Standalone SSO
Stytch's embedded, API-first architecture makes it easy to quickly add Enterprise Single Sign-On to your application without needing to migrate the rest of your authentication at the same time.
Implementing SSO Authentication
1. Complete config steps
If you haven't done so already, complete the steps in the guide Getting Started with SSO.
2. Configure callback
Stytch will make a callback to the Login or Signup Redirect URL that you specified in the Stytch dashboard in order to securely communicate that the user has successfully logged in via SSO.
If your Redirect URL was http://localhost:3000/authenticate you would add the following route to your application:
from flask import Flask, request
from stytch import B2BClient
from stytch.core.response_base import StytchError

app = Flask(__name__)
stytch_client = B2BClient(
    project_id="PROJECT_ID",
    secret="SECRET",
)

@app.route("/authenticate", methods=["GET"])
def authenticate() -> str:
    try:
        # exchange the one-time token Stytch appended to the Redirect URL
        resp = stytch_client.sso.authenticate(
            sso_token=request.args["token"]
        )
    except StytchError as e:
        return e.details
    # user has successfully authenticated
    return "Authenticated"
Use the response from Stytch to get or create your internal record of the user and organization, and create a session for the user.
3. Initiate SSO
In order to initiate SSO, you will call the Start SSO Login method from your client. This will automatically redirect the user to the workforce IdP to initiate the SSO authentication.
You can test out the full SSO flow by calling the /sso/start method using the connection_id for the SSO Connection you created earlier and your Stytch public_token from the Stytch dashboard:
https://test.stytch.com/v1/public/sso/start?connection_id={connection_id}&public_token={public_token}
Identifying the SSO Connection
Depending on your application, there are a few different ways you might identify the correct connection_id to use for the sso.start() request.
By Organization
If you already know which Organization the end user is attempting to log into, you can fetch the Organization object and prompt the user to select between their active Connections:
from stytch.core.response_base import StytchError

# client is a configured stytch.B2BClient (see the callback route above)
def active_sso_connections(client):
    try:
        resp = client.organizations.get(
            organization_id="organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
        )
    except StytchError as e:
        return e.details
    # the SSO Connections the user can be prompted to choose between
    return resp.organization.sso_active_connections
By Email Address
If you don't know which Organization the user is trying to access, you can use the Discover SSO Connections method in our headless frontend SDK:
import { StytchB2BHeadlessClient } from '@stytch/vanilla-js/b2b/headless';
const stytch = new StytchB2BHeadlessClient('PUBLIC_TOKEN');
export const discoverSSOConnections = () => {
  // resolves to the SSO Connections this email address can use
  return stytch.sso.discoverConnections('sandbox@stytch.com');
};
This method attempts to find the SSO Connection that the user wishes to use by prioritizing in the following order:
- Active SSO Registrations (e.g. the user has previously signed in via this connection)
- Active Memberships
- Invites
- Eligible to join by email domain
At each step, we check whether any SSO Connections apply and, if so, return those. If none are found, we continue to the next step. In the rare case where a single step finds SSO Connections for distinct Organizations, we return an empty array and recommend prompting the user for the Organization they wish to access.
The goal is to direct users to the correct connection without exposing account enumeration attacks or relying on unscalable assumptions such as a 1:1 mapping between email domain and SSO Connection.
If you would prefer to always show the user all possible SSO Connections, regardless of the account enumeration risk, you can do this by calling the Search Members API.
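The precedence rules above, as an added illustration rather than Stytch's own implementation: a small model of the discovery order over constructed Organizations and connections (the data shapes, ids and the MemberContext class are assumptions), including the empty-array rule when one step matches distinct Organizations.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SSOConnection:
    connection_id: str
    organization_id: str

@dataclass
class MemberContext:
    """What is known about one email address (constructed shape, not the SDK's)."""
    email: str
    sso_registrations: list = field(default_factory=list)  # connections used before
    memberships: list = field(default_factory=list)        # org ids with active membership
    invites: list = field(default_factory=list)            # org ids with a pending invite
    domain_eligible: list = field(default_factory=list)    # org ids allowing the email domain

# Constructed sample: two Organizations, one active connection each (placeholder ids).
ORG_CONNECTIONS = {
    "organization-test-aaa": [SSOConnection("saml-connection-test-1", "organization-test-aaa")],
    "organization-test-bbb": [SSOConnection("oidc-connection-test-2", "organization-test-bbb")],
}

def discover_connections(ctx, org_connections=ORG_CONNECTIONS):
    """Mirror the documented precedence: registrations, memberships, invites, domain.

    The first step with any matches decides the result. If those matches span
    more than one Organization, return [] so the caller prompts for the
    Organization instead of revealing which Organizations the email belongs to.
    """
    def for_orgs(org_ids):
        return [c for org in org_ids for c in org_connections.get(org, [])]

    steps = [
        list(ctx.sso_registrations),    # 1. active SSO registrations
        for_orgs(ctx.memberships),      # 2. active memberships
        for_orgs(ctx.invites),          # 3. invites
        for_orgs(ctx.domain_eligible),  # 4. eligible to join by email domain
    ]
    for found in steps:
        if not found:
            continue  # nothing at this step, fall through to the next
        if len({c.organization_id for c in found}) > 1:
            return []  # ambiguous across Organizations: prompt the user
        return found
    return []
```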