Getting started with SSO
Integrate Single Sign-On (SSO) with Scalekit to enhance your B2B SaaS application’s security. Scalekit provides seamless user experiences by abstracting the complexities of SAML and OIDC protocols. Using Scalekit’s authentication platform, you can implement enterprise-grade SSO with minimal code. We offer pre-built integrations with major identity providers including Okta, Microsoft Entra ID, JumpCloud, and OneLogin.
This quickstart guide walks you through the SSO implementation process. You will learn how to deliver enterprise authentication features without managing complex protocol details.
The following diagram illustrates the flow in a nutshell:
-
Environment Setup
Section titled “Environment Setup”Before implementing SSO with Scalekit, prepare your development environment with the necessary credentials and SDK. Sign up and get API credentials from the Scalekit dashboard.
npm install @scalekit-sdk/nodepip install scalekit-sdk-pythongo get -u github.com/scalekit-inc/scalekit-sdk-go/* Gradle users - add the following to your dependencies in build file */implementation "com.scalekit:scalekit-sdk-java:1.1.3"<!-- Maven users - add the following to your `pom.xml` --><dependency><groupId>com.scalekit</groupId><artifactId>scalekit-sdk-java</artifactId><version>1.1.3</version></dependency>Now you’re ready to start integrating SSO into your app! Next, we’ll cover how to use the SDK to authenticate users.
-
Authorize users
Section titled “Authorize users”To initiate Single Sign-On (SSO) authentication, redirect users to the Scalekit Authorization URL with the appropriate enterprise identity provider parameters.
Construct your authorization URL with these essential parameters:
Parameter Description redirect_uri
Your application endpoint that will receive the authorization code after successful authentication. Example: https://your-app.com/auth/callback
client_id
Your unique Scalekit application identifier that specifies both your app and environment (staging, production). SSO Connection identifier Choose the appropriate identifier based on your implementation (use one). SSO connection identifiers
When initiating SSO authentication, you must specify which connection to use through one of these identifiers, listed in order of precedence:
connection_id
(e.g., conn_124234234): Specifies a particular SSO connection with highest precedence. If valid, this connection will be used regardless of other parameters.organization_id
(e.g., org_124234234): Directs users to a specific organization’s SSO. Used when no valid connection_id is provided. If an organization has multiple SSO connections, the system selects the first active one.domain
(e.g., acmecorp.com): Uses the SSO connection configured for the specified domain. Applied when neither connection_id nor organization_id are provided.login_hint
(e.g., john@acmecorp.com): Lowest precedence. The system extracts the domain portion of the email address and uses the corresponding SSO connection.
After selecting the appropriate parameters for your implementation needs, construct your complete authorization URL and implement a redirect to this URL when users initiate the login process.
import { ScalekitClient } from '@scalekit-sdk/node';// Initialize the SDK clientconst scalekit = new ScalekitClient('<SCALEKIT_ENVIRONMENT_URL>','<SCALEKIT_CLIENT_ID>','<SCALEKIT_CLIENT_SECRET>',);const options = {};// Option 1: Authorization URL with the organization IDoptions['organizationId'] = 'org_15421144869927830';// Option 2: Authorization URL with login hintoptions['connectionId'] = 'conn_15696105471768821';// Option 3: Authorization URL with login hintoptions['loginHint'] = 'user@example.com';const authorizationURL = scalekit.getAuthorizationUrl(redirectUrl, options);from scalekit import ScalekitClient, AuthorizationUrlOptions, CodeAuthenticationOptions# Initialize the SDK clientscalekit = ScalekitClient('<SCALEKIT_ENVIRONMENT_URL>','<SCALEKIT_CLIENT_ID>','<SCALEKIT_CLIENT_SECRET>')options = AuthorizationUrlOptions()# Option 1: Authorization URL with the organization IDoptions.organization_id = 'org_15421144869927830'# Option 2: Authorization URL with login hintoptions.login_hint = 'user@example.com'# Option 3: Authorization URL with the connection IDoptions.connection_id = 'conn_15696105471768821'authorization_url = scalekit_client.get_authorization_url(redirect_uri=<redirect_uri>,options=options)# Redirect the user to this authorization URLimport ("github.com/scalekit/scalekit-sdk-go")func main() {// Initialize the SDK clientscalekitClient := scalekit.NewScalekitClient("<SCALEKIT_ENVIRONMENT_URL>","<SCALEKIT_CLIENT_ID>","<SCALEKIT_CLIENT_SECRET>")options := scalekitClient.AuthorizationUrlOptions{}// Option 1: Authorization URL with the organization IDoptions.OrganizationId = "org_15421144869927830"// Option 2: Authorization URL with the connection IDoptions.ConnectionId = "conn_15696105471768821"// Option 3: Authorization URL with Login Hint// User's email domain detects the correct enterprise SSO connection.options.LoginHint = "user@example.com"authorizationURL := scalekitClient.GetAuthorizationUrl(redirectUrl,options,)// Next step is to redirect the user to this authorization URL}// Redirect the user to this authorization URLpackage com.scalekit;import com.scalekit.ScalekitClient;import com.scalekit.internal.http.AuthorizationUrlOptions;public class Main {public static void main(String[] args) {// Initialize the SDK clientScalekitClient scalekitClient = new ScalekitClient("<SCALEKIT_ENVIRONMENT_URL>","<SCALEKIT_CLIENT_ID>","<SCALEKIT_CLIENT_SECRET>");AuthorizationUrlOptions options = new AuthorizationUrlOptions();// Option 1: Authorization URL with the organization IDoptions.setOrganizationId("org_13388706786312310");// Option 2: Authorization URL with the connection IDoptions.setConnectionId("con_13388706786312310");// Option 3: Authorization URL with Login Hint// User's email domain detects the correct enterprise SSO connection.options.setLoginHint("user@example.com");try {String url = scalekitClient.authentication().getAuthorizationUrl(redirectUrl, options).toString();} catch (Exception e) {System.out.println(e.getMessage());}}}// Redirect the user to this authorization URLThis redirect will send users to the Scalekit authentication flow, where they’ll authenticate with their organization’s identity provider before being returned to your application.
