SSO
Apr 3, 2025

How to build SSO authentication with Python

Hrishikesh Premkumar
Founding Architect

Enterprise customers expect SSO support in any serious SaaS application—whether you’re building APIs or dashboards using FastAPI, Django, or Flask. But manually integrating protocols like SAML or OIDC with providers like Okta or Microsoft Entra ID is painful and error-prone. This guide shows how to add secure, production-ready SSO to your Python backend using Scalekit’s SDK. You’ll build a complete login and callback flow, manage JWT-based sessions, and test it all locally using an IdP simulator.

What this guide covers

By the end of this guide, you'll have a working SSO authentication flow using Python and Scalekit. You’ll:

  • Create a login endpoint that redirects to the user’s identity provider (Okta, Entra ID, etc.)
  • Handle authentication callbacks and extract user profile data
  • Establish a secure session using JWTs and HttpOnly cookies
  • Test the full flow locally using Scalekit’s built-in IdP simulator
  • Transition seamlessly to real IdPs in production

The case for SSO in Python-based backends

SSO streamlines enterprise logins. Users sign in once and access multiple tools without juggling passwords. For IT teams, it centralises access control. For developers, it introduces protocol complexity.

Python powers internal tools, APIs, and admin dashboards across industries. Whether you're building in Django or FastAPI, enterprise customers will ask for SSO support. Implementing it cleanly matters for user authentication, onboarding speed, and user experience.

The cost of doing SSO manually in Python

DevOrbit’s identity crisis

DevOrbit, a fictional analytics startup built on FastAPI, ran into trouble as soon as enterprise deals started rolling in. Each customer brought a different IdP: Okta, OneLogin, Microsoft Entra ID. DevOrbit tried to integrate each manually, wiring SAML assertions, mapping user attributes, and chasing token bugs. It didn’t scale.

Engineering cycles were spent debugging SSO flows instead of shipping the product. Their team had to manage configuration files, user records, and token logic manually. Onboarding dragged. Deals stalled. Imagine if DevOrbit switched to Scalekit: they could reduce their auth codebase to just a few lines of code.

Meet Scalekit: Protocol-agnostic SSO for Python apps

Scalekit removes the need to manage individual SAML or OIDC integrations. It acts as a bridge between your app and the enterprise service provider.

  • Configure each identity provider once via the Scalekit dashboard
  • Redirect users to Scalekit to initiate login
  • Receive verified user profile details via callback, including the user object and user info
  • Skip protocol-specific implementation (SAML, OAuth, OIDC)
  • Use with FastAPI, Flask, or Django in your project directory
  • Test using the built-in IdP Simulator for successful authentication

Scalekit simplifies the authentication flow, improves user management, and handles URL patterns and configuration details internally.

🔄 How Scalekit simplifies SSO in Python

  1. User clicks “Login with SSO” in your app
  2. Your FastAPI backend calls get_authorization_url() to generate the authorization request
  3. User is redirected to their IdP (authentication service) via Scalekit
  4. After successful authentication, Scalekit redirects back with a code
  5. Your app exchanges the code for tokens and user info
  6. A session is established (e.g. JWT in cookie)
How SSO works with Scalekit

Implementation overview

Here’s what you’ll implement in this guide:

  • A login route that initiates SSO by redirecting to the identity provider
  • A callback handler that verifies the authorization code and extracts user identity
  • A secure session setup using JWT and cookies in FastAPI
  • An optional test flow using Scalekit’s IdP simulator

End-to-end SSO flow

Here’s how the SSO flow works with Scalekit and your Python backend:

  1. User clicks “Login with SSO”
  2. Your app uses Scalekit SDK to generate a login redirect URL
  3. Scalekit redirects the user to their assigned Identity Provider (e.g., Okta)
  4. After authentication, the IdP sends the user back to your app with an auth code
  5. Your app exchanges the code for user profile info and tokens
  6. You establish a session and return the authenticated user to the frontend

Hands-on: Setting up SSO in Python with FastAPI

🛠️ Install the SDK

pip install scalekit-sdk-python

Make sure to install it inside your virtual environment for clean dependency isolation.

⚙️ Set environment variables

SCALEKIT_ENVIRONMENT_URL=your_env_url SCALEKIT_CLIENT_ID=your_client_id SCALEKIT_CLIENT_SECRET=your_secret

These variables provide your authentication service with connection and configuration details.

🔐 Set up the Scalekit client

from scalekit import ScalekitClient, AuthorizationUrlOptions sc = ScalekitClient(env_url, client_id, client_secret)

🔁 Create the login route

@app.get("/auth/login")async def auth_login(request: Request): options = AuthorizationUrlOptions() options.connection_id = "con_123456789" auth_url = sc.get_authorization_url(        redirect_uri=redirect_uri, options=options    )    return Response(status_code=302, headers={"Location": auth_url})

This route initiates SP-initiated SSO and sends the user to their service provider.

🔓 Handle the callback

from fastapi.responses import JSONResponse @app.get("/auth/callback") async def auth_callback(request: Request): code = request.query_params.get("code") token = sc.authenticate_with_code(code, redirect_uri)    user_email = token.user.email  # Optional: access more profile info    response = JSONResponse(content={"email": user_email})    response.set_cookie("access_token", token.accessToken, httponly=True, secure=True)    return response

This completes the authentication flow and stores user info securely.

