Skip to main content

Setting Up Single Sign-On (SSO) Login on Stack

In this guide, you'll discover how to integrate your Stack account with an external SSO provider to offer a seamless Single Sign-On experience for your users.

Table of Contents

Pricing for Enabling SSO

The SSO feature is available as an add-on for $200 per month, in addition to your existing Stack subscription.

Important Considerations Before Activation

  • Stack supports only the OIDC standard for SSO. SAML is not supported.
  • Users are not automatically created in Stack through the SSO Integration. You will need to set up user creation using APIs.
  • Only one SSO integration is supported at the agency level, meaning all users across all sub-accounts share the same SSO login experience.

Adding Users from Your SSO Identity Provider

  1. Create a Private Integration Token: Ensure the token has 'Create or Edit Users' scope enabled.
  2. Use the Create Users API for SSO: Utilize this API to create or update users in Stack. Ensure the "externalUserId" parameter matches the unique user ID from your SSO IDP's user database.

Configuring SSO

Once the SSO feature is activated on your account, you can configure it under your account settings. This involves setting up the integration with your chosen SSO provider, such as Auth0.

Process for Setting Up SSO

  1. Private Beta Access: Currently, this feature is in Private Beta. To enable it, contact support via email.
  2. Subscription Update: With your consent, you'll be signed up for the $200/month plan to enable the SSO feature.
  3. Feature Activation: After payment, the feature will be enabled on your account. However, users won't see the SSO Login option until setup is complete.
  4. Update Existing Users: Ensure your existing users are updated with the externalUserID.
  5. Complete SSO Configuration: Finalize the setup as described in the configuration section.

Once these steps are completed, your users will see the "SSO Login" option on your white-labeled login page.

Handling Email Updates on the SSO IDP

Stack uses the externalUserId to uniquely identify users during login. If a user's email is updated in the IDP database after initial creation, Stack will automatically update the user's email on its side the next time they log in.