Enterprise Single Sign-On

Enable SSO for your app.
Any identity provider. One integration.

SAML and OIDC-compliant authentication, fully configurable per customer—without the engineering hassle.

Stytch Single Sign-On
Stytch Single Sign-On

Enterprise SSO in one sprint

Integrate across any SAML or OIDC based identity providers like Okta, Google, Microsoft

Compliance you can trust: SOC 2, ISO 27001, HIPAA, GDPR, and more

Integrates with your existing app with intuitive API calls

SSO Workflow

SSO simplified

Stytch handles the backend auth exchange with each identity provider, wrapping complex OIDC and SAML protocol flows into two simple API calls.

Start the SSO process:

curl --url https://test.stytch.com/v1/public/sso/start?connection_id=saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9&public_token=PUBLIC_TOKEN

Complete SSO Authentication:

curl --request POST \
  --url https://test.stytch.com/v1/b2b/sso/authenticate \
  -u 'PROJECT_ID:SECRET' \
  -H 'Content-Type: application/json' \
  -d '{
    "sso_token": "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4="
  }'

Easily customize SSO configurations based on individual customer requirements

Easily configure one, or many different providers per customer

Modular tooling to add in features like SCIM and Magic Links as you need them

Start with SSO, add enterprise features and AI agent security with ease down the line

SSO Multi-Org

Build with flexibility

Integrate SSO via backend APIs, headless frontend SDKs and pre-built frontend UI

Easily embed ready-to-use login and signup components into your app. Keep users on your own domain, and match your own CSS to align to your brand.

Learn about Stytch pre-built UI

Frontend SDKs

Frontend SDKs

With self-serve SSO settings and onboarding

Let your customers handle configuration for members, organizations, and SSO via an admin UI embedded right inside your app

SSO Workflow

It’s remarkable how much work well-thought-out abstractions can do for you. Since Stytch handles the initial request to determine available login methods, requiring SAML or Google login is as simple as flipping a bit via Stytch’s API.

Orb

It’s remarkable how much work well-thought-out abstractions can do for you. Since Stytch handles the initial request to determine available login methods, requiring SAML or Google login is as simple as flipping a bit via Stytch’s API.

Orb
Sri Raghavan
Founding Engineer

Transparent pricing

No price hikes, feature gating, or hidden fees. Pricing scales predictably with each additional SSO connection added.

SSO connections

5 connections: free

6-10 connections: $125 per connection / month

FAQ

While libraries simplify basic protocol handling, they don't handle all of the complex challenges of SSO. You still need to manage provider-specific integrations, handle edge cases (race conditions, clock skew, expired assertions, etc), implement secure multi-tenant session management, and develop onboarding and administration tools.

Stytch abstracts all of this away by providing:

1. Comprehensive IdP integration: Fully managed, out-of-the-box compatibility with Okta, Azure AD, Google Workspace, OneLogin, and more via both SAML and OIDC, eliminating custom code for provider-specific quirks.

2. Just-in-time (JIT) provisioning and automatic role assignment: Configurable settings to automatically provision new users and assign roles based on SSO connections, IdP group membership, or email domains.

3. Org-level auth policies: Allow customers to define domain enforcement, permitted login methods, and multi-factor authentication (MFA) settings via Admin Portal or API.

4. Multi-tenant session management: Built-in support for scoped sessions, isolated identities, and seamless switching between multiple organizations—all while enforcing each Organization's unique authentication requirements and protecting against account takeover attack (ATO) vulnerabilities.

5. Prebuilt Admin Portal: Fully managed UI enabling customer self-service for configuring and managing their own SSO setups, significantly reducing your engineering and support burden.

6. Production-grade reliability: Proven handling of real-world SSO edge cases, including assertion validation, relay state mismatches, and time synchronization issues critical to enterprise environments.

7. Breakglass users: Designate trusted admins who can bypass organization auth policies to resolve critical issues quickly if an IdP integration breaks.

6. Trusted External SSO Connections: Enable secure Managed Service Provider (MSP) scenarios by explicitly allowing SSO from trusted external IdP instances without introducing account takeover risks.