▶️ Run the FastAPI app

uvicorn main:app --reload --port 8080

Make sure your hosts file allows local development on localhost.

🧪 Use the IdP simulator for testing

Scalekit's tIdP simulator
  • Use an @example.org test email to trigger the simulator
  • No real IdP setup required

🚪 Run with real IdPs:

  • Replace connection ID and credentials with production config
  • Redirect users to their enterprise IdP with one line of code

▶️ Run with actual config

Once the simulator is working, you can authenticate yourself. Use your actual config and try your app.

Scalekit SSO login screen
Scalekit SSO dashboard

Managing secure sessions with JWT in Python

Use pyjwt to manage sessions after login:

  • Issue access tokens with short expiry
  • Store tokens in secure, HttpOnly cookies to protect against XSS attacks
  • Implement refresh tokens if needed for long-lived sessions
  • Avoid storing tokens in localStorage or client-accessible cookies
  • Include claims like user ID or email address in the token payload
import jwt import time SECRET_KEY = "supersecret" def generate_token(user_id):    payload = {"user_id": user_id, "exp": time.time() + 3600}    return jwt.encode(payload, SECRET_KEY, algorithm="HS256")

This approach provides user authentication persistence while maintaining security best practices.

Debugging SSO flows in Python

SSO bugs often stem from misconfigurations. Here’s how to trace them:

  • Token errors: Check expiry, signature, and audience claim.
  • Redirect loops: Verify redirect_uri and state parameter.
  • ACS mismatches: Ensure the Assertion Consumer Service (ACS) URL matches what’s in the service provider settings.
  • Missing configuration files: Check your project directory for the required environment or YAML config.

Use Scalekit logs to trace the authentication flow. You can also inspect token contents to confirm user attributes like email address or user ID.

Best practices for secure Python SSO deployment

  • Enforce HTTPS for all callback and login routes
  • Rotate keys used for signing JWTs
  • Enable MFA at the IdP level
  • Never store tokens in localStorage
  • Set HttpOnly and Secure flags on cookies
  • Validate all callback inputs
  • Use centralized logging across Scalekit, your backend, and the authentication service
  • Use version control to track configuration files and update default values securely

Wrapping Up: SSO without the overhead

This guide covered the entire lifecycle of implementing SSO in a Python backend—from understanding enterprise SSO needs, to setting up routes in FastAPI using Scalekit’s SDK, and securing sessions with JWT. You learned how to test with the IdP simulator, debug common issues, and apply best practices around token handling and cookie storage.

You also saw how SSO fits into broader backend concerns like user authentication, user experience, service provider integration, and secure handling of user info and user accounts.

Enterprise SSO doesn’t have to slow you down. With Scalekit, Python developers can ship secure, scalable authentication in hours, not weeks.

FAQ

Do I need to use Django or FastAPI to implement SSO with Scalekit?

No. The SDK works with any Python backend, including Flask. FastAPI and Django just happen to be the most popular frameworks.

Can I test the SSO flow without connecting a real IdP like Okta or Entra ID?

Yes. Scalekit offers a built-in Test IdP Simulator. Use any @example.org email address to trigger simulated flows.

How do I manage sessions after login in a Python app?

Use JWTs. Issue short-lived access tokens and store them in secure cookies. Optionally add refresh tokens for persistent sessions.

Can I connect multiple Identity Providers in one Python backend?

Yes. Each customer’s IdP can be configured in Scalekit. Use connection_id to route users correctly.

How to implement SSO in Python?

Use the scalekit-sdk-python package. Set up login and callback routes, configure your org in the dashboard, and test using the IdP simulator.

No items found.
On this page
Toc link here
Share this article
Copy link
More from our blog
More articles
SSO
Feb 27, 2025
Implementing SSO using Ping Identity: A ReactJS developer’s guide
Kuntal Banerjee
SSO
Mar 13, 2025
Implementing SSO using OneLogin: A ReactJS developer’s guide
Srinivas Karre
SSO
Apr 7, 2025
Guide to building SSO solutions with Java Spring Boot
Kuntal Banerjee
More articles

Acquire enterprise customers with zero upfront cost

Every feature unlocked. No hidden fees.
Start for free
Talk to an engineer
Start Free
$0
/ month
1 FREE SSO/SCIM connection each
1000 Monthly active users
25 Monthly active organizations
Passwordless auth
API auth: 1000 M2M tokens
MCP auth: 1000 M2M tokens
Start freeSchedule a demoPricingLogin
Products
MCP OAuthAgent connectAuth methodsUI widgetsSingle sign-OnSCIMSocial loginAdmin portal
Solutions
Core authEnterprise authAgentic auth
For developers
DocsAPI referenceSDKsStatusRelease notes
Integrations
Auth0 + SSOFirebase + SSOIdentity providersSCIM directoriesSocial connectorsView all integrations
Compare
vs Auth0vs WorkOS
Resources
Auth0 alternativesWorkOS alternativesBlog
Authentication guides
M2M authenticationSingle sign-onSocial loginsOAuthPasswordlessSCIMDirectory syncTop SSO toolsSSO testing
Company
AboutLegalTrust center
Contact us
hi@scalekit.com
16192 Coastal Hwy Lewes,
DE 19958
© 2025 ScaleKit Inc.  All rights reserved
By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation and collect statistics on usage.
Accept 👌