
The Power of Descope Flows: Enforcing SSO for SSO-Enabled Domains


This is Part 2 of “The Power of Descope Flows” blog series, which covers how our drag-and-drop authentication platform can be used to add, modify, and update authentication on any app or website. In this blog, we cover how Descope Flows can be used to authenticate with SSO for SSO-enabled domains.

Check out Part 1 here.

Recently, one of our customers asked us if there was an easy way to implement SSO with Descope that could automatically detect whether a user should sign in via SSO or OTP based on their email address. This was one of those use cases that is extremely simple to handle with Flows, and it got me thinking about how powerful Descope Flows can be for app developers.

The importance of SSO

Building authentication in-house can quickly get complicated as companies increasingly rely on multiple applications and services to support their operations. As the number of integrations with other products continues to increase, so does the complexity of managing user authentication with all of those different platforms. 

To cope with this problem, Single Sign-On (SSO) has emerged as a powerful solution to simplify the authentication process and enhance application security. With SSO, one user can access multiple applications using a single set of credentials, thereby reducing the risk of password-related security breaches. 

Here are some of the benefits of using SSO:

  1. Improved user experience: The use of SSO greatly simplifies the login process by eliminating the need to remember multiple credentials for different applications. An example of this is being able to sign in and create a YouTube account with your Gmail account username and password.

  2. Enhanced security: Centralizing the authentication process reduces the risk of weak or reused passwords. With SSO, users can focus on creating a single strong password, decreasing the likelihood of unauthorized access. SAML SSO specifically uses security tokens called SAML assertions, which are digitally signed and encrypted, ensuring that the data cannot be tampered with or intercepted during transmission.

  3. Better user management: Since you essentially have one set of login credentials for many applications, SSO allows you to manage all of your user access and permissions from a single dashboard.

In the next section, we will dive into the process of using Descope to identify SSO-enabled domains to streamline the user experience.


Streamlining user login with SSO

With Descope Flows, you can easily set up SSO for all of your tenants to work with a variety of applications and services. To detect from a user's email address whether SSO is enabled for them, follow these simple steps:

  1. Sign in to Descope and go into the Flow you would like to customize.

  2. Ensure you have an email input field and button on the login screen.

  3. Add the SSO / Enabled Action block to the flow.

  4. Create a condition block, using the ssoEnabled key, to identify whether SSO is enabled for the user.

  5. Add the SSO Action block to force sign-in, if ssoEnabled is true.

Fig: Conditional step to check if SSO is enabled
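
The decision this flow makes, written out as an added JavaScript example (it is not Descope's code or SDK). The tenant table, function names, and domains are constructed for illustration. The domain is matched exactly, so a lookalike such as notacme.example is not treated as SSO-enabled, and OTP is refused for a domain that has SSO enabled.

```javascript
// Constructed tenant table (hypothetical): email domain -> SSO settings.
const TENANTS = new Map([
  ["acme.example", { tenantId: "T-acme", ssoEnabled: true }],
  ["smallshop.example", { tenantId: "T-small", ssoEnabled: false }],
]);

// Return the normalized domain of an email address, or null if malformed.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf("@");
  // Require exactly one "@" with text on both sides.
  if (at <= 0 || at !== trimmed.indexOf("@") || at === trimmed.length - 1) {
    return null;
  }
  let domain = trimmed.slice(at + 1).toLowerCase();
  if (domain.endsWith(".")) domain = domain.slice(0, -1); // trailing root dot
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain)) return null;
  return domain;
}

// Mirrors the condition block: which method must this user sign in with?
function resolveLoginMethod(email, tenants = TENANTS) {
  const domain = emailDomain(email);
  if (domain === null) return { method: "reject", reason: "invalid email" };
  // Exact lookup only. Suffix matching would let "notacme.example" or
  // "acme.example.evil.test" pass as the SSO-enabled domain.
  const tenant = tenants.get(domain);
  if (tenant && tenant.ssoEnabled) {
    return { method: "sso", tenantId: tenant.tenantId };
  }
  return { method: "otp" };
}

// Server-side enforcement: the method a client asks for cannot bypass SSO.
function isMethodAllowed(email, requestedMethod, tenants = TENANTS) {
  const decision = resolveLoginMethod(email, tenants);
  return decision.method !== "reject" && decision.method === requestedMethod;
}
```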

As an example, you can also take some time to add Social Login to allow for both OAuth Social Login (Google and Microsoft) and Email. This is what the completed flow looks like:

Fig: Flow containing social login and email options

You can then integrate Descope with your application using our variety of SDKs and libraries, enabling you to have seamless SSO across your enabled domains.

Fun fact: You can automatically format your flows to look nice and tidy with the Organize button in the bottom right corner.

Once all that’s done, when users input an email that is SSO enabled, they will be automatically redirected to SSO login. You can also easily enforce role-based access control (RBAC) directly from the Descope console or with an SDK.


Conclusion

As you can see, SSO is an essential tool for organizations seeking to simplify user authentication and enhance security across multiple applications and services. By identifying SSO-enabled domains and leveraging an authentication platform like Descope, you can create a more streamlined and secure authentication experience for all of your users.

If you would like to learn more about Descope and how it might benefit your project or business, sign up for our platform and check out some of our B2B or B2C sample apps.