A SaaS founder told me: 'We lost a $50K/year enterprise deal because we didn't support SAML SSO. The sales cycle was 3 months, and the deal died in the security review.' He added WorkOS SSO in 2 days. The next enterprise deal closed.
What WorkOS Offers for Free
WorkOS free tier:
- 1 million monthly active users for AuthKit (authentication)
- 5 SSO connections — SAML, OIDC, Google, Microsoft, etc.
- 5 directory sync connections — Okta, Azure AD, Google Workspace
- Admin Portal — self-serve SSO setup for customers
- User Management — built-in auth with MFA
- Organization management — multi-tenancy built in
Quick Start
npm install @workos-inc/node
const { WorkOS } = require('@workos-inc/node');
const workos = new WorkOS(process.env.WORKOS_API_KEY);
SSO (Single Sign-On)
// Generate SSO authorization URL
const authorizationUrl = workos.sso.getAuthorizationUrl({
organization: 'org_123', // Customer's org
redirectUri: 'https://yourapp.com/callback',
clientId: process.env.WORKOS_CLIENT_ID
});
// Redirect user to authorizationUrl
// After they authenticate with their IdP, they come back to your callback:
app.get('/callback', async (req, res) => {
const { code } = req.query;
const { profile } = await workos.sso.getProfileAndToken({
code,
clientId: process.env.WORKOS_CLIENT_ID
});
// profile contains: id, email, firstName, lastName, organizationId
const user = await findOrCreateUser(profile);
const session = createSession(user);
res.redirect('/dashboard');
});
AuthKit (Full Authentication)
// Complete auth flow with MFA, social login, email+password
const authorizationUrl = workos.userManagement.getAuthorizationUrl({
provider: 'authkit',
redirectUri: 'https://yourapp.com/callback',
clientId: process.env.WORKOS_CLIENT_ID
});
// Handle callback
app.get('/callback', async (req, res) => {
const { user, organizationId } = await workos.userManagement.authenticateWithCode({
code: req.query.code,
clientId: process.env.WORKOS_CLIENT_ID
});
console.log(user.email, user.firstName);
});
Directory Sync
// List directory users (synced from Okta, Azure AD, etc.)
const { data: users } = await workos.directorySync.listUsers({
directory: 'directory_123'
});
users.forEach(user => {
console.log(`${user.firstName} ${user.lastName} — ${user.emails[0].value}`);
});
// Listen for directory events via webhook
app.post('/webhooks/workos', (req, res) => {
const event = req.body;
switch (event.event) {
case 'dsync.user.created':
createLocalUser(event.data);
break;
case 'dsync.user.deleted':
deactivateLocalUser(event.data);
break;
case 'dsync.group.updated':
updateTeamMembership(event.data);
break;
}
res.sendStatus(200);
});
Admin Portal (Self-Serve SSO Setup)
// Generate a portal link for your customer's IT admin
const portalLink = await workos.portal.generateLink({
organization: 'org_123',
intent: 'sso' // or 'dsync' for directory sync
});
// Send portalLink.link to your customer
// They can configure SSO themselves without your help
REST API
# List organizations
curl 'https://api.workos.com/organizations' \
-H 'Authorization: Bearer sk_YOUR_API_KEY'
# Get user
curl 'https://api.workos.com/user_management/users/user_123' \
-H 'Authorization: Bearer sk_YOUR_API_KEY'
# Create organization
curl -X POST 'https://api.workos.com/organizations' \
-H 'Authorization: Bearer sk_YOUR_API_KEY' \
-H 'Content-Type: application/json' \
-d '{"name": "Acme Corp", "domains": ["acme.com"]}'
Perfect For
- B2B SaaS — enterprise SSO is table stakes for big deals
- Multi-tenant apps — organization + directory sync built in
- Compliance — SOC 2, HIPAA require SSO
- Developer tools — GitHub/GitLab-style org management
Need to scrape enterprise data? Check out my web scraping actors on Apify — secure, managed data collection.
Need enterprise auth integration? Email me at spinov001@gmail.com.
Top comments (0)