> **Building with AI coding agents?** If you're using an AI coding agent, install the official Scalekit plugin. It gives your agent full awareness of the Scalekit API — reducing hallucinations and enabling faster, more accurate code generation.
>
> - **Claude Code**: `/plugin marketplace add scalekit-inc/claude-code-authstack` then `/plugin install <auth-type>@scalekit-auth-stack`
> - **GitHub Copilot CLI**: `copilot plugin marketplace add scalekit-inc/github-copilot-authstack` then `copilot plugin install <auth-type>@scalekit-auth-stack`
> - **Codex**: run the bash installer, restart, then open Plugin Directory and enable `<auth-type>`
> - **Skills CLI** (Windsurf, Cline, 40+ agents): `npx skills add scalekit-inc/skills --list` then `--skill <skill-name>`
>
> `<auth-type>` / `<skill-name>`: `agent-auth`, `full-stack-auth`, `mcp-auth`, `modular-sso`, `modular-scim` — [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/)

---

# Ways to implement SSO logins

Single sign-on (SSO) login requires careful UX design to balance enterprise authentication requirements with user experience. Your login page must accommodate both SSO users (who authenticate through their organization's identity provider) and non-SSO users (who use passwords or social authentication).

This guide presents three proven UX strategies for adding SSO to your login page. Each strategy offers different trade-offs between user experience, implementation complexity, and administrative control. Choose the approach that best fits your users' needs and your application's architecture.

The right strategy depends on your user base: identifier-driven flows work best when admins control authentication methods, explicit SSO buttons give users choice, and organization-specific login pages simplify enterprise deployments.

<br />
<div style="max-width: 500px; margin: 0 auto;">

![Login page with password and social auth methods](@/assets/docs/sso/ux-strategies/simple_login_page.png)

</div>

## Strategy 1: Identifier-driven single sign-on

Collect the user's email address first. Use the email domain or organization identifier to determine whether to route to SSO or password-based authentication.

![Identifier-driven login](@/assets/docs/sso/ux-strategies/identifier_first_login.png)

Users don't choose the authentication method. This reduces cognitive load and works well when admins mandate SSO after users have already logged in with passwords. Popular products like [Google](https://accounts.google.com), [Microsoft](https://login.microsoftonline.com), and [AWS](https://console.aws.amazon.com/console/) use this strategy.

## Strategy 2: Login with single sign-on button

Add a "Login with SSO" button to your login page. This presents all authentication options and lets users choose their preferred method.

<br />
<div style="max-width: 500px; margin: 0 auto;">

![Explicit option for login with SSO](@/assets/docs/sso/ux-strategies/sso_button_login.png)

</div>

If a user attempts password login but their admin mandates SSO, force SSO-based authentication instead of showing an error. Popular products like [Cal.com](https://app.cal.com/auth/login) and [Notion](https://www.notion.so/login) use this strategy.
**Tip:** If a user chooses an authentication method like social login, verify their identity and the appropriate authentication method. If the user must authenticate through SSO, prompt them to re-authenticate through SSO.

## Strategy 3: organization-specific login page

Serve different login pages for each organization instead of a single login page. For example, `https://customer1.b2b-app.com/login` and `https://customer2.b2b-app.com/login`. Show only the authentication methods applicable to that organization based on the URL.

Popular products like [Zendesk](https://www.zendesk.com/in/login/) and [Slack](https://scalekit.slack.com/) use this strategy. The drawback is that users must remember their organization URL to access the login page.

---

## Next steps

After implementing your chosen SSO login strategy:

- [Pre-check SSO by domain](/guides/user-auth/check-sso-domain/) - Validate email domains have active SSO before redirecting
- [Complete login with code exchange](/authenticate/fsa/complete-login/) - Exchange authorization codes for user data and tokens
- [Manage user sessions](/authenticate/fsa/manage-session/) - Store and validate session tokens securely

---

## More Scalekit documentation

| Resource | What it contains | When to use it |
|----------|-----------------|----------------|
| [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content |
| [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas |
| [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |