Delegated SSO

Allow your customers to easily integrate their own Identity Providers

Delegated SSO: Multi-Customer IDP Support

Support all your customer IDPs with a single integration. No more building separate connectors for Okta, Azure AD, Google Workspace, and others.

Overview

Delegated SSO acts as a universal translator between your application and any identity provider your customers use, eliminating the need to build separate integrations for each IDP.

Key Benefits:

  • Universal Translation: One integration supports all customer IDPs - Okta, Azure AD, Google Workspace, and 20+ others
  • Customer Self-Service: Your customers can configure their own identity providers using guided wizards - no Authonomy account required
  • Flexible Architecture: Choose between Authonomy as the broker, or configure your preferred provider (like Okta) to federate with customer IDPs

How It Works

graph TB
    A[Your App] --> B[Authonomy]
    B --> C[Okta]
    B --> D[Azure AD]
    B --> E[Google]
    B --> F[SAML]

  1. Your app makes the same API call regardless of customer
  2. Authonomy routes to the correct customer IDP
  3. Customer IDP authenticates the user
  4. Authonomy returns standardized user data to your app

Deployment Models

Choose the architecture that best fits your needs:

Option 1: Authonomy as Universal Broker

Authonomy acts as the central broker for all customer authentications:

graph TB
    A[Your App] --> B[Authonomy]
    B --> C[Okta]
    B --> D[Azure AD]
    B --> E[Google]
    B --> F[SAML]

Best for: Teams who want to outsource all IDP complexity and focus on their core product.

→ Learn how to implement Authonomy as Universal Broker

Option 2: Configuration-Time Orchestration

Authonomy orchestrates the setup and configuration of customer IDPs in your existing infrastructure, then stays out of the runtime authentication flow:

graph TB
    A[Your App] --> B[Your Okta]
    B --> C[Customer A - Azure AD]
    B --> D[Customer B - Google]
    B --> E[Customer C - SAML]
    
    subgraph "Authonomy (Configuration Only)"
        F[Self-Service Setup]
        G[IDP Configuration]
        H[Federation Setup]
    end
    
    F -.->|"Configures"| C
    G -.->|"Configures"| D  
    H -.->|"Configures"| E

Best for: Teams already invested in a specific IDP who want customer self-service configuration without runtime dependencies on Authonomy.

→ Learn how to implement Configuration-Time Orchestration

Implementation Approaches

Choose the deployment model that best fits your architecture and organizational needs:

Runtime vs Configuration-Time Involvement

Option 1: Runtime Broker - Authonomy actively participates in every authentication flow, handling routing and user authentication at runtime. Your application integrates with Authonomy as the identity provider.

Option 2: Configuration-Time Orchestrator - Authonomy orchestrates the setup and configuration of customer IDPs, then steps out of the authentication flow entirely. Your existing IDP handles all runtime authentication using standard federation.

Key Differences

Aspect                | Option 1: Runtime Broker        | Option 2: Configuration-Time
----------------------|---------------------------------|-------------------------------
Runtime Dependencies  | Authonomy in every auth flow    | Zero dependencies after setup
Network Hops          | App → Authonomy → Customer IDP  | App → Your IDP → Customer IDP
Code Changes          | New SAML/OIDC integration       | No changes to existing auth
Customer Self-Service | Through Authonomy UI            | Through embedded widgets
Latency               | Additional network hop          | Direct federation
Control               | Centralized through Authonomy   | Direct control via your IDP

Both approaches enable the same outcome: seamless authentication across all customer IDPs with powerful self-service capabilities.

Customer Configuration

Regardless of which deployment model you choose, Authonomy provides flexible customer configuration options:

Empower your customers to configure their own IDPs - no engineering involvement required.

Your customers use embedded configuration wizards directly within your application:

  1. Start from your app: Customer accesses IDP setup through your existing interface
  2. Choose their IDP: Select from 20+ supported providers (Okta, Azure AD, Google, etc.)
  3. Follow guided wizards: Step-by-step instructions with copy/paste configuration
  4. Test integration: Verify everything works before going live
  5. Go live: Instantly available to their users

🚀 Zero-Touch Onboarding: Customers can complete IDP setup in under 10 minutes without any support from your team or knowledge of Authonomy. This dramatically reduces your sales cycle and support overhead.

Programmatic Configuration

For advanced use cases, you can also configure customer IDPs programmatically through Authonomy's management APIs. See the detailed implementation guides for specific API endpoints and examples.

Supported Identity Providers

Authonomy supports 20+ identity providers out of the box:

Enterprise IDPs

  • Okta (SAML 2.0, OIDC)
  • Azure Active Directory (OIDC, SAML 2.0)
  • Google Workspace (OIDC)
  • Microsoft ADFS (SAML 2.0, WS-Federation)
  • Ping Identity (SAML 2.0, OIDC)
  • Auth0 (OIDC)
  • OneLogin (SAML 2.0, OIDC)
  • JumpCloud (SAML 2.0)

Generic Support

  • Generic SAML 2.0 (any compliant provider)
  • Generic OIDC (OpenID Connect)
  • Generic OAuth 2.0

Development/Testing

  • Username/Password (for development)
  • Demo Provider (testing without real IDP)

โ„น๏ธ New IDP Support: Need support for a specific IDP? Contact us - we typically add new providers within 2 weeks.

Advanced Features

Both deployment models support advanced features including:

  • Group/Role Mapping: Map customer IDP groups to your application roles
  • Just-In-Time Provisioning: Automatically create users in your system during first login
  • Multi-Tenancy Support: Support customers with multiple IDPs
  • Smart Authentication Routing: Route users to the right IDP based on email domain, user attributes, or custom logic
  • Comprehensive Error Handling: Handle various authentication failure scenarios gracefully
  • Testing Support: Test with multiple IDP types in development

See the detailed implementation guides for specific examples and API endpoints for these features.
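As an added illustration (not Authonomy's code or API) of the "universal translator" sequence in How It Works and of the Smart Authentication Routing and Group/Role Mapping listed above: the broker looks up the customer IDP by verified email domain, translates OIDC claims or SAML attributes into one standard user record, maps IDP groups to application roles, and rejects an assertion whose email domain belongs to a different tenant. The tenant registry, group names and sample claims are constructed; the SAML attribute URIs are the standard ones.

```python
from dataclasses import dataclass, field

# Constructed tenant registry keyed by each customer's verified email domain.
# Hypothetical shape; Authonomy's real configuration model is not shown here.
TENANTS = {
    "acme.example": {"tenant": "acme", "protocol": "oidc",
                     "roles": {"sg-admins": "admin", "sg-staff": "member"}},
    "globex.example": {"tenant": "globex", "protocol": "saml",
                       "roles": {"Administrators": "admin"}},
}
# Attribute names commonly used in SAML assertions (ADFS/Azure AD style URIs).
SAML_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
SAML_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
SAML_GROUPS = "http://schemas.xmlsoap.org/claims/Group"

@dataclass
class StandardUser:
    """The one record your app sees, whichever IDP authenticated the user."""
    tenant: str
    subject: str
    email: str
    name: str
    roles: set = field(default_factory=set)

def route_by_email(email: str):
    """Home-realm discovery: exact match on the verified domain, or None."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "@" in local or not domain:
        return None
    # No suffix matching ('evil-acme.example' != 'acme.example') and no default
    # tenant for unknown domains: an unrouted user is an error, not a guest.
    return TENANTS.get(domain.lower())

def normalize(tenant_cfg: dict, raw: dict) -> StandardUser:
    """Translate OIDC claims or SAML attributes into a StandardUser."""
    if tenant_cfg["protocol"] == "oidc":
        sub, email, name = raw["sub"], raw["email"], raw.get("name", "")
        groups = raw.get("groups", [])
    else:  # SAML attribute statements are lists of values under URI names
        sub, email = raw["NameID"], raw[SAML_EMAIL][0]
        name = raw.get(SAML_NAME, [""])[0]
        groups = raw.get(SAML_GROUPS, [])
    # An IDP may only assert identities in its own tenant's domain; otherwise
    # customer A's IDP could log a user in as a member of customer B.
    if route_by_email(email) is not tenant_cfg:
        raise ValueError(f"{email} does not belong to tenant {tenant_cfg['tenant']}")
    # Unmapped groups are ignored; a user with no mapped group gets the least role.
    roles = {tenant_cfg["roles"][g] for g in groups if g in tenant_cfg["roles"]}
    return StandardUser(tenant_cfg["tenant"], sub, email.strip().lower(), name, roles or {"member"})
```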

Next Steps

Choose your implementation approach:

Delegated SSO solves your multi-customer IDP challenge once and for all. Get Early Access to start supporting all customer IDPs today.