/
Contact usSee pricingStart building

    About B2B Saas Authentication

    Introduction
    Stytch B2B Basics
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Next.js
      Routing
      Authentication
      Sessions
    Migrations
      Overview
      Reconciling data models
      Migrating user data
      Additional migration considerations
      Zero-downtime deployment
      Defining external IDs for members
      Exporting from Stytch
    Custom Domains
      Overview

    Authentication

    Single Sign On

    • Resources

        • Overview
        External SSO Connections

    • Integration Guides

        • Start here
        Backend integration guide
        Headless integration guide
        Pre-built UI integration guide
    OAuth

    • Resources

        • Overview
        Authentication flows
        Identity providers
        Google One Tap
        Provider setup

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Connected AppsBeta
      Setting up Connected Apps
      About Remote MCP Servers

    • Resources

        • Integrate with AI agents
        Integrate with a remote MCP server
    Sessions

    • Resources

        • Overview
        JWTs vs Session Tokens
        How to use Stytch JWTs
        Custom Claims

    • Integration Guides

        • Start here
        Backend integration
        Frontend integration
    Email OTP
      Overview
    Magic Links

    • Resources

        • Overview
        Email Security Scanner Protections

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Multi-Factor Authentication

    • Resources

        • Overview

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Passwords
      Overview
      Strength policies
    UI components
      Overview
      Implement the Discovery flow
      Implement the Organization flow
    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0

    Authorization & Provisioning

    RBAC

    • Resources

        • Overview
        Stytch Resources & Roles
        Role assignment

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
    SCIM

    • Resources

        • Overview
        Supported actions

    • Integration Guides

        • Using Okta
        Using Microsoft Entra
    Organizations
      Managing org settings
      JIT Provisioning

    Testing

    E2E testing
    Sandbox values
Get support on SlackVisit our developer forum

Contact us

B2B Saas Authentication

/

Guides

/

Authentication

/

Single Sign On

/

Resources

/

Overview

Single Sign On Overview

Single Sign On (SSO) allows end users to authenticate to your application using their existing enterprise identity provider credentials. With Stytch, you can implement SSO as part of a fully-featured authentication stack or easily add enterprise-grade SSO capabilities to your existing infrastructure.

API Objects & Endpoints

API ResourcesDescription
OrganizationA top-level tenant that groups members, auth settings, roles, and other identity configurations.
MemberRepresents an authenticated user who is a member of a specific Organization.
SAML ConnectionRepresents a SAML protocol-based connection with an identity provider. A SAML Connection is explicitly tied to an Organization, which can have multiple SAML Connections.
OIDC ConnectionRepresents an OIDC protocol-based connection with an identity provider. An OIDC Connection is explicitly tied to an Organization, which can have multiple OIDC Connections.
Member SessionA managed session that tracks a Member's logged-in state using JWTs or session tokens.

How SSO Works

SSO involves two parties:

  1. Service Provider (SP): the application the end user is trying to access (your application)
  2. Identity Provider (IdP): the application that is verifying the end user's identity

For B2B applications like yours, the Identity Provider in the SSO exchange refers to the workforce IdP that your customers use to centrally manage their employees' access and identity information. When an end user authenticates through an Organization's SSO Connection this verifies both their identity as well as their authorization to access the Organization's instance on your application.

Implementing SSO on your own requires extensive work with various identity protocols and provider-specific implementations, but Stytch abstracts away those details for you, and the flow between you and Stytch will be the same regardless of the protocol used. Stytch handles the backend auth exchange with each identity provider, wrapping complex OIDC and SAML protocol flows into two simple API calls. Stytch supports both SAML 2.0 and OpenID Connect (OIDC), the two main protocols used for Enterprise SSO:

  • SAML 2.0 (Security Assertion Markup Language): A mature standard used by many enterprise identity providers
  • OIDC (OpenID Connect): A more modern protocol built on OAuth 2.0, used by providers like Google and Microsoft

You can read more about Stytch's SSO solution here.

API Objects & Endpoints

How SSO Works