Example Authorization URL https://auth.scalekit.com/authorize?client_id=skc_122056050118122349527&redirect_uri=https://yourapp.com/auth/callback&organization_id=org_12434341After redirecting users to the Scalekit authorization endpoint, handle the callback at your
redirect_uri
to retrieve the user profile and complete the authentication process. -
Fetch user details
Section titled “Fetch user details”After successful SSO authentication, Scalekit redirects users to your specified redirect_uri with a temporary authorization code parameter. This code must be exchanged for the user’s profile information through a secure server-side request.
The authorization code exchange process should always be performed server-side to maintain security. This server-side request will:
- Validate the authorization code
- Return the authenticated user’s profile details
- Establish the user’s session in your application
The following section demonstrates how to implement this exchange process to retrieve comprehensive user information and complete the authentication flow.
Fetch user profile // Handle oauth redirect_url, fetch code and error_description from request paramsconst { code, error, error_description, idp_initiated_login, connection_id, relay_state } =req.query;if (error) {// Handle errors}// Recommended: Handle idp initiated loginconst result = await scalekit.authenticateWithCode(code, redirectUri);const userEmail = result.user.email;// Next step: create a session for this user and allow accessFetch user profile # Handle oauth redirect_url, fetch code and error_description from request paramscode = request.args.get('code')error = request.args.get('error')error_description = request.args.get('error_description')idp_initiated_login = request.args.get('idp_initiated_login')connection_id = request.args.get('connection_id')relay_state = request.args.get('relay_state')if error:raise Exception(error_description)# Recommended: Handle idp initiated loginresult = scalekit.authenticate_with_code(code, '<redirect_uri>')# result.user has the authenticated user's detailsuser_email = result.user.email# Next step: create a session for this user and allow accessFetch user profile // Handle oauth redirect_url, fetch code and error_description from request paramscode: = r.URL.Query().Get("code")error: = r.URL.Query().Get("error")errorDescription: = r.URL.Query().Get("error_description")idpInitiatedLogin: = r.URL.Query().Get("idp_initiated_login")connectionID: = r.URL.Query().Get("connection_id")relayState: = r.URL.Query().Get("relay_state")if error != "" {// Handle errors}// Recommended: Handle idp initiated loginresult, err: = a.scalekit.AuthenticateWithCode(code,<redirectUrl>)if err != nil {// Handle errors}// result.User has the authenticated user's detailsuserEmail: = result.User.Email// Next step: create a session for this user and allow accessFetch user profile // Handle oauth redirect_url, fetch code and error_description from request paramsString code = request.getParameter("code");String error = request.getParameter("error");String errorDescription = request.getParameter("error_description");String idpInitiatedLogin = request.getParameter("idp_initiated_login");String connectionID = request.getParameter("connection_id");String relayState = request.getParameter("relay_state");if (error != null && !error.isEmpty()) {// Handle errorsreturn;}// Recommended: Handle idp initiated logintry {AuthenticationResponse result = scalekit.authentication().authenticateWithCode(code, redirectUrl);String userEmail = result.getIdTokenClaims().getEmail();// Next step: create a session for this user and allow access} catch (Exception e) {// Handle errors}The
result
objectResult object {user: {email: "john.doe@example.com",familyName: "Doe",givenName: "John",username: "john.doe@example.com",id: "conn_326735950921X7829;cc4aaef2-b395-4b40-81ae-b8183c1006e1"},idToken: "<USER_PROFILE_JWT>", // JWT containing user profile informationaccessToken: "<API_CALL_JWT>", // Token for API callsexpiresIn: 899}