# Standalone SSO

> Implement SSO with Stytch without migrating your existing authentication stack.

Stytch's embedded, API-first architecture makes it easy to quickly add Enterprise Single Sign-On to your application without needing to migrate the rest of your authentication at the same time.

You can use the Stytch Dashboard and/or Admin UI to manage SSO configuration, or use our APIs to embed configuration into your app directly.

## Implementing SSO authentication

<Steps>
  <Step title="Complete config steps">
    If you haven't done so already, complete the steps in the guide [Getting Started with SSO](/multi-tenant-auth/authentication/sso/overview).
  </Step>

  <Step title="Configure callback">
    Stytch will make a callback to the Login or Signup [Redirect URL](https://stytch.com/dashboard/redirect-urls) that you specified in the Stytch Dashboard in order to securely communicate that the user has successfully logged in via SSO.

    If your Redirect URL is `http://localhost:3000/authenticate` you would add the following route to your application:

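    ```python theme={null}
    from flask import Flask, request
    from stytch import B2BClient
    from stytch.core.response_base import StytchError

    app = Flask(__name__)

    stytch_client = B2BClient(
        project_id="PROJECT_ID",
        secret="SECRET",
    )

    @app.route("/authenticate", methods=["GET"])
    def authenticate() -> str:
        try:
            # Exchange the token from the redirect query string with Stytch
            resp = stytch_client.sso.authenticate(
                sso_token=request.args["token"]
            )
        except StytchError as e:
            return str(e.details)

        # user has successfully authenticated; use resp to look up or create
        # your internal user and organization records and start a session
        return "Authenticated"
    ```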

    Use the response from Stytch to get or create your internal record of the user and organization, and create a session for the user.
  </Step>

  <Step title="Initiate SSO">
    In order to initiate SSO, you will call the [Start SSO Login](/api-reference/b2b/api/sso/shared/start-sso-authenticate) method from your client. This will automatically redirect the user to the workforce IdP to initiate the SSO authentication.

    You can test the full SSO flow out by calling the `/sso/start` method using the `connection_id` for the SSO Connection you created earlier and your Stytch `public_token` from the [Stytch Dashboard](https://stytch.com/dashboard):

    ```text theme={null}
    https://test.stytch.com/v1/public/sso/start?connection_id={connection_id}&public_token={public_token}
    ```
  </Step>
</Steps>

## Identifying the SSO Connection

Depending on your application, there are a few different ways you might identify the correct `connection_id` to use for the `sso.start()` request.

### By Organization

If you already know which Organization the end user is attempting to log into, you can fetch the Organization object and prompt the user to select between their active Connections.

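```python theme={null}
from stytch import B2BClient
from stytch.core.response_base import StytchError

client = B2BClient(project_id="PROJECT_ID", secret="SECRET")

def get_active_sso_connections(organization_id: str):
    # e.g. "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931"
    try:
        resp = client.organizations.get(
            organization_id=organization_id,
        )
    except StytchError as e:
        return e.details

    # Active SSO Connections the user can choose between
    return resp.organization.sso_active_connections
```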

### By Email Address

If you don't know which Organization the user is trying to access, you can use the [Discover SSO Connections](/api-reference/b2b/frontend-sdks/react/methods/sso/discover-connections) method in our headless frontend SDK.

```js theme={null}
import { StytchB2BHeadlessClient } from '@stytch/vanilla-js/b2b/headless';

const stytch = new StytchB2BHeadlessClient('PUBLIC_TOKEN');

// Return the promise so the caller can read the discovered connections
export const discoverSSOConnections = () => {
  return stytch.sso.discoverConnections('sandbox@stytch.com');
};
```

This method attempts to find the SSO Connection that the user wishes to use by prioritizing in the following order:

1. Active SSO Registrations (e.g. the user has previously signed in via this connection)
2. Active Memberships
3. Invites
4. Eligible to join by email domain

At each step, we will check to see if we have SSO Connections that apply and, if so, will return those. If we have not found SSO Connections, we will continue to the next step. In rare situations where we find SSO Connections for distinct Organizations at a given step, we will return an empty array and recommend prompting the user for the Organization they wish to access.

The goal is to direct users to the correct connection without exposing your application to account enumeration attacks or relying on unscalable assumptions like a 1:1 mapping between domain and SSO Connection.
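
The priority order and the empty-array rule described above, modelled as an added example (not Stytch's implementation and not part of the original documentation). The step labels, the `Candidate` type, the `discover` function and all sample IDs are assumptions made for illustration.

```python
from dataclasses import dataclass

# Priority order from the list above. The step labels, the Candidate type and
# discover() are this example's own names, not Stytch API objects.
STEPS = ("sso_registration", "membership", "invite", "email_domain")


@dataclass(frozen=True)
class Candidate:
    step: str             # which of the four rules matched the email address
    organization_id: str  # Organization that owns the connection
    connection_id: str


def discover(candidates):
    """Return connection IDs from the highest-priority step that has any.

    Returns [] when nothing matches, and also when the first matching step
    spans more than one Organization, so the caller must ask the user which
    Organization they want.
    """
    for step in STEPS:
        hits = [c for c in candidates if c.step == step]
        if not hits:
            continue  # no connections at this step: fall through to the next
        if len({c.organization_id for c in hits}) > 1:
            return []  # distinct Organizations at one step: ambiguous
        return sorted({c.connection_id for c in hits})
    return []


# Constructed sample data (made-up IDs).
RETURNING_USER = [
    Candidate("email_domain", "org-b", "conn-b1"),
    Candidate("sso_registration", "org-a", "conn-a1"),
]
INVITED_TO_TWO_ORGS = [
    Candidate("invite", "org-a", "conn-a1"),
    Candidate("invite", "org-b", "conn-b1"),
    Candidate("email_domain", "org-c", "conn-c1"),
]
ONE_ORG_TWO_CONNECTIONS = [
    Candidate("membership", "org-a", "conn-a2"),
    Candidate("membership", "org-a", "conn-a1"),
]

if __name__ == "__main__":
    for name, data in [("returning user", RETURNING_USER),
                       ("invited to two orgs", INVITED_TO_TWO_ORGS),
                       ("one org, two connections", ONE_ORG_TWO_CONNECTIONS),
                       ("unknown email", [])]:
        print(f"{name}: {discover(data)}")
```

In this model an ambiguous match and an unknown email address both produce an empty list, so the calling code handles both the same way: by prompting for the Organization.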

If you would prefer to always show the user all possible SSO Connections, regardless of the account enumeration risk, you can do this by calling the [Search Members](/api-reference/b2b/frontend-sdks/react/methods/members/search-members) API.
