/<YOUR_DIRECTORY_ID>/v2.0 where <YOUR_DIRECTORY_ID> is replaced with the Directory (tenant) ID from the Overview section
Entra OIDC get ClientID and Issuer

Click save. You should now see the SSO Connection as "Active". In the SSO Connections JIT Provisioning settings section above, select "Anyone" can JIT Provision through SSO Connections and save.

Implementation

Follow one of the below guides to get an end-to-end SSO flow up and running.

  • Backend integration guide: to implement single sign on from the server side
  • Headless frontend integration guide: to implement single sign on from the client, but without Stytch-provided UI components
  • Pre-built UI frontend integration guide: to implement single sign on with Stytch pre-built components

If you’re not sure what integration approach you want to take long-term, that’s fine!

If you want to get up and running with as little code as possible, check out the pre-built UI integration guide. If you want to get a sense for how much fine-grained control you can have with Stytch, choose between the backend and headless frontend integration guides depending on where in the stack you feel most comfortable. Regardless of approach, Stytch’s SSO solution supports all major identity providers and allows you to easily configure one, or many different providers per customer.

Whether you're implementing Stytch's SSO as a standalone solution or as part of our complete authentication platform, we’re ready to help:

  • Join our Developer Community for implementation support
  • Schedule a demo to see Stytch SSO in action

SSO add-ons

Stytch’s other authentication features integrate with your SSO implementation to create a complete identity management solution:

  • Add an admin portal to let your customers handle configuration for members, organizations, and SSO via an admin UI embedded right inside your app.
  • Set up Stytch Connected Apps to allow your app to act as an identity provider (IdP) for interacting with AI agents, activating plugins like Plaid Exchange or ChatGPT, transferring auth state, and more.
  • Use RBAC (Role-Based Access Control) to enforce permissions and manage access to resources in your application.

Getting Started with SSO

1.

Add or update Redirect URLs

2.

Create an Organization

3.

Create an SSO Connection for the Organization

4.

Setup workforce IdP application

Implementation

SSO add-ons