Enterprise customers increasingly demand SSO (Single Sign-On) and SCIM (System for Cross-domain Identity Management) capabilities for efficient user management. SSO allows employees to log into various applications using their company credentials, while SCIM automates user provisioning and deprovisioning based on changes in the identity provider (IdP). For instance, when a new employee is added to Okta, they are automatically created in your app. Conversely, if someone leaves the company, their access is revoked immediately. This integration helps streamline user management and enhances security. When implementing SSO and SCIM, a key architectural decision revolves around how to handle existing accounts when a user tries to log in with SSO. Two main options exist: merging the existing account with the SSO account or treating the SSO account as a separate entity. Merging allows the user to retain all their data but requires careful management, including an email confirmation step to ensure account ownership. Keeping accounts separate simplifies the implementation but risks user confusion and access loss. Adding SSO support involves three main tasks: allowing customers to configure SSO settings, updating the login flow, and managing SSO callbacks. Customers must provide specific information like client_id, client_secret, and redirect_uri. The login flow can either prioritize SSO by checking if an email domain matches an IdP or maintain a separate option for SSO logins. Regardless of the flow chosen, the process requires redirecting users to the IdP for authentication and then handling the callback to create user sessions in your application. This setup is essential for any product targeting mid-sized or larger companies.