Single Sign On Overview

Single Sign On (SSO) is the process of allowing end users to securely authenticate to multiple applications based on their authenticated identity on another application.

API Objects & Endpoints

API Resources



A top-level tenant that groups members, auth settings, roles, and other identity configurations.


Represents an authenticated user who is a member of a specific Organization.

SAML Connection

Represents a SAML protocol-based connection with an identity provider. A SAML Connection is explicitly tied to an Organization, which can have multiple SAML Connections.

OIDC Connection

Represents an OIDC protocol-based connection with an identity provider. An OIDC Connection is explicitly tied to an Organization, which can have multiple OIDC Connections.

Member Session

A managed session that tracks a Member's logged-in state using JWTs or session tokens.

How It Works

SSO involves two parties:

  1. Service Provider (SP): the application the end user is trying to access (your application)
  2. Identity Provider (IdP): the application that is verifying the end user's identity

For B2B applications like yours, the Identity Provider in the SSO exchange refers to the workforce IdP that your customers use to centrally manage their employees access and identity information. When an end user authenticates through an Organization's SSO Connection this verifies both their identity as well as their authorization to access the Organization's instance on your application.

The standards for securely exchanging authentication and authorization data between the identity provider and the service providers are established by the protocol being used, typically SAML or OIDC -- but Stytch abstracts away those details for you, and the flow between you and Stytch will be the same regardless of the protocol used.

You can read more about how SSO works and why enterprise companies request SSO support here.