
Auth Thoughts

The Power of Descope Flows: Enforcing SSO for SSO-Enabled Domains


UPDATE: This blog was originally written in May 2023 but we updated it in Jan 2024 because enforcing SSO login for enabled domains is even easier with Descope now! Keep reading to find out more.

This is Part 2 of the “The Power of Descope Flows” blog series which will cover how our drag-and-drop authentication platform can be used to add, modify, and update authentication on any app or website. In this blog, we cover how Descope Flows can be used to authenticate with SSO for enabled domains.

Check out Part 1 here.

Recently, one of our customers asked us if there was an easy way to implement SSO with Descope that could automatically detect whether a user should sign in via SSO or OTP based on their email address. This was one of those use cases that is extremely simple to handle with Flows, and it got me thinking about how powerful Descope Flows can be for app developers.

The importance of SSO

Building authentication in-house can quickly get complicated as companies increasingly rely on multiple applications and services to support their operations. As the number of integrations with other products continues to increase, so does the complexity of managing user authentication with all of those different platforms. 

To cope with this problem, Single Sign-On (SSO) has emerged as a powerful solution to simplify the authentication process and enhance application security. With SSO, one user can access multiple applications using a single set of credentials, thereby reducing the risk of password-related security breaches. 

Here are some of the benefits of using SSO:

  1. Improved user experience: The use of SSO greatly simplifies the login process by eliminating the need to remember multiple credentials for different applications. An example of this is being able to sign in and create a YouTube account with your Gmail account username and password.

  2. Enhanced security: Centralizing the authentication process reduces the risk of weak or reused passwords. With SSO, users can focus on creating a single strong password, decreasing the likelihood of unauthorized access. SAML SSO specifically uses security tokens called SAML assertions, which are digitally signed (and can additionally be encrypted), so they cannot be tampered with undetected or read by a third party in transit.

  3. Better user management: Since you essentially have one set of login credentials for many applications, SSO allows you to manage all of your user access and permissions from a single dashboard.

In the next section, we will dive into the process of using Descope to identify SSO-enabled domains to streamline the user experience.


Streamlining user login with SSO

Descope is a versatile and powerful authentication platform that simplifies SSO implementation for app developers. With Descope Flows, you can easily set up SSO for all of your tenants to work with a variety of applications and services. 

The great thing about using Flows is that lots of functionality, such as SSO-enabled detection, is already built into the platform. The domain of the email address the user enters is used automatically to detect whether SSO-based login is enabled for that domain.

To create the experience described above, simply follow these steps:

  • Go to Flows, select which one you want to edit, and select the first screen, or create a new one with the blue + in the bottom left of your screen.

Fig: Create and select the "Sign in Screen" in your Flow
  • On the main styling page, edit the screen to include one button and a text entry field for the user’s email address, and click Done in the top right corner (you can style the rest however you want).

Fig: Create your SSO sign-in screen
  • Create a Condition block (under the blue + and Condition), and connect it to your SSO / Enabled block. If you’re confused about how to create a Condition block, please refer to this other KB.

Fig: Conditional step to check if SSO is enabled

Afterwards, your flow should look similar to mine:

Fig: Flow containing social login and email options

In the flow above, I'm attempting to log in either with Email or with OAuth Social Login (Google and Microsoft). If SSO isn't enabled for the domain of the email entered, the flow falls back to sending an OTP to that email instead.
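To make the routing decision the Condition block performs concrete, here is an added example (not Descope's code and not part of the original post) that implements the same logic in plain JavaScript: extract the domain from the entered email, look it up in a tenant configuration, and route to SSO on an exact match or to email OTP otherwise. The `SSO_DOMAINS` table is constructed sample data; in a real deployment the enabled domains come from your tenant settings. The check deliberately uses an exact domain match, so a lookalike such as `acme.example.attacker.test` never inherits the SSO routing of `acme.example`.

```javascript
// Added example: route a sign-in attempt to SSO or OTP based on the
// email's domain. Constructed sample data; not Descope's implementation.

// Constructed tenant configuration: domain -> tenant metadata.
const SSO_DOMAINS = new Map([
  ["acme.example", { tenant: "acme", idp: "saml" }],
  ["globex.example", { tenant: "globex", idp: "oidc" }],
]);

// Returns the lower-cased domain of a well-formed email, or null.
// Rejects empty local parts, multiple '@', and domains without a dot,
// so malformed input never reaches the lookup.
function parseEmailDomain(email) {
  if (typeof email !== "string") return null;
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf("@");
  if (at <= 0 || at === trimmed.length - 1) return null;
  if (trimmed.indexOf("@") !== at) return null; // more than one '@'
  const domain = trimmed.slice(at + 1).toLowerCase();
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain)) return null;
  return domain;
}

// Decide the authentication method for an email. Exact-match lookup only:
// no suffix/substring matching, which would let crafted domains hijack SSO.
function routeSignIn(email, ssoDomains = SSO_DOMAINS) {
  const domain = parseEmailDomain(email);
  if (domain === null) {
    return { method: "reject", reason: "invalid email" };
  }
  const match = ssoDomains.get(domain);
  if (match) {
    return { method: "sso", tenant: match.tenant, idp: match.idp, domain };
  }
  // Not an SSO-enabled domain: fall back to a one-time passcode by email.
  return { method: "otp", domain };
}

// Usage: mirrors the Condition block's two outgoing branches.
console.log(routeSignIn("Alice@ACME.example"));              // sso, tenant acme
console.log(routeSignIn("bob@personal.test"));               // otp
console.log(routeSignIn("eve@acme.example.attacker.test"));  // otp, not sso
console.log(routeSignIn("not-an-email"));                    // reject
```

Note that this decision only selects the login path; it grants nothing by itself. The SSO branch still has to complete a full IdP exchange (signed SAML assertion or OIDC token validation), and the OTP branch still has to verify the code, before a session is issued.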

You can then integrate Descope with your application using our variety of SDKs and libraries, enabling you to have seamless SSO across your enabled domains.

Fun fact: You can automatically format your flows to look nice and tidy with the Organize button in the bottom right corner:

Fig: The Organize button in the Flows editor

Once all that's done, users who enter an email on an SSO-enabled domain are automatically redirected to SSO login. You can also easily enforce role-based access control (RBAC) directly from the Descope console or with an SDK.


Conclusion

As you can see, SSO is an essential tool for organizations seeking to simplify user authentication and enhance security across multiple applications and services. By identifying SSO-enabled domains and leveraging an authentication platform like Descope, you can create a more streamlined and secure authentication experience for all of your users.

If you would like to learn more about Descope and how it might benefit your project or business, sign up for our platform and check out some of our B2B or B2C sample apps.