Scalekit now supports seamless SSO provider migration with minimal customer-side changes. Move existing SSO connections from Auth0, WorkOS, Firebase, or AWS Cognito to Scalekit while your customers keep their IdP settings completely unchanged.
Why it matters
Traditional SSO migration requires coordinating with every customer to update their identity provider configuration—Entity IDs, ACS URLs, certificates, and metadata endpoints. This creates massive operational overhead:
- Implementation calls with customer IT teams
- Configuration errors that break authentication for entire organizations
- Deployment coordination across time zones and change windows
- Support escalations and potential customer churn
Companies often stay locked into expensive providers because migration coordination is too painful. Our approach eliminates this by handling the transition through infrastructure you control.
How it works
The migration maintains existing IdP relationships through DNS redirection and intelligent routing:
SSO Proxy Layer
A smart router sits at your auth domain (e.g., auth.yourapp.com) between your application and both SSO systems. It examines each authentication request and directs it to the appropriate provider.
Organization Mapping
Store which organizations are migrated to Scalekit versus those still using your external provider. Use a database, configuration file, or API endpoint based on your architecture.
Provider Selection
Your app sends login requests with user information (email, domain, or organization ID). The proxy analyzes this data and routes authentication to either the external provider or Scalekit.
Preserved Configuration
Scalekit accepts the same Entity IDs and ACS URLs your customers already configured in their IdP. Their settings remain unchanged.
Request Forwarding
The proxy forwards authentication requests to the selected provider while preserving all necessary identifiers and session parameters.
Response Routing
After the IdP processes authentication, responses (SAML or OIDC) return to your proxy domain via configured callback URLs. The proxy examines response identifiers and routes callbacks accordingly.
Code Exchange
Your app receives an authorization code with a state indicator showing which provider processed the request, then completes the authentication flow.
What's included
Ready-to-Deploy SSO Proxy
Pre-built proxy implementations for AWS Lambda, Cloudflare Workers, or custom infrastructure. We provide deployment templates and configuration assistance tailored to your environment.
Data Migration Utilities
Automated tools to transfer tenant resources—organizations, users, and SSO configurations—from your existing provider to Scalekit with complete data integrity.
Separate Callback Endpoints
Set up distinct callback endpoints for each provider for clarity and easier debugging, or use a single unified endpoint based on your preference.
Debug Tools
Force-route specific requests to Scalekit using x-force-sk-route: yes header. Helpful for troubleshooting—customers can use browser extensions like ModHeader to reproduce flow issues.
Gradual Rollout
Migrate organizations one by one or all at once with the data migration utility. Test with internal accounts first, then roll out to production at your pace without forcing customers to reconfigure.
Prerequisites
Before starting your migration:
- DNS Control: You must control DNS for your auth domain with CNAME pointing to your external SSO provider
- Scalekit Setup: Sign up and install the Scalekit SDK
- Custom Domain Verification: Existing customers should have IdP configured with SP Entity ID and ACS URL starting with your domain (e.g.,
auth.yourapp.com/saml/callback)
Get started
The SSO proxy service and migration utilities are available now. Our team provides personalized assistance to ensure a smooth migration:
- View migration documentation
- Contact our support team for migration planning
- Start free to test the migration flow
