Table of Contents
Hello Descopers! We are delighted to share the SSO Setup Suite with you today. The SSO Setup Suite (which we fondly call S4) is a standalone self-service portal for all your B2B tenant admins’ SSO needs. You can send tenant admins a unique, temporary link to an S4 portal that helps them with step-by-step SSO and SCIM setup guides, IdP selection, advanced mapping configurations, and even testing tools.
The SSO Setup Suite is an evolution of Descope’s self-service configuration flows that were already loved by customers, with You.com saying it shortened SSO setup time from weeks to 15 minutes.
Check out our docs for details and watch the video below for a walkthrough. For more on the Why, What, and How, keep on reading!
Note: This feature is supported for Descope Pro tiers and above.
The Sisyphean SSO struggle
People that have had to set up or configure SSO authentication–either as an identity provider or service provider–know that it can end up feeling like a never-ending process. The security stakes are clear: passing sensitive information between two organizations while ensuring cybercriminals can’t find any loopholes or backdoors is a critical priority. But the actual implementation and endless debugging can make it feel like pushing a boulder up a mountain only for it to come crashing down again.
To simplify this process, most products support some sort of self-service SSO configuration. However, that has its own issues.
This configuration is usually built into the “back-office” of the product and relies on extensive knowledge of SAML or OpenID Connect.
The person responsible for SSO connections is usually not a product user but an IT administrator. This means you need to create a user for the IT admin to configure SSO, remove them once it’s done, add them back when there’s an issue to be solved, remove them again…see Sisyphus above.
The IT admin’s user account won’t be an SSO account since you’ll create it before setting up SSO, which leads to the danger of multiple user identities, orphaned accounts that could be targeted by cybercriminals, and inaccurate log, audit, and user data.
The SSO Setup Suite solves all the above concerns and more!
SSO Setup Suite Overview
The SSO Setup Suite is a standalone portal that provides a guided step-by-step overview for tenant admins to configure, manage, and test SSO and SCIM connections. Let’s look at some notable supported features.
SSO configuration
Tenant admins can go through vanilla SAML or OIDC configuration setups with S4, but it’s likely they are already using an identity provider like Google Workspace, Okta, JumpCloud, or Entra ID. They can go through pre-built guides for these IdPs for step-by-step instructions (including UI screenshots of the respective IdP) on which configurations need to be set up for the SSO connection between your product (using Descope behind the scenes) and the tenant admin’s IdP.
These guides are available for 17 IdPs at the time of writing, with more being added in every sprint!
SSO mapping
Identity providers usually contain important information that can govern a user’s experience in your product. Whether it’s user attributes that determine how they navigate through your product, or roles groups that define what they can and cannot do, it’s vital to sync these attributes from the IdP to your product.
S4 includes mapping configurations that support:
User attribute mapping to sync user attributes in the IdP to user attributes in Descope (these can be default or custom attributes).
Group mapping to sync user groups in the IdP to Descope’s authorization systems, with RBAC being supported at the time of writing and FGA support coming soon.
Configuration testing
Testing SSO connections can only be done with an end-to-end authentication ceremony, which can become onerous and time-consuming. The SSO Setup Suite provides a comprehensive testing tool that includes both the raw SAML / OIDC responses as well as mapped user objects and any configured associations. This helps tenant admins ensure that not only is the SSO connection firing correctly, but all the needed user information is mapped appropriately.
SCIM configuration
The SCIM protocol is used to keep multiple platforms in sync with updated user and group information. While most of the SCIM setup is done on the IdP side, there are some steps service providers (i.e. your product with Descope) need to follow. S4 includes a dedicated SCIM configuration section that makes this setup a breeze.
Now that we’ve covered the “what” of the SSO Setup Suite, let’s look at how you can configure and deliver it to your customers.
S4 lifecycle management
The SSO Setup Suite is hosted by Descope and can be accessed using a dedicated link. This link already takes into account the company, project, tenant, and SSO configuration (since tenants can have multiple SSO configurations). Once a tenant is created, you can generate an S4 link under Tenant Settings.
Generating this link attaches a token with a temporary identity and a clearly stated expiration date. This temporary identity can be used only for the SSO Setup Suite and has the appropriate privileges to configure the tenant’s SSO. It’s a volatile and restricted user that can’t take any other actions in your product, solving the “double identity” issue we laid out earlier in this blog.
S4 configuration and email settings
The SSO Setup Suite has default settings that can be adjusted to your application’s needs under the SSO section in the Authentication Methods tab:
Email templates: You can choose to send SSO setup links to tenant admins over email, including customizing the email template.
Link expiration: Depending on the use case and your application’s security requirements, the generated S4 link can be long or short lasting. The link can also be revoked prior to its stated expiration and regenerated later if the need arises.
Access control: You can define what permissions the temporary user will have as it relates to your authorization schema (with RBAC supported at present and FGA coming soon).
SDK and API support
While Descope’s cornerstone is Flows, we always ensure all our features are also supported via SDKs and APIs for developers that wish to integrate using those approaches. The SSO Setup Suite is fully supported in our SDKs and APIs, allowing you to customize the journey to your liking. For example, you can configure an S4 link to be generated and sent to the customer tenant admin automatically when a tenant is created.
Complete customer SSO with Descope
The SSO Setup Suite is a one-stop shop to accelerate time to value as you onboard B2B customers, ensuring all the benefits of SSO without any of the configuration hassle. It’s the latest in a long line of SSO capabilities including:
Easy creation of SSO authentication processes with Descope Flows.
Supporting multiple SSO configurations per tenant.
Enforcing SSO for enabled domains.
Federating identities across hosted apps and multiple IdPs using Descope as an OIDC Provider.
Seamlessly migrating existing SSO connections to Descope.
Try out S4 with your tenant admins and let us know what you think! If you have questions or would like to start “descoping” SSO from your engineering team’s daily work, book a demo with our auth experts.
