Skip to main content
Stytch’s embedded, API-first architecture makes it easy to quickly add Enterprise Single Sign-On to your application without needing to migrate the rest of your authentication at the same time. You can use the Stytch Dashboard and/or Admin UI to manage SSO configuration, or use our APIs to embed configuration into your app directly.

Implementing SSO authentication

1

Complete config steps

If you haven’t done so already, complete the steps in the guide Getting Started with SSO.
2

Configure callback

Stytch will make a callback to the Login or Signup Redirect URL that you specified in the Stytch Dashboard in order to securely communicate that the user has successful logged in via SSO.If your Redirect URL is http://localhost:3000/authenticate you would add the following route to your application:
from stytch import B2BClient

stytch_client = B2BClient(
    project_id="PROJECT_ID",
    secret="SECRET",
)

@app.route("/authenticate", methods=["GET"])
def authenticate() -> str:
    try:
        resp = stytch_client.sso.authenticate(
            sso_token=request.args["token"]
        )
    except StytchError as e:
        return e.details

    # user has successfully authenticated
Use the response from Stytch to get or create your internal record of the user and organization, and create a session for the user.
3

Initiate SSO

In order to initiate SSO, you will call the Start SSO Login method from your client. This will automatically redirect the user to the workforce IdP to initiate the SSO authentication.You can test the full SSO flow out by calling the /sso/start method using the connection_id for the SSO Connection you created earlier and your Stytch public_token from the Stytch Dashboard:
https://test.stytch.com/v1/public/sso/start?connection_id={connection_id}&public_token={public_token}

Identifying the SSO Connection

Depending on your application, there are a few different ways you might identify the correct connection_id to use for the sso.start() request.

By Organization

If you already know which Organization the end user is attempting to log into you can fetch the Organization object and prompt the user to select between their active Connections 
try:
    resp = client.organizations.get(
        organization_id="organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
    )
except StytchError as e:
    return e.details

return resp.organization.sso_active_connections

By Email Address

If you don’t know which Organization the user is trying to access, you can use the Discover SSO Connections method in our headless frontend SDK 
import { StytchB2BHeadlessClient } from '@stytch/vanilla-js/b2b/headless';

const stytch = new StytchB2BHeadlessClient('PUBLIC_TOKEN');

export const discoverSSOConnections = () => {
  stytch.sso.discoverConnections('sandbox@stytch.com');
};
This method attempts to find the SSO Connection that the user wishes to use by prioritizing in the following order:
  1. Active SSO Registrations (e.g. the user has previously signed in via this connection)
  2. Active Memberships
  3. Invites
  4. Eligible to join by email domain
At each step, we will check to see if we have SSO Connections that apply and if so will return those. If we have not found SSO Connections, we will continue to the next step. In rare situations where we find SSO Connections for distinct Organizations at a given step we will return an empty array and recommend prompting the user for the Organization they wish to access. The goal is to optimize directing users to the correct connection without exposing account enumeration attacks or relying on unscalable assumptions like a 1:1 mapping with domain and SSO Connection. If you would prefer to always show the user all possible SSO Connections, regardless of the account enumeration risk you can do this by calling the Search Members API.