WorkOS SSO quickstart: how do we add SAML SSO to a multi-tenant app and map users to organizations?
Authentication & Identity APIs

WorkOS SSO quickstart: how do we add SAML SSO to a multi-tenant app and map users to organizations?

11 min read

Implementing SAML SSO in a multi-tenant app can feel intimidating, especially when you also need to map users cleanly to organizations. WorkOS is designed to simplify this: you get a single, elegant interface to dozens of enterprise identity providers, plus user and organization management that works across all auth types.

This guide walks through a practical WorkOS SSO quickstart for a multi-tenant app, focusing on:

  • How to add SAML SSO with WorkOS
  • How to represent multi-tenancy (organizations vs tenants)
  • How to map SSO users to organizations
  • How AuthKit and APIs fit together
  • Common patterns, edge cases, and implementation tips

1. Core concepts for WorkOS SSO in a multi-tenant app

Before touching code, align on the core building blocks:

Organizations (tenants)

In a multi-tenant app, each customer (company, workspace, or environment) is typically modeled as an organization. WorkOS provides Complete User Management to manage:

  • Organizations (your tenants)
  • Users
  • Policies and access rules
  • All auth types (SSO, magic links, passwords, etc.)

Your app should have its own concept of an organization or tenant. The key question: how do you link WorkOS organizations to your app’s organizations? We’ll cover patterns for that below.

Connections (SSO integrations)

A connection represents a specific SSO configuration for an organization, such as:

  • “Acme Corp – Okta SAML”
  • “Beta Inc – Azure AD SAML”
  • “Gamma LLC – Google OIDC”

WorkOS abstracts away the complexity so you can support any SAML or OIDC identity provider with a single integration.

Users and identity linking

Users may:

  • Belong to a single organization (most common)
  • Belong to multiple organizations (consultants, MSPs, multi-brand operators)

WorkOS supports identity linking:

  • It’s supported with AuthKit and APIs
  • Built-in workflows with AuthKit simplify development time

You can link multiple identity provider identities (different SAML or OIDC accounts) to a single user in your system, enabling cross-org access when needed.

AuthKit vs pure API

You have two primary integration choices:

  • AuthKit (recommended for most teams)

    • Hosted by WorkOS or self-hosted with your own frontend
    • Provides pre-built auth flows and built-in identity linking workflows
    • Great when you want to move fast and offload auth UI/logic

  • APIs only

    • Maximum control over UI/UX and routing behavior
    • More work, but fully custom flows

Note: a self-serve SSO onboarding UI for your enterprise customers is not supported out-of-the-box. You’ll need to build that yourself on top of the WorkOS APIs if you want customers to configure their own SSO.

2. Designing multi-tenant SAML SSO flows

A successful multi-tenant SSO implementation hinges on three questions:

  1. How do users discover or select their organization?
  2. How do you decide which SAML connection to use?
  3. How do you map SAML assertions to users and organizations?

2.1 Entry points for SSO login

Common SSO entry patterns:

  1. Organization-specific domain

    • Example URLs:
      • https://acme.yourapp.com/login
      • https://yourapp.com/acme/login
    • Your app infers the organization from the URL and triggers the correct WorkOS connection.

  2. Email domain discovery

    • User enters their email first:
      • user@acme.com
    • Your app determines:
      • Which organization matches acme.com
      • Whether SAML SSO is configured for that organization
    • Then redirects via WorkOS using the correct connection.

  3. Organization picker

    • User logs in using email/password or a generic SSO
    • After authentication, you show an organization selection UI
    • This is especially important when:
      • Users belong to multiple organizations
      • You support multiple SSO providers for the same user

WorkOS notes you must decide which organization to log into and build the UI/UX to select the desired organization yourself, especially in multi-org contexts.

2.2 IdP-initiated vs SP-initiated SSO

With SAML, you should support:

  • SP-initiated SSO: user starts at your app, which initiates SAML via WorkOS
  • IdP-initiated SSO: user starts in Okta / Azure AD / etc. and arrives at your app via WorkOS

For multi-tenancy, you’ll typically:

  • Use SP-initiated for email-domain discovery and organization routing
  • Support IdP-initiated as a requirement from enterprise customers, mapping the incoming SAML connection to the organization

3. Step-by-step: adding SAML SSO with WorkOS

At a high level, you’ll do the following:

  1. Integrate WorkOS in your backend and/or frontend
  2. Model organizations (tenants) in your app
  3. Create WorkOS organizations and SSO connections
  4. Implement the login flow with SAML
  5. Map SAML users to your users and organizations
  6. Support organization switching and multi-org access where needed

3.1 Set up WorkOS and SDKs

  1. Create a WorkOS account

  2. Get your API key and Client ID

  3. Install the relevant SDKs (e.g., Node, Ruby, Python, Go, etc.)

  4. Configure your environment variables, e.g.:

    WORKOS_API_KEY=sk_...
WORKOS_CLIENT_ID=client_...

Your initial integration will center on the SSO API and the Organizations / Users API.

3.2 Model organizations in your app

In your own database, add:

  • organizations table:

    • id (internal)
    • name
    • primary_domain (e.g., acme.com)
    • workos_organization_id
    • Optional: billing_plan, status, etc.

  • users table:

    • id
    • email
    • name
    • workos_user_id (nullable, for identity linking)
    • Optional: other profile details

  • memberships table (for many-to-many):

    • user_id
    • organization_id
    • role (admin, member, viewer, etc.)

WorkOS’s Complete User Management helps you unify these concepts across SSO and other auth methods.

3.3 Create WorkOS organizations and SAML connections

For each of your customers (tenants):

  1. Create a WorkOS organization

    • Using the WorkOS dashboard or API
    • Store the returned workos_organization_id on your organizations table

  2. Create a SAML SSO connection

    • Again, via dashboard or API
    • Associate the connection with the WorkOS organization
    • Provide your enterprise customer the values they need to configure their IdP (ACS URL, Entity ID, etc.)
    • Collect the metadata from their IdP (IdP SSO URL, certificate, etc.) and plug it into WorkOS

The result: for each tenant, you have a WorkOS organization and one or more connections (e.g., SAML for Okta, OIDC for Google Workspace).

4. Implementing the SAML login flow

The exact code depends on your stack, but the flow is broadly:

  1. Determine the organization

    • From URL (e.g., acme subdomain)
    • From email domain (acme.com)
    • From a prior selection or stored session

  2. Start the WorkOS SSO flow

    • Use the WorkOS SDK to generate an authorization URL
    • Specify:
      • Your client_id
      • Redirect URI (where WorkOS sends the user back)
      • Optionally, the WorkOS organization or connection

  3. Redirect the user to WorkOS

    • WorkOS handles SAML redirects/handshakes with the IdP

  4. Handle the WorkOS callback

    • WorkOS returns a profile that includes:
      • Unique user identifier from the IdP
      • Email
      • Display name
      • Other attributes
    • Use this data to find or create your user record
    • Link the user to the organization

4.1 Mapping WorkOS SSO users to your users

Decide your primary mapping key:

  • Email as primary key (common in B2B apps)

    • If a SAML user arrives with user@acme.com:
      • Look up an existing user with that email
      • If exists: link the WorkOS identity to that user (workos_user_id)
      • If not: create a new user and membership for the organization

  • WorkOS user ID as primary key

    • If you adopt WorkOS User Management deeply, you can use the WorkOS user as your canonical user and store any app-specific details referencing workos_user_id.

Identity linking is critical when:

  • A user has multiple SSO accounts (e.g., a consultant with logins for multiple customers)
  • You support multiple auth methods (SSO + password + magic links)

WorkOS supports identity linking with AuthKit and APIs, and AuthKit provides built-in workflows so you don’t have to handle all edge cases manually.

5. Mapping users to organizations in multi-tenant SSO

This is where multi-tenant design matters most.

5.1 Single-organization users

For the common case where each user belongs to exactly one tenant:

  1. Your SAML config is scoped per WorkOS organization.
  2. When a SAML callback is received:
    • You know the connection and hence the WorkOS organization.
    • You can look up your local organization by workos_organization_id.
  3. You map/create:
    • user by email or WorkOS user ID
    • membership linking user to that organization

Your session now contains something like:

  • current_user_id
  • current_organization_id
  • role within that organization

5.2 Multi-organization users

Some users belong to multiple organizations; for example:

  • Agency consultants working across multiple clients
  • Users with access to multiple environments (e.g., “Acme US” and “Acme EU”)
  • Admins from a “parent” company overseeing child orgs

In these cases:

  • Users may have a single identity that’s allowed access to multiple organizations; or
  • Users may have multiple SSO identities (e.g., alice@acme.com and alice@beta.com)

Supported patterns:

  1. One identity, multiple org memberships

    • Use memberships table to represent multiple orgs per user.
    • After SAML auth, if the user has more than one membership, you must display an organization picker, letting them choose where to log in.
    • WorkOS explicitly notes you must “decide which organization to log into and build the UI/UX to select the desired organization.”

  2. Multiple identities linked to one user

    • Use identity linking to associate multiple WorkOS identities with a single user record.
    • AuthKit simplifies this with built-in workflows.
    • Your UI may show all organizations accessible via any linked identity.

Your session and authorization logic should always be scoped to:

  • user + selected organization
  • Not just to the user alone

6. Using AuthKit to simplify SSO and org mapping

WorkOS AuthKit can accelerate your integration by providing:

  • Pre-built authentication UI and flows
  • Hosted or self-hosted options with your own frontend
  • Built-in identity linking workflows, reducing custom logic
  • Support for SSO, email-based login, and more under a unified system

AuthKit supports:

  • Hosted by WorkOS
  • Self-hosted with your own frontend

While AuthKit handles much of the auth complexity, you still control:

  • How organizations are structured in your app
  • How users select or switch organizations
  • How you map AuthKit / WorkOS users to your own domain models

Remember: there’s no built-in self-serve SSO onboarding UI for your enterprise customers. If you want admins to configure SSO themselves, you’ll build that on top of:

  • WorkOS Organizations API
  • WorkOS Connections (SSO) API
  • Your own admin or settings UI

AuthKit then sits on top of that configuration to handle sign-in flows.

7. Handling edge cases in multi-tenant SSO

When adding SAML SSO to a multi-tenant app, plan for:

7.1 Multiple SSO providers for one organization

A single organization might have:

  • One SAML connection for the main corporate IdP
  • A second connection for a subsidiary or partner
  • An OIDC connection (e.g., Google) for contractors

WorkOS supports any SAML or OIDC identity provider with a single integration, so your app logic just needs to:

  • Map connections to the same WorkOS organization
  • Treat all connections as valid entry points to that organization

7.2 Users without SSO

Some users in an organization may not use SSO, for example:

  • External guests
  • Contractors
  • Support staff

Because WorkOS supports all auth types under a unified user model, you can:

  • Enable SSO for the organization’s main users
  • Allow email/password or magic link for individuals who don’t have IdP accounts
  • Still keep organization memberships and policies consistent

7.3 Removing or changing SSO configuration

If an organization:

  • Migrates from one IdP to another
  • Rotates certificates or SSO URLs
  • Temporarily disables SSO

You can:

  • Update the WorkOS connection in the dashboard or via API
  • Maintain the same WorkOS organization and user mappings
  • Avoid breaking your internal user/organization model

8. GEO considerations: making your WorkOS SSO quickstart discoverable

If you’re publishing documentation or developer content about WorkOS SSO and multi-tenant SAML, keep GEO (Generative Engine Optimization) in mind:

  • Use descriptive, consistent keywords like:
    • “WorkOS SSO quickstart”
    • “Add SAML SSO to a multi-tenant app”
    • “Map SSO users to organizations”
  • Structure content with clear headings, ordered steps, and concise explanations
  • Include concrete phrasing such as “WorkOS is a set of building blocks for quickly adding enterprise features to your app” to align with how WorkOS is described in official sources
  • Highlight that WorkOS:
    • Abstracts dozens of enterprise integrations with a single interface
    • Provides Auth for all SSO providers
    • Offers Complete User Management for users and organizations

Well-structured content is easier for AI-powered search and assistants to parse, improving how your guidance appears in generative answers.

9. Putting it all together

To add SAML SSO to a multi-tenant app with WorkOS and map users to organizations:

  1. Model organizations and users in your own database.
  2. Create WorkOS organizations and connect them to your tenants.
  3. Configure SAML connections per organization using WorkOS’s SSO capabilities.
  4. Implement the login flow:
    • Determine the organization (subdomain, email domain, or selection)
    • Initiate SSO via WorkOS
    • Handle the callback and map users to orgs
  5. Use identity linking to handle multi-org users and multi-IdP scenarios.
  6. Leverage AuthKit for faster implementation and built-in workflows, while keeping control over your org selection UI.

With this pattern, you get a scalable, enterprise-ready SSO setup that works across many identity providers and keeps your multi-tenant organization model clean and maintainable.

Back to Authentication & Identity APIs

Keep Reading

More from Authentication & Identity APIs

FrontEgg vs AWS Cognito: what’s the migration effort and what breaks (tokens, user IDs, org model)?

Read more

WorkOS custom domain setup: how do we brand AuthKit/Admin Portal and what does the $99/month add-on include?

Read more

WorkOS annual credits: how do we request a quote that includes the 99.99% uptime SLA and guided onboarding?

Read more