Skip to main content

Getting started with SSO

Integrate with dozens of identity providers via SAML or OIDC

Implementing Single Sign-On with Scalekit enhances your B2B SaaS application's security while providing seamless user experiences by abstracting the complexities of SAML and OIDC protocols. Scalekit's authentication platform enables developers to implement enterprise-grade SSO with minimal code, offering pre-built integrations with major identity providers including Okta, Microsoft Entra ID, JumpCloud, and OneLogin.

This quickstart guide walks you through the SSO implementation process, allowing you to deliver enterprise authentication features without managing complex protocol details.

How Scalekit works

Scalekit offers turnkey SSO for B2B SaaS applications

1. Environment Setup

Before implementing SSO with Scalekit, prepare your development environment with the necessary credentials and SDK. This setup process ensures secure communication between your application and Scalekit authentication platform.

Install the Scalekit SDK

Scalekit provides language-specific SDKs that simplify SSO implementation. Select and install the appropriate SDK for your technology stack:

Setup SDK
npm install @scalekit-sdk/node

Configure API Credentials

Secure your Scalekit API communication by setting up environment variables. You'll need three key pieces of information from your Scalekit Dashboard:

To configure your API credentials:

  1. Sign in to your Scalekit Dashboard
  2. Navigate to your desired environment (Development, Staging, or Production)
  3. Select "API Config" from the navigation menu
  4. Copy your Environment URL, Client ID, and Client Secret
  5. Store these credentials as environment variables in a .env file:
.env
SCALEKIT_ENVIRONMENT_URL='https://b2b-app-dev.scalekit.com'
SCALEKIT_CLIENT_ID='<CLIENT_ID_FROM_SCALEKIT_DASHBOARD>'
SCALEKIT_CLIENT_SECRET='<SECRET_FROM_SCALEKIT_DASHBOARD>'
tip

Now you're ready to start integrating SSO into your app! Next, we'll cover how to use the SDK to authenticate users.

2. Authorize Users

To initiate Single Sign-On (SSO) authentication, redirect users to the Scalekit Authorization URL with the appropriate enterprise identity provider parameters.

Construct your authorization URL with these essential parameters:

ParameterDescription
redirect_uriYour application endpoint that will receive the authorization code after successful authentication. Example: https://your-app.com/auth/callback
client_idYour unique Scalekit application identifier that specifies both your app an¯d environment (staging, production).
SSO Connection IdentifierChoose the appropriate identifier based on your implementation (use one).

SSO connection identifiers

When initiating SSO authentication, you must specify which connection to use through one of these identifiers, listed in order of precedence:

  • connection_id (e.g., conn_124234234): Specifies a particular SSO connection with highest precedence. If valid, this connection will be used regardless of other parameters.

  • organization_id (e.g., org_124234234): Directs users to a specific organization's SSO. Used when no valid connection_id is provided. If an organization has multiple SSO connections, the system selects the first active one.

  • domain (e.g., acmecorp.com): Uses the SSO connection configured for the specified domain. Applied when neither connection_id nor organization_id are provided.

  • login_hint (e.g., john@acmecorp.com): Lowest precedence. The system extracts the domain portion of the email address and uses the corresponding SSO connection.

note

For social login, use provider=google to bypass all enterprise SSO parameters and direct users straight to Google's login screen. See Social Login for more information.

After selecting the appropriate parameters for your implementation needs, construct your complete authorization URL and implement a redirect to this URL when users initiate the login process.

Construct Authorization URL
import { ScalekitClient } from '@scalekit-sdk/node';
// Initialize the SDK client
const scalekit = new ScalekitClient(
  '<SCALEKIT_ENVIRONMENT_URL>',
  '<SCALEKIT_CLIENT_ID>',
  '<SCALEKIT_CLIENT_SECRET>',
);

const options = {};

// Option 1: Authorization URL with the organization ID
options['organizationId'] = 'org_15421144869927830';

// Option 2: Authorization URL with login hint
options['connectionId'] = 'conn_15696105471768821';

// Option 3: Authorization URL with login hint
options['loginHint'] = 'user@example.com';

const authorizationURL = scalekit.getAuthorizationUrl(redirectUrl, options);

This redirect will send users to the Scalekit authentication flow, where they'll authenticate with their organization's identity provider before being returned to your application.

Example Authorization URL
https://auth.scalekit.com/authorize?
  client_id=skc_122056050118122349527&
  redirect_uri=https://yourapp.com/auth/callback&
  organization_id=org_12434341

After redirecting users to the Scalekit authorization endpoint, handle the callback at your redirect_uri to retrieve the user profile and complete the authentication process. For a practical implementation example, refer to our NextJS guide on adding SSO to the Login Page, which demonstrates the complete user authorization flow with code samples.

3. Fetch User Details

After successful SSO authentication, Scalekit redirects users to your specified redirect_uri with a temporary authorization code parameter. This code must be exchanged for the user's profile information through a secure server-side request.

The authorization code exchange process should always be performed server-side to maintain security. This server-side request will:

  1. Validate the authorization code
  2. Return the authenticated user's profile details
  3. Establish the user's session in your application

The following section demonstrates how to implement this exchange process to retrieve comprehensive user information and complete the authentication flow.

Fetch user profile
// Handle oauth redirect_url, fetch code and error_description from request params
const { code, error, error_description, idp_initiated_login, connection_id, relay_state } =
  req.query;

if (error) {
  // Handle errors
}

// Recommended: Handle idp initiated login

const result = await scalekit.authenticateWithCode(code, redirectUri);
const userEmail = result.user.email;

// Next step: create a session for this user and allow access

The result object

Result Object
Loading...
tip

  • The idToken is a JWT containing user profile information, while the accessToken is used for API calls.

  • For security and compliance reasons, Scalekit does not store user profile information in persistent databases.

Is this page helpful? Yes No
Need help? Contact Support
Questions? Contact